witness VS rfcs

We have lots of work to do. https://github.com/in-toto/witness

Full disclosure, I am a member of the steering committee for in-toto and the CEO of TestifySec which in the main contributor to Witness.

You may also want to look into Witness https://github.com/testifysec/witness

like Witness which helps attest that software was built with the process you’re trying to attest to it.

Verifying provenance across CI steps is what the in-toto project was designed to help with. We implement in-toto with our open-source projects, Witness and Archivist.

npm workspaces plus Wireit works far better than Lerna, in my experience.

https://github.com/google/wireit

Wireit's ability to specify actual script dependencies, do caching (and on Github actions), and it's long-running service script support make it much more useful and comprehensive than Lerna.

I agree that this should be built into npm. There's an RRFC for it here: https://github.com/npm/rfcs/issues/706

It's coming https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md

This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626

npm also plans to support pnpm-style node_modules

(I usually end up removing npm ci from CI/CD since I think it is way too slow and want to cache node_modules from previous builds; I'm waiting for https://github.com/npm/rfcs/issues/415 to land to make this fail-safe npm install --from-lockfile. Yarn does support this already)

I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors: