Audit npm package trust signals in an era of increasing supply chain attacks
npm-diff.app was created as a tool to audit package updates to ensure safe and stable upgrades. Making updates in a safe and defensive way has become more important over the years, as package hijacking and takeovers have become increasingly prevalent.
The new Source & Trust feature enables deeper auditing by linking releases to their original sources and evaluating their trust signals using the npm registry’s Provenance and Trusted Publishing features.
Source & Trust does not determine whether a package is safe. It helps you make better-informed trust decisions.
Provenance is a cryptographically signed attestation that links a package to its source code repository and build environment. When a package is published with provenance, npm records verifiable metadata about:
In practice, this lets you independently verify that a given package artifact corresponds to a specific source revision and build process.
Important: Provenance only guarantees traceability — you can verify where a package was built and published from. It does not guarantee that:
Trusted Publishing is npm’s recommended authentication method that eliminates the need for long-lived access tokens in CI/CD environments.
This reduces the use of stealable tokens, which are the primary attack vector in many package takeovers. This also helps ensure that a release is not published from a repository other than the one the maintainer has configured.
Important: Trusted Publishing only guarantees that one particular release was published from the specified repository. It does not guarantee that any future releases will be published securely.
Read more:
When comparing releases that were published with provenance, npm-diff.app displays detailed information about the source and build environment for that release. This allows you to look up the exact commit, repository, and build workflow that was used to produce the package.
If a release was published using Trusted Publishing, npm-diff.app highlights this with a distinct “Trusted Publisher” badge in the source information panel.
In addition to presenting this information for manual auditing, npm-diff.app also highlights potential trust issues when comparing two releases. These warnings are designed to draw attention to changes that may warrant further investigation:
The older version had verifiable provenance, but the newer version does not. This means you can no longer verify where the package was built or trace it back to source code.
The older version was published using Trusted Publishing, but the newer version was published with a legacy npm token. This increases the risk of token compromise.
Both versions have provenance, but they point to different repositories. This could indicate a package takeover or legitimate repository migration.
The build workflow file name has changed between versions. While this may be a legitimate refactor, it’s worth reviewing to ensure the new workflow maintains security best practices.