[BUG] `ini@4.1.2` has an invalid attestation
sjinks opened this issue
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
`npm audit signatures` complains:
```
1 package has an invalid attestation:
ini@4.1.2 (https://registry.npmjs.org/)
Someone might have tampered with this package since it was published on the registry!
```
Expected Behavior
No errors about package attestation
Steps To Reproduce
```
npm init -y
npm i ini
npm audit signatures
```
Test repo: https://github.com/sjinks/test-ini
Action log: https://github.com/sjinks/test-ini/actions/runs/8242432839/job/22541375637
Environment
- npm: 10.2.4
- Node: v20.11.1
- OS: Ubuntu 22.04.4 LTS
- platform: amd64
`ini@4.1.1` is OK:
```
$ npm i ini@4.1.1
changed 1 package, and audited 2 packages in 709ms
found 0 vulnerabilities
$ npm audit signatures
audited 1 package in 1s
1 package has a verified registry signature
1 package has a verified attestation
```
Does not happen in npm 10.5.0: npm/cli#7279