[BUG] `ini@4.1.2` has an invalid attestation

Question

[BUG] `ini@4.1.2` has an invalid attestation

sjinks opened this issue 5 months ago · comments

Volodymyr Kolesnykov commented 5 months ago

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

npm audit signatures complains:

1 package has an invalid attestation:

ini@4.1.2 (https://registry.npmjs.org/)

Someone might have tampered with this package since it was published on the registry!

Expected Behavior

No errors about package attestation

Steps To Reproduce

npm init -y
npm i ini
npm audit signatures

Test repo: https://github.com/sjinks/test-ini
Action log: https://github.com/sjinks/test-ini/actions/runs/8242432839/job/22541375637

Environment

npm: 10.2.4
Node: v20.11.1
OS: Ubuntu 22.04.4 LTS
platform: amd64

Volodymyr Kolesnykov · Answer 1 · Tue Mar 12 2024 10:02:31 GMT+0800 (China Standard Time)

ini@4.1.1 is OK:

$ npm i ini@4.1.1

changed 1 package, and audited 2 packages in 709ms

found 0 vulnerabilities

$ npm audit signatures
audited 1 package in 1s

1 package has a verified registry signature

1 package has a verified attestation

Volodymyr Kolesnykov · Answer 2 · Tue Apr 02 2024 23:07:03 GMT+0800 (China Standard Time)

Does not happen in npm 10.5.0: npm/cli#7279