What’s the benefit of `npm audit signatures`?

Issue

This content is from Stack Overflow. Question asked by Johannes Ewald.

Since npm v8.15.0 there’s an `npm audit signatures` command which will check each package’s signature using npm’s public key.

I don’t understand why this is an extra layer of security. Given that npm is already using HTTPS and that it’s already checking the package’s integrity with the checksum from package-lock.json, what kind of attack does this prevent?

If the package was signed by the package author, it would be a different story.




This question and answer are collected from Stack Overflow and tested by the JTuto community; licensed under the terms of CC BY-SA 2.5, CC BY-SA 3.0, or CC BY-SA 4.0.
