This Content is from Stack Overflow. Question asked by Johannes Ewald
Since npm v8.15.0 there's an npm audit signatures command which will check each package's signature using npm's public key.

I don't understand why this is an extra layer of security. Given that npm is already using HTTPS and that it's already checking the package's integrity with the checksum from package-lock.json, what kind of attack does this prevent?
If the package was signed by the package author, it would be a different story.
This question and answer are collected from Stack Overflow and tested by the JTuto community, and are licensed under the terms of CC BY-SA 2.5, CC BY-SA 3.0, or CC BY-SA 4.0.