Skip to content

Maintenance: update lerna and implement npm provenance #1436

New issue
New issue
Closed
#1541
Closed
Maintenance: update lerna and implement npm provenance#1436
#1541
Assignees
dreamorosi
Labels
completedThis item is complete and has been merged/shippedinternalPRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)
@dreamorosi

Description

@dreamorosi
dreamorosi
opened on May 4, 2023

Summary

A couple of weeks ago GitHub announced a new feature called npm provenance.

npm packages built on a cloud CI/CD system (like GitHub Actions) can now publish with provenance, meaning the package has verifiable links back to its source code and build instructions.

At the time lerna, the package we use to publish our utilities to npm didn't support the feature, but version 6.6.2, which has just been released does.

We should go ahead and:

  • update lerna to 6.6.2 or newer
  • modify the workflow that makes the release to use this new feature

Why is this needed?

This way our customers can publicly establish where the Powertools for TypeScript package was built and who published, which can increase overall supply-chain confidence.

Which area does this relate to?

Governance

Solution

No response

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.

Metadata

Metadata

Assignees

Labels

completedThis item is complete and has been merged/shippedinternalPRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)

Type

No type

Projects

Powertools for AWS Lambda (TypeScript)

Status

Shipped

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions