Node Package Managers · Part 10 — Supply-Chain Defense
A concrete defense playbook: ignore-scripts by default, audit, npm provenance and sigstore, scoped tokens with 2FA, minimum release age, SBOMs, lockfile linting, and a hardened CI install.