GitHub debuts pedigree check for npm packages via Actions

Doctor Syntax Silver badge

Is there anything in this that prevents anyone who wishes to deliberately plant malware in a repository from adding a --provenance flag? Granted it would be very naughty but anyone deliberately sneaking in malware is already being very naughty so a bit of extra naughtiness isn't going to worry them.
