JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 99
  • Score
    100M100P100Q70269F
  • License Apache-2.0

Verifiable-credential supply chain compliance for npm. Sign attestations, verify dependencies, revoke compromised packages.

Package Exports

  • @ajna-inc/npmvc
  • @ajna-inc/npmvc/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@ajna-inc/npmvc) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@ajna-inc/npmvc

Supply-chain credential system for npm. Sign attestations when you publish, verify every dependency when you install.

Pure TypeScript. Zero native dependencies. Works everywhere npm runs.

Quick start — consumer

npx @ajna-inc/npmvc install-hook

Every npm install now verifies signatures, age, publisher continuity, lifecycle scripts, and audit credentials across your entire dep tree.

Quick start — publisher

npx @ajna-inc/npmvc init
npm pkg set scripts.prepack="npmvc attest"
npm pkg set files='["dist", ".ajna"]' --json

Every npm publish now signs Provenance + SBOM + Lifecycle credentials.

What gets checked

  • Signatures — DSSE envelopes verified against publisher DID (ed25519)
  • Age — versions younger than minAge (default 7d) are flagged
  • Publisher continuity — DID changes across versions trigger warnings
  • Lifecycle scriptspostinstall flagged unless whitelisted
  • Transitive deps — full lockfile tree (npm, pnpm, yarn)
  • Audit credentials — third-party scanner verdicts (Socket, Snyk)
  • Revocation — revoked credentials are flagged
  • SBOM — CycloneDX SBOM signed and bundled

CI/CD

# GitHub Actions
- name: Attest
  env:
    NPMVC_KEY: ${{ secrets.NPMVC_KEY }}
  run: npx @ajna-inc/npmvc attest

Set NPMVC_KEY as a repository secret containing your ~/.npmvc/wallet/key.json.

Key management

npmvc wallet export --passphrase "..." > key.enc    # encrypted backup
npmvc wallet import --passphrase "..." --input key.enc  # restore
npmvc credential handover --package my-lib --to did🔑z6Mk...  # transfer

Registry

Sync attestations to npmvc.com for public verification:

npmvc register --name my-company --registry https://npmvc.com
npmvc attest --registry https://npmvc.com

Badge: ![npmvc](https://npmvc.com/api/badge/my-lib)

Commands

Command Purpose
init Create publisher DID
attest Sign attestations
verify Verify dep tree
audit publish Issue audit credential
audit import Import audit envelope
register Register on npmvc registry
credential revoke Revoke a credential
credential handover Transfer to new maintainer
wallet export Encrypted key backup
wallet import Restore key from backup
policy init Create default policy
install-hook Add preinstall hook

Policy

Edit npmvc-policy.json:

{
  "enforcement": "block",
  "minAge": "7d",
  "unattested": "warn",
  "publisherContinuity": {
    "required": true,
    "onUnauthorizedChange": "block",
    "pinned": { "express": "did🔑z6Mk..." }
  }
}

License

Apache-2.0