npm provenance general availability

npm provenance is now generally available.

npm packages built on a supported cloud CI/CD system can publish with provenance. Today this includes GitHub Actions and GitLab CI/CD.

Publishing with provenance verifiably links the package back to its source repository and build instructions. Provenance is restricted to public packages and public source repositories only.

npm will check the linked source commit and repository when you view a package's provenance information on npmjs.com. If the linked source commit or repository cannot be found, an error displays at the top of the page and alongside the provenance information to let you know that provenance for this package can no longer be established. This can happen when a repository is deleted or made private.

Once published, packages display provenance on the registry website:

Provenance displayed on the registry website

For more information, see generating provenance.

Breaking change to GitHub Copilot service endpoints

Starting tomorrow Tuesday, September 26, 2023 we are updating the service endpoints for organizations with GitHub Copilot Chat beta enabled. If your organization uses a firewall to restrict network traffic, we recommend updating your allowlist to include *.githubcopilot.com if you haven’t done so already. This endpoint is required to deliver Copilot Chat messages.

If you are not ready to upgrade to this new endpoint, you can pin your GitHub Copilot Chat version to 0.7.1 or earlier.

If your organization doesn’t use a firewall to restrict network traffic, then no change is necessary. For a complete list of GitHub Copilot service endpoints, see our docs.

See more

GitHub Actions: Transitioning from Node 16 to Node 20

Node 16 has reached its end of life, prompting us to initiate its deprecation process for GitHub Actions. Our plan is to transition all actions to run on Node 20 by Spring 2024. We will actively monitor the migration's progress and gather community feedback before finalizing the transition date. Starting October 23rd, workflows containing actions running on Node 16 will display a warning to alert users about the upcoming migration.

What you need to do

For Actions maintainers

Modify your actions to run on Node 20 instead of Node 16. For guidance, refer to the Actions configuration settings.

For Actions users

Ensure your workflows use the latest versions of actions that are running on Node 20. For more information, see Using Versions for Actions.

For self-hosted runner administrators:

Update your self-hosted runners to runner version v2.308.0 or later to ensure compatibility with Node 20 actions.

See more
View all changes