New releases of fast-xml-parser have appeared in npm over the last few weeks where tags, releases and/or changelog entries have been lagging or absent. Most of these appear to have been in response to bugs and/or CVEs.
For example, the latest release at the time of writing is 5.5.9, but there is no commit, tag, release or changelog entry associated with that release that I can see in this repository.
Tools such as dependabot and renovate will raise pull requests to update the package when new versions are available, but there is no obvious sign of why that update was produced and what changes it contains.
In the light of various recent supply chain compromises (e.g. GHSA-69fq-xp46-6x23), this can create suspicion and uncertainty about whether to trust such updates when there are no obvious signs that the release was intentional and done by the maintainer(s).
Coupled with publishing not appearing to ever be done from CI, and thus lacking provenance, releases such as 5.5.9 are currently indistinguishable from a supply chain compromise (no commits in Git, no tags, no release, no changelog). The package could contain anything and have come from anywhere.
To be clear, I don't currently think 5.5.9 is compromised, but there is uncertainty as to why it exists.
To improve supply-chain security, reduce user uncertainty, and increase change visibility, I would recommend this project:
- Ensure commits for a release are pushed to GitHub before publishing
- Ensure npm releases are published from a tag
- Create releases that are associated with tags
- Enable immutable releases to stop tags' commits being changed
- Publish to npm from GitHub Actions using OIDC to avoid API key compromises
- Enable provenance when publishing
- Update the changelog before, or soon after, a release
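One way to put the tag-based, OIDC-authenticated, provenance-enabled publishing steps above together, as an added example workflow that is not part of this repository. It assumes the package has been configured on npmjs.com with this repository and workflow file as a trusted publisher (so no long-lived `NPM_TOKEN` secret is needed) and that a GitHub environment named `npm-publish` exists; both names are placeholders.

```yaml
# Added example (not fast-xml-parser's own workflow): publish to npm only from a
# pushed version tag, authenticate with GitHub's OIDC token (npm "trusted
# publishing") and attach a provenance attestation to the published tarball.
name: Publish to npm

on:
  push:
    tags:
      - 'v*'          # publishing is tied to a tag, and therefore to a commit

permissions:
  contents: read
  id-token: write     # required for OIDC exchange with npm and for provenance signing

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish   # assumed environment name; can require approval first
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm client.
      - run: npm install -g npm@latest

      # Refuse to publish when the tag and package.json disagree, so every
      # version on the registry corresponds to exactly one tag in Git.
      - name: Check tag matches package version
        run: |
          tag="${GITHUB_REF_NAME#v}"
          pkg="$(node -p 'require("./package.json").version')"
          if [ "$tag" != "$pkg" ]; then
            echo "tag v$tag does not match package.json version $pkg" >&2
            exit 1
          fi

      - run: npm ci
      - run: npm test

      # --provenance records the source commit and workflow run in a Sigstore
      # attestation that consumers can check with `npm audit signatures`.
      - run: npm publish --provenance --access public
```

On the consuming side, `npm audit signatures` reports whether installed packages carry registry signatures and provenance attestations, which is the check that lets a dependabot or renovate update be tied back to a commit in this repository.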