
Releases: oopsio/is-verified-pkg

v1.0.0

05 Apr 06:39


is-verified-pkg v1.0.0

Project Overview

A lightweight utility for verifying the presence of OIDC provenance and Sigstore attestations for npm packages. It lets developers and CI/CD pipelines confirm whether a package was published by a Trusted Publisher (e.g., GitHub Actions) rather than uploaded manually, where the publishing identity is not attested.

Core Features

  • Zero Dependencies: Utilizes native Node.js fetch and AbortController.
  • Dual-Stack Distribution: Provides optimized CommonJS (.cjs) and ESM (.mjs) builds.
  • TypeScript Support: Includes minified .d.cts and .d.mts definition files for full IntelliSense support.
  • Integrated CLI: A standalone, bundled execution script for terminal-based verification.
  • Performance Optimized: Total package size is under 1KB through aggressive minification and mangling.

Installation

npm install is-verified-pkg

Library Usage

ESM

import { isVerified } from 'is-verified-pkg';

const verified = await isVerified('esbuild');
if (verified) {
  // Proceed with trusted execution
}

CommonJS

const { isVerified } = require('is-verified-pkg');

isVerified('zod').then(ok => {
  if (ok) console.log('Package is verified');
});

CLI Reference

The CLI returns an exit code of 0 on success and 1 on failure, making it compatible with shell scripts and CI environments.

# Basic check
npx is-verified-pkg <package-name>

# Version-specific check
npx is-verified-pkg <package-name> <version>

Technical Specification

  • Registry Interfacing: Queries https://registry.npmjs.org/ for package metadata.
  • Verification Logic: Validates trustedPublisher metadata and sigstore.bundle attestations within the dist object.
  • Timeout: Each registry request is bound to a 5000ms abort signal, so a stalled registry cannot hang the calling process.
  • Compliance: Linted with oxlint; uses optional catch binding (a catch clause without a parameter), which targets modern engines.
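An added illustration of the verification flow described in this section, written for this page rather than taken from is-verified-pkg's own source: native fetch wrapped in a 5000ms AbortController timeout, and a pure check that reports which of the two signals (trustedPublisher metadata, a Sigstore attestation entry under dist) a given version carries. The packument field paths `versions[v]._npmUser.trustedPublisher` and `versions[v].dist.attestations`, and the sample document, are assumptions made for the example.

```javascript
// Added example, not the is-verified-pkg implementation. Field paths below are assumed.
const REGISTRY = 'https://registry.npmjs.org/';
const TIMEOUT_MS = 5000;

// Fetch JSON with an abort signal so a stalled registry cannot hang the process.
async function fetchJson(url, timeoutMs = TIMEOUT_MS) {
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const res = await fetch(url, { signal: ac.signal, headers: { accept: 'application/json' } });
    if (!res.ok) throw new Error(`registry responded ${res.status}`);
    return await res.json();
  } finally {
    clearTimeout(timer); // always clear, or the pending timer keeps the event loop alive
  }
}

// Pure check over a packument. Returns every signal it looked at, so a CI log can
// say *why* a version failed instead of only reporting a boolean.
function assessVersion(packument, version) {
  const v = version ?? packument['dist-tags']?.latest;
  const entry = packument.versions?.[v];
  if (!entry) return { version: v, found: false, trustedPublisher: false, attestation: false, verified: false };
  const trustedPublisher = Boolean(entry._npmUser?.trustedPublisher); // assumed field path
  const attestation = Boolean(entry.dist?.attestations?.url);          // assumed field path
  return { version: v, found: true, trustedPublisher, attestation, verified: trustedPublisher && attestation };
}

// End-to-end: query the registry (scoped names are percent-encoded) and reduce to a verdict.
async function isVerifiedPkg(name, version) {
  const doc = await fetchJson(new URL(encodeURIComponent(name), REGISTRY));
  return assessVersion(doc, version).verified;
}

// Constructed sample packument (not real registry output): 1.2.0 carries both signals,
// 1.1.0 models a manual upload with neither.
const SAMPLE = {
  'dist-tags': { latest: '1.2.0' },
  versions: {
    '1.1.0': { dist: { tarball: 'https://example.invalid/pkg-1.1.0.tgz' }, _npmUser: { name: 'dev' } },
    '1.2.0': {
      dist: {
        tarball: 'https://example.invalid/pkg-1.2.0.tgz',
        attestations: { url: 'https://example.invalid/attestations', provenance: { predicateType: 'https://slsa.dev/provenance/v1' } },
      },
      _npmUser: { name: 'dev', trustedPublisher: { id: 'github' } },
    },
  },
};
```

As the project overview states, this is a presence check on registry metadata; verifying the Sigstore bundle's signature and certificate chain is a separate step that this example does not perform.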

License

MIT