Skip to content

vadimpiven/node-addon-slsa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
.cache
.cache
 
 
.claude
.claude
 
 
.devcontainer
.devcontainer
 
 
.github
.github
 
 
.husky
.husky
 
 
.vscode
.vscode
 
 
.zed
.zed
 
 
packages
packages
 
 
patches
patches
 
 
.codecov.yml
.codecov.yml
 
 
.editorconfig
.editorconfig
 
 
.env.example
.env.example
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.gitleaks.toml
.gitleaks.toml
 
 
.markdownlint-cli2.jsonc
.markdownlint-cli2.jsonc
 
 
.mise-version
.mise-version
 
 
.npmrc
.npmrc
 
 
.oxfmtrc.json
.oxfmtrc.json
 
 
.oxlintrc.json
.oxlintrc.json
 
 
CLAUDE.md
CLAUDE.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE-APACHE.txt
LICENSE-APACHE.txt
 
 
LICENSE-MIT.txt
LICENSE-MIT.txt
 
 
NOTICE.txt
NOTICE.txt
 
 
README.md
README.md
 
 
mise.lock
mise.lock
 
 
mise.toml
mise.toml
 
 
package.json
package.json
 
 
pnpm-lock.yaml
pnpm-lock.yaml
 
 
pnpm-workspace.yaml
pnpm-workspace.yaml
 
 
taplo.toml
taplo.toml
 
 
trivy.yaml
trivy.yaml
 
 
typos.toml
typos.toml
 
 

Repository files navigation

GitHub repo npm version API docs Ask DeepWiki CI status Test coverage Supply-chain score

Open in GitHub Codespaces

node-addon-slsa

You npm install a package with a prebuilt .node binary. The package is signed — but how do you know the binary was built from the same source? You don't, unless both artifacts are verified against the same CI run.

node-addon-slsa cross-checks sigstore npm provenance with the Rekor transparency log to confirm the package and its binary were produced by the same GitHub Actions workflow run. If they were not, installation aborts with a SECURITY error.

npm install node-addon-slsa

Usage

{
  "addon": {
    "path": "./dist/my_addon.node"
  },
  "scripts": {
    "postinstall": "slsa wget",
    "pack-addon": "slsa pack"
  }
}

Download URLs live in the generated slsa-manifest.json alongside the binary's SHA-256 and sigstore sidecar URL; the publish workflow writes it into the published tarball.

Programmatic API:

import { verifyPackage } from "node-addon-slsa";

const provenance = await verifyPackage({
  packageName: "my-native-addon",
  repo: "owner/repo",
});

await provenance.verifyAddonFromFile("/path/to/addon.node.gz");

Setup guide, threat model, and full API reference (including requireAddon, options, error handling): packages/node-addon-slsa/README.md

The published npm package lives in packages/node-addon-slsa/; workspace-internal primitives live in packages/internal/ as @node-addon-slsa/internal. See packages/README.md for the layout.

Contributing

See CONTRIBUTING.md.

License

Apache-2.0 OR MIT — see LICENSE-APACHE.txt and LICENSE-MIT.txt.

About

Provenance verification for prebuilt native addons with GitHub attestations

npmjs.com/package/node-addon-slsa

Resources

Readme

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE.txt
MIT
LICENSE-MIT.txt

Contributing

Contributing
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 30

v0.9.1 Latest
Apr 22, 2026
+ 29 releases

Sponsor this project

Contributors

Languages