NPM Audit Signatures issue on 11.0.3

[nicholasgriffintn]

Hey, just tried publishing our package which does signature checks before going out to NPM.

Errored with the following on those signature checks:

1 package has an invalid attestation:

@semantic-release/npm@11.0.3 (https://registry.npmjs.org/)

Someone might have tampered with this package since it was published on the registry!

Seems to be fine with 11.0.2. Also, this version is showing checked on NPM, so not entirely sure on the issue here, maybe something to check out?

[travi]

A change was made to what is stored in sigstore when generating provenance before that version of our npm package was published. The latest npm cli is updated to handle the updated details, but it's not included with node yet. See npm/cli#7279 for more details.

[nicholasgriffintn]

Ahh yeah I got this error too on our package after publishing, forgot to update.

Thanks for the link.