Warn when the npm provenance source commit or repository cannot be found

npm will now check the linked source commit and repository when you view a package's provenance information on npmjs.com. If the linked source commit or repository cannot be found, an error displays at the top of the page and alongside the provenance information to let you know that provenance for this package can no longer be established. This can happen when a repository is deleted or made private.

Note: In future releases, publishing a public package with provenance from a private source repository will not be allowed.

Read more about viewing npm provenance and publishing with provenance.

JUN.17Improvement
Secret scanning updates – June 2026
- Application Security
JUN.16Release
GitHub Code Quality generally available July 20, 2026
- Application Security
JUN.16Release
Organization-level enablement for GitHub Code Quality
- Application Security
JUN.10Improvement
Incremental analysis for Go, C/C++, and CodeQL CLI
- Application Security
JUN.10Improvement
Dedicated security review command now available in Copilot CLI
- Application Security
JUN.9Release
Periodic code scanning of inactive repositories
- Application Security
JUN.9Improvement
Security validation for third-party coding agents
- Application Security
JUN.5Improvement
CodeQL 2.25.6 adds Swift 6.3.2 support and improves C# coverage
- Application Security
JUN.2Release
Cloud and local sandboxes for GitHub Copilot now in public preview
- Application Security

Warn when the npm provenance source commit or repository cannot be found

Related Posts

Subscribe to our developer newsletter