node-dependencies/require-provenance-deps
Require provenance information for dependencies
📖 Rule Details
This rule reports dependency entries whose allowed version range includes versions that were not published with provenance attestations on the npm registry. It checks `dependencies` and `peerDependencies` by default, and can optionally check `devDependencies`.
```jsonc
/* eslint "node-dependencies/require-provenance-deps": "error" */
{
  "dependencies": {
    "eslint": "^9.39.0" /* ✓ GOOD: All resolved versions provide provenance information. */
  }
}
```

```jsonc
/* eslint "node-dependencies/require-provenance-deps": "error" */
{
  "dependencies": {
    "eslint": "^9.0.0", /* ✗ BAD: Reports because versions <=9.38.0 lack provenance attestations. */
    "babel-eslint": "^10" /* ✗ BAD: Reports because versions 10.0.0 - 10.1.0 lack provenance attestations. */
  }
}
```
The rule fetches npm registry metadata for each checked dependency to determine which published versions carry provenance attestations, so linting needs network access to the registry. If no metadata is available for the package or range, the dependency is ignored rather than reported.
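The check the rule performs, as an added example (not code from eslint-plugin-node-dependencies): given registry metadata for a package and a caret range, list the versions the range can resolve to that carry no provenance attestation. The metadata document below is constructed for this example, with illustrative version numbers and URLs; the example relies on the registry exposing attestations as `dist.attestations.provenance` on each version entry. Only `^` ranges are supported here; the real rule uses a full semver matcher.

```javascript
// Added example, not the plugin's code: decide whether every version a caret
// range could resolve to was published with an npm provenance attestation.

// Parse "X.Y.Z" into [X, Y, Z]. Pre-release tags are not handled (assumption:
// enough for the examples on this page; the real rule uses full semver).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics: "^X.Y.Z" allows >=X.Y.Z and <(X+1).0.0 when X > 0;
// "^0.Y.Z" allows <0.(Y+1).0; "^0.0.Z" pins the patch. Omitted parts ("^10")
// are treated as zero and widen the range accordingly ("^0" means <1.0.0).
function caretSatisfies(range, version) {
  const m = /^\^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const major = Number(m[1]);
  const minor = m[2] === undefined ? 0 : Number(m[2]);
  const patch = m[3] === undefined ? 0 : Number(m[3]);
  const [vMajor, vMinor, vPatch] = parseVersion(version);
  if (compareVersions(version, `${major}.${minor}.${patch}`) < 0) return false;
  if (major > 0 || m[2] === undefined) return vMajor === major;
  if (minor > 0 || m[3] === undefined) return vMajor === 0 && vMinor === minor;
  return vMajor === 0 && vMinor === 0 && vPatch === patch;
}

// A version published with provenance carries dist.attestations.provenance in
// the registry metadata; anything else is treated as lacking provenance.
function hasProvenance(versionMeta) {
  return Boolean(versionMeta && versionMeta.dist && versionMeta.dist.attestations
    && versionMeta.dist.attestations.provenance);
}

// Versions inside `range` with no provenance attestation, ascending. An empty
// result means the dependency passes; a non-empty one is what gets reported.
function versionsWithoutProvenance(packument, range) {
  return Object.keys(packument.versions)
    .filter((v) => caretSatisfies(range, v))
    .filter((v) => !hasProvenance(packument.versions[v]))
    .sort(compareVersions);
}

// Constructed metadata: 9.39.0 and later were published with provenance,
// earlier versions were not (mirrors the eslint example above; data is made up).
function versionMeta(version, withProvenance) {
  const dist = { tarball: `https://registry.example.invalid/example-pkg/-/example-pkg-${version}.tgz` };
  if (withProvenance) {
    dist.attestations = {
      url: `https://registry.example.invalid/-/npm/v1/attestations/example-pkg@${version}`,
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    };
  }
  return { name: "example-pkg", version, dist };
}

const PACKUMENT = {
  name: "example-pkg",
  versions: {
    "9.37.0": versionMeta("9.37.0", false),
    "9.38.0": versionMeta("9.38.0", false),
    "9.39.0": versionMeta("9.39.0", true),
    "9.39.1": versionMeta("9.39.1", true),
    "10.0.0": versionMeta("10.0.0", true),
  },
};

// Same verdicts as the rule's examples: "^9.39.0" passes, "^9.0.0" is reported.
console.log(versionsWithoutProvenance(PACKUMENT, "^9.39.0")); // []
console.log(versionsWithoutProvenance(PACKUMENT, "^9.0.0"));  // ["9.37.0", "9.38.0"]
```

To see the field on the real registry, `npm view eslint@9.39.0 dist.attestations` prints the attestation URL and predicate type for a version published with provenance and nothing for one that was not. Note that this rule, like the example, only checks that an attestation is available; verifying the attestations of the packages actually installed is a separate step, which `npm audit signatures` performs.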
🔧 Options
```json
{
  "node-dependencies/require-provenance-deps": ["error", {
    "devDependencies": false,
    "allows": []
  }]
}
```

- `devDependencies` … When `true`, the rule also inspects `devDependencies`.
- `allows` … An array of package names to ignore, even if they don't publish provenance data.
💡 Examples
```jsonc
/* eslint "node-dependencies/require-provenance-deps": ["error", {"devDependencies": true}] */
{
  "devDependencies": {
    "eslint": "^9.0.0" /* ✗ BAD: Reported once devDependencies are included. */
  }
}
```

```jsonc
/* eslint "node-dependencies/require-provenance-deps": ["error", {"allows": ["eslint"]}] */
{
  "dependencies": {
    "eslint": "^9.0.0" /* ✓ GOOD: Explicitly allowed via the allows option. */
  }
}
```
📚 Further reading
🚀 Version
This rule was introduced in eslint-plugin-node-dependencies v1.2.0