
NPM package attestation verification

 ☞   Publish Attestation is enabled for our ledger-button package. It links the published package to its source and build instructions, improving supply-chain transparency.

Understanding provenance and attestation

What is npm provenance?

npm can show two attestations:

Provenance Attestation
  • Links a package to its repo and build process
  • Indicates where/how it was built
  • Lets you verify origin pre-install

Publish Attestation
  • Created by the registry at publish time by an authorized user
  • Signed via Sigstore
  • Recorded in a public transparency log

Both are public and help verify origin.

About Sigstore

npm’s publish attestation is implemented via Sigstore. When Ledger enables publish attestation for ledger-button, the registry:

  • Issues a short‑lived certificate that binds the publisher’s identity to the specific release
  • Records the attestation in a public transparency log for tamper‑evidence

This proves who published the package and when, and links the artifact to its source/build instructions. It does not review or audit the package’s code.

⚠️  Provenance does not guarantee code safety. It only proves origin and build details so you can decide whether to trust the package.

npm vs pnpm: When verification happens and how trust is enforced

pnpm (recommended): enforces trust during install and can block untrusted direct or transitive deps
npm: verifies after install via a separate command

Configure verification and trust policy

Trust policy configuration

With pnpm, verification is part of installation. If a package violates trust policy, install is blocked, thanks to the following setting:

pnpm-workspace.yaml
# Block installation if trust level decreases
trustPolicy: no-downgrade

# Optional exceptions (use sparingly)
# trustPolicyExclude:
#   - some-legacy-package

pnpm compares trust before extraction. If a newer publish has less evidence than earlier publishes in the same release channel, it blocks the install.

Trust policy exceptions

Add safe, verified packages to exclusions if needed:

pnpm-workspace.yaml
# Block installation if trust level decreases
trustPolicy: no-downgrade

# Optional exceptions (use sparingly)
trustPolicyExclude:
  - some-legacy-package

⚠️  Only exclude packages you have verified are safe; exclusions bypass trust checks for that package.

Installation

pnpm install

Verification outcomes

What to expect from pnpm

  • Enforces trust policy during install
  • Based on publish date, not semver
  • Applies to transitive dependencies
  • Blocks the entire install if any dependency fails

Example error

ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "package-name@version"
(possible package takeover)

Trust checks are based on publish date. If any earlier-published version had stronger trust,
this version is blocked.

Transitive dependency protection example

In this example, pnpm blocked a downgrade in a transitive dep (undici-types) while installing @ledgerhq/context-module:

ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "undici-types@6.19.8"
(possible package takeover)

This error happened while installing the dependencies of `@ledgerhq/context-module`
    at ethers@6.14.1
    at @types/node@22.7.5

Dependency chain: @ledgerhq/context-module → ethers → @types/node → undici-types

How pnpm compares prerelease and stable versions

pnpm evaluates trust within the same release channel:

  • Prerelease versions (0.0.0-*, 1.0.0-beta.1) compared against other prereleases
  • Stable versions (1.0.0, 2.3.4) compared against other stable versions
⚠️  Prereleases are not compared to stables. Trust can only downgrade within the same channel.

Example

  • 0.0.0-develop-20251126 (prerelease) has attestation → sets prerelease baseline
  • 0.0.0-develop-20251128 (prerelease) lacks attestation → BLOCKED (trust downgrade in prerelease)
  • 1.11.0 (stable) lacks attestation → NOT blocked (no prior stable had attestation)
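The channel-based comparison described above, modelled as an added Python example (this is illustrative code written for this page, not pnpm's own implementation). It assumes trust is a simple ordinal (no evidence vs. attested), that a prerelease is any version carrying a prerelease tag, and it replays the example above with a constructed history and a placeholder package name.

```python
from dataclasses import dataclass
from datetime import date

# Ordinal trust levels: an assumed simplification of pnpm's trust signals.
NO_EVIDENCE, ATTESTED = 0, 1


@dataclass(frozen=True)
class Publish:
    """One published version: semver string, publish date, trust level."""
    version: str
    published: date
    trust: int


def channel(version: str) -> str:
    """Release channel: 'prerelease' if the version carries a prerelease tag."""
    _core, _sep, pre = version.partition("-")
    return "prerelease" if pre else "stable"


def is_trust_downgrade(candidate: Publish, history: list) -> bool:
    """True when an earlier publish in the same channel had stronger trust.

    Comparison is by publish date, not semver; prereleases and stables are
    never compared with each other, as the page describes.
    """
    prior = [p for p in history
             if channel(p.version) == channel(candidate.version)
             and p.published < candidate.published]
    baseline = max((p.trust for p in prior), default=NO_EVIDENCE)
    return candidate.trust < baseline


def check_install(name: str, candidate: Publish, history: list,
                  exclude: frozenset = frozenset()) -> str:
    """Return 'ok' or the blocking error text; 'exclude' models trustPolicyExclude."""
    if name in exclude:
        return "ok"  # excluded packages bypass the trust check entirely
    if is_trust_downgrade(candidate, history):
        return (f'ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for '
                f'"{name}@{candidate.version}" (possible package takeover)')
    return "ok"


# Constructed publish history mirroring the page's example (placeholder package).
HISTORY = [
    Publish("0.0.0-develop-20251126", date(2025, 11, 26), ATTESTED),
    Publish("1.10.0", date(2025, 11, 20), NO_EVIDENCE),
]
PRE_NEWER = Publish("0.0.0-develop-20251128", date(2025, 11, 28), NO_EVIDENCE)
STABLE_NEWER = Publish("1.11.0", date(2025, 11, 30), NO_EVIDENCE)
```

Running `check_install("example-pkg", PRE_NEWER, HISTORY)` yields the downgrade error, while `STABLE_NEWER` installs because no earlier stable publish carried an attestation.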

pnpm vs npm: at a glance

Aspect                      | pnpm (recommended)                  | npm
When verification happens   | During install (pre‑install block)  | After install (reactive check)
Blocks untrusted packages   | Yes (automatic)                     | No (manual check)
Requires separate command   | No                                  | Yes (npm audit signatures)
Policy enforcement          | trustPolicy: no-downgrade           | None
Checks transitive deps      | Yes (blocks before install)         | Yes (after install only)
Comparison basis            | Publish date and trust signals      | N/A
