Changelog

jsr-io/jsr · 5 commits

Security fixes, tracing sampling, and hardening

JSR tightened provenance verification and auth state handling, added 5% OTLP sampling, and hardened frontend responses.

Provenance verification now checks DSSE signatures and repo identity (crowlKats, 5ff1f81)

JSR now rejects forged provenance bundles by verifying the DSSE signature itself and binding the Fulcio certificate to the package’s linked GitHub repository. This closes a gap where a valid certificate plus a fake envelope could have been accepted, preventing untrusted packages from gaining a provenance badge.
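As an added illustration of the two checks described above (Go standard library only; this is not JSR's own Rust code), the signature is verified over the DSSE pre-authentication encoding rather than the raw payload, and only then is the certificate identity bound to the linked repository. The key pair, the repository name and the SAN URI are constructed for the example; in the real flow the public key and SAN come from a Fulcio leaf certificate whose chain has already been validated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Envelope mirrors the DSSE JSON envelope; encoding/json base64-encodes the []byte fields as DSSE does.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     []byte      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct{ Sig []byte `json:"sig"` }

// pae is the DSSE v1 Pre-Authentication Encoding: the signature covers this, never the raw payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// VerifyProvenance accepts a bundle only if a signature verifies over the PAE with the key from the
// chain-validated Fulcio leaf certificate AND that certificate's SAN URI is a workflow of the linked repo.
func VerifyProvenance(env Envelope, pub *ecdsa.PublicKey, certSANURI, linkedRepo string) error {
	digest, ok := sha256.Sum256(pae(env.PayloadType, env.Payload)), false
	for _, s := range env.Signatures {
		ok = ok || ecdsa.VerifyASN1(pub, digest[:], s.Sig)
	}
	if !ok {
		return fmt.Errorf("no signature verifies over the DSSE envelope")
	}
	// GitHub Actions identity: https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>; the
	// trailing "/.github/workflows/" keeps "acme/widget" from matching "acme/widget-evil".
	if !strings.HasPrefix(certSANURI, "https://github.com/"+linkedRepo+"/.github/workflows/") {
		return fmt.Errorf("certificate identity %q is not a workflow of %s", certSANURI, linkedRepo)
	}
	return nil
}

// TestKey is a constructed stand-in for the short-lived key Fulcio certifies; SignEnvelope uses it.
var TestKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

func SignEnvelope(payloadType string, payload []byte) (Envelope, error) {
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, TestKey, digest[:])
	return Envelope{payloadType, payload, []Signature{{sig}}}, err
}
```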

OAuth state is now tied to the initiating user (crowlKats, 466118f)

The OAuth state flow now stores and returns a user_id, ensuring the callback is matched to the same user who started the login. That hardens the auth flow against state reuse or cross-user confusion during sign-in.

OpenTelemetry export is sampled at 5% (crowlKats, 08e7a3d)

The OTLP tracer and bridged logs now use 5% sampling to cut export volume and cost, while keeping each sampled trace whole via parent-based trace sampling. Error/warn logs still bypass sampling, so incident data remains exported even when a trace is dropped.

Frontend and resolver hardening (crowlKats, ae32a9f and 1c23d2a)

The frontend middleware adds CSP and related hardening headers, and manifest caching no longer uses stale-while-revalidate, reducing the chance that freshly published versions stay invisible behind stale edge responses. Together, these changes improve security and publication correctness.

Other misc changes

  • Dependency bumps and version alignment across Rust crates
  • Updated module graph error messages for newer Deno parsing output
  • Added unstable_css_imports: false to analysis paths