Provenance verification now checks DSSE signatures and repo identity (5ff1f81)
JSR now rejects forged provenance bundles by verifying the DSSE signature itself and binding the Fulcio certificate to the package’s linked GitHub repository. This closes a gap where a valid certificate plus a fake envelope could have been accepted, preventing untrusted packages from gaining a provenance badge.
OAuth state is now tied to the initiating user (466118f)
The OAuth state flow now stores and returns a user_id, ensuring the callback is matched to the same user who started the login. That hardens the auth flow against state reuse or cross-user confusion during sign-in.
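To illustrate the user binding described above, here is an added example (not JSR's own code) of an in-memory OAuth state store with the old, unbound check beside the hardened one; the store shape, the TTL and the `user_id` strings are assumptions for the demonstration.

```python
import secrets
import time


class OAuthStateStore:
    """Constructed in-memory store: state -> (user_id, expires_at).
    Assumed shape for this example, not JSR's actual storage."""

    TTL_SECONDS = 600

    def __init__(self):
        self._states = {}

    def begin(self, user_id: str) -> str:
        """Start a login: mint a random state bound to the initiating user."""
        state = secrets.token_urlsafe(32)
        self._states[state] = (user_id, time.monotonic() + self.TTL_SECONDS)
        return state

    def finish_unbound(self, state: str) -> bool:
        """Old behaviour: any unexpired state is accepted, no matter which
        user's session completes the callback. A state minted in one
        session can therefore be redeemed in another."""
        entry = self._states.pop(state, None)
        return entry is not None and time.monotonic() < entry[1]

    def finish(self, state: str, user_id: str) -> bool:
        """Hardened behaviour: the state is single-use and must belong to
        the same user who started the flow."""
        entry = self._states.pop(state, None)  # consumed on first use
        if entry is None:
            return False
        stored_user, expires_at = entry
        if time.monotonic() >= expires_at:
            return False
        # Constant-time comparison so the check leaks nothing about the id.
        return secrets.compare_digest(stored_user, user_id)
```

Because the state is popped on the first attempt, a mismatched callback also invalidates the state, so it cannot be retried by the legitimate user either; they simply start a fresh login.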
OpenTelemetry export is sampled at 5% (08e7a3d)
The OTLP tracer and bridged logs now use 5% sampling to cut export volume and cost, while keeping each sampled trace whole via parent-based trace sampling. Error/warn logs still bypass sampling, so incident data remains exported even when a trace is dropped.
Frontend and resolver hardening (ae32a9f, 1c23d2a)
The frontend middleware adds CSP and related hardening headers, and manifest caching no longer uses stale-while-revalidate, reducing the chance that freshly published versions stay invisible behind stale edge responses. Together, these changes improve security and publication correctness.
Other misc changes
- Dependency bumps and version alignment across Rust crates
- Updated module graph error messages for newer Deno parsing output
- Added `unstable_css_imports: false` to analysis paths