Improve supply-chain transparency: repository links, npm provenance, community disclaimer #26

@apatecthelian

Description

The published npm packages (@atlassian-dc-mcp/jira, @atlassian-dc-mcp/confluence, @atlassian-dc-mcp/bitbucket, @atlassian-dc-mcp/common) currently lack some standard metadata that helps users verify their origin. The following three low-effort improvements would significantly increase supply-chain transparency for enterprise adopters.

1. Add repository / homepage / bugs fields to all package.json files

Problem: The npm package pages do not link back to this GitHub repository. This means:

- npm does not display a source-code link on the package page
- Users cannot easily verify the package comes from this repository
- Automated tools (e.g. npm audit, Snyk, Socket) cannot correlate the package to its source

Proposed change: Add the following fields to the root package.json and all workspace package.json files:

```json
{
  "repository": {
    "type": "git",
    "url": "https://github.com/b1ff/atlassian-dc-mcp.git",
    "directory": "packages/<package-name>"
  },
  "homepage": "https://github.com/b1ff/atlassian-dc-mcp#readme",
  "bugs": {
    "url": "https://github.com/b1ff/atlassian-dc-mcp/issues"
  }
}
```

2. Enable npm provenance in CI publish pipeline

Problem: There is currently no cryptographic link between the npm package and the GitHub Actions build that produced it. Users have to trust that the package on npm matches the source code on GitHub.
What provenance does: npm provenance (via Sigstore) creates a signed, verifiable attestation that proves:

- Which GitHub repository produced the package
- Which commit was used
- Which CI workflow built it

Proposed change in `.github/workflows/npm-publish.yml`:

1. Add `id-token: write` permission to the `publish-npm` job:

   ```yaml
   permissions:
     contents: write
     id-token: write
   ```

2. Set `NPM_CONFIG_PROVENANCE=true` before the `lerna publish` command (or add `--provenance` to the `npm publish` call).

After this change, the npm package pages will display a green "Provenance" badge linking back to the exact GitHub Actions run.

3. Add a community disclaimer to README and package descriptions

Problem: The @atlassian-dc-mcp scope name could be mistaken for an official Atlassian package. Users evaluating this for enterprise use need a clear signal that this is a community-maintained project.
Proposed changes:
Add a short disclaimer at the top of the root README.md:

> **Note:** This is a community-maintained project and is **not affiliated with, endorsed by, or supported by Atlassian**.
> Use at your own discretion.

Add a description field to each published package.json:

```json
{
  "description": "Community-maintained MCP server for Atlassian Jira Data Center. Not affiliated with Atlassian."
}
```
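As an added example (not code from this issue or from the atlassian-dc-mcp project), a small pre-publish check that flags the metadata gaps described in items 1 and 3 above, so a CI step can fail before an incomplete manifest reaches npm. The function name `checkPackageMetadata`, the workspace path `packages/jira`, and the two sample manifests are assumptions constructed for the example.

```javascript
// Added example: validate the supply-chain metadata this issue asks for.
// Manifests are checked in memory; the samples below are constructed, not real.
const REPO_URL = "https://github.com/b1ff/atlassian-dc-mcp.git";
const REPO_HOME = "https://github.com/b1ff/atlassian-dc-mcp";

// Returns a list of findings; an empty list means the manifest carries every
// field the issue proposes (repository, homepage, bugs, non-affiliation note).
function checkPackageMetadata(pkg, expectedDirectory) {
  const findings = [];
  const repo = pkg.repository;
  if (!repo || typeof repo !== "object") {
    findings.push("missing repository field");
  } else {
    if (repo.type !== "git") findings.push("repository.type should be 'git'");
    if (repo.url !== REPO_URL) findings.push(`repository.url should be ${REPO_URL}`);
    if (repo.directory !== expectedDirectory)
      findings.push(`repository.directory should be ${expectedDirectory}`);
  }
  if (pkg.homepage !== `${REPO_HOME}#readme`) findings.push("missing or wrong homepage");
  if (!pkg.bugs || pkg.bugs.url !== `${REPO_HOME}/issues`)
    findings.push("missing or wrong bugs.url");
  if (!pkg.description || !/not affiliated with atlassian/i.test(pkg.description))
    findings.push("description lacks the community / non-affiliation note");
  return findings;
}

// Constructed sample: a manifest with none of the proposed fields (today's state).
const before = { name: "@atlassian-dc-mcp/jira", version: "0.0.0" };

// Constructed sample: the same manifest with the proposed fields applied.
// "packages/jira" is an assumed workspace directory.
const after = {
  ...before,
  description:
    "Community-maintained MCP server for Atlassian Jira Data Center. Not affiliated with Atlassian.",
  repository: { type: "git", url: REPO_URL, directory: "packages/jira" },
  homepage: `${REPO_HOME}#readme`,
  bugs: { url: `${REPO_HOME}/issues` },
};

console.log(checkPackageMetadata(before, "packages/jira")); // four findings
console.log(checkPackageMetadata(after, "packages/jira"));  // []
```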

Summary

| Improvement | Effort | Impact |
|---|---|---|
| repository / homepage / bugs fields | Low (metadata only) | npm links to source, tool compatibility |
| npm provenance | Low (CI config change) | Cryptographic proof: npm package = GitHub code |
| Community disclaimer | Low (docs only) | Clear expectation management for enterprise users |

None of these changes affect runtime behavior. They are purely metadata, CI configuration, and documentation improvements.
I'd be happy to contribute a PR for any or all of these if you're interested.
