mongodb 7.2.0-dev.20260520.sha.90f6967e → 7.2.0-dev.20260530.sha.d2b828ba
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -2
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -22,7 +22,7 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js.
|
|
|
22
22
|
|
|
23
23
|
### Release Integrity
|
|
24
24
|
|
|
25
|
-
Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc).
|
|
25
|
+
Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). All release packages provided as part of a GitHub release are signed. To verify the provided packages, download the key and import it using gpg:
|
|
26
26
|
|
|
27
27
|
```shell
|
|
28
28
|
gpg --import node-driver.asc
|
|
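Review bot: At new line 25 the added text tells readers to "download the key and import it using gpg", but the visible lines give no fingerprint to compare the downloaded key against, so verification rests entirely on whatever `node-driver.asc` the link returns. Suggest stating the expected key fingerprint in this paragraph, or linking a second, independent place where it is published, and asking readers to compare it against the output of `gpg --fingerprint` after the import. The code block also opens directly with `gpg --import node-driver.asc`; a download step for the key would make the sequence match the sentence that introduces it.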
@@ -46,7 +46,13 @@ gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz
|
|
|
46
46
|
```
|
|
47
47
|
|
|
48
48
|
> [!Note]
|
|
49
|
-
> No verification is done when using npm to install the package. The contents of the
|
|
49
|
+
> No GPG verification is done when using npm to install the package. The contents of the GitHub tarball and npm's tarball are identical.
|
|
50
|
+
|
|
51
|
+
Releases published to the npm registry also include a [provenance attestation](https://docs.npmjs.com/generating-provenance-statements), which cryptographically links the package to its source repository and build workflow. To verify provenance:
|
|
52
|
+
|
|
53
|
+
```shell
|
|
54
|
+
npm audit signatures
|
|
55
|
+
```
|
|
50
56
|
|
|
51
57
|
The MongoDB Node.js driver follows [semantic versioning](https://semver.org/) for its releases.
|
|
52
58
|
|
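Review bot: At new lines 51-55, `npm audit signatures` is presented as the way to verify provenance with no indication of where to run it. The command checks the dependencies installed in the current project, so the README should say to run it inside a project that has `mongodb` installed from the registry, and name the minimum npm version that supports it. The reworded note on new line 49 also asserts that the GitHub tarball and npm's tarball are identical without giving a way to confirm it; a sentence pointing to a checksum comparison of the two files would make that claim checkable.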