NodeSecure · fraxken · Mar 28, 2026 · Mar 28, 2026
diff --git a/.changeset/fiery-ideas-peel.md b/.changeset/fiery-ideas-peel.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": patch
+---
+
+Add attestations on first dependency enrichment
diff --git a/workspaces/scanner/src/registry/NpmRegistryProvider.ts b/workspaces/scanner/src/registry/NpmRegistryProvider.ts
@@ -123,7 +123,8 @@ export class NpmRegistryProvider {
       flags: Object.keys(flags).filter((key) => flags[key]),
       version: {
         links: getLinks(packumentVersion),
-        deprecated: packumentVersion.deprecated
+        deprecated: packumentVersion.deprecated,
+        attestations: packumentVersion.dist.attestations
       }
     };
   }

diff --git a/workspaces/scanner/test/NpmRegistryProvider.spec.ts b/workspaces/scanner/test/NpmRegistryProvider.spec.ts
@@ -758,6 +758,28 @@ describe("NpmRegistryProvider", () => {
       });
     });
 
+    test("should enrich dependency with attestations for a package with provenance", async() => {
+      const dependency = {
+        metadata: {},
+        versions: {
+          "3.1.0": {
+            flags: []
+          }
+        }
+      } as unknown as Dependency;
+      const logger = new Logger().start("registry");
+      const provider = new NpmRegistryProvider("@nodesecure/cli", "3.1.0");
+
+      await provider.enrichDependency(logger, dependency);
+
+      assert.deepEqual(dependency.versions["3.1.0"]!.attestations, {
+        url: "https://registry.npmjs.org/-/npm/v1/attestations/@nodesecure%2fcli@3.1.0",
+        provenance: {
+          predicateType: "https://slsa.dev/provenance/v1"
+        }
+      });
+    });
+
     test("should detect and flag deprecated package versions", async() => {
       const dependency = {
         metadata: {},