Security and Supply Chain
RevoGrid Pro and RevoGrid Enterprise releases include supply-chain metadata for customers who need to review package contents, dependency metadata, and release authenticity.
For the public security policy, vulnerability reporting process, and response targets, see the RevoGrid Security Policy.
Release Artifacts
Each release publishes restricted npm packages through GitHub Packages:
- @revolist/revogrid-pro
- @revolist/revogrid-enterprise
Release packages are built in GitHub Actions, and the tarball that is signed is the same tarball that is published to GitHub Packages, so the signature on the GitHub Release artifact also covers the bytes that npm installs.
SBOM Files
Each release includes Software Bill of Materials (SBOM) files for dependency review:
- SPDX JSON: sbom.spdx.json
- CycloneDX JSON: sbom.cdx.json
The SBOM files are included in the package dist output and are also generated as release artifacts during the publish workflow.
Release Signatures
RevoGrid Pro and Enterprise npm tarballs are signed with Sigstore Cosign keyless signing in the official release workflow.
For each package tarball, the release includes a matching Sigstore bundle:
- <package>.tgz
- <package>.tgz.sigstore.json

The Sigstore bundle records the GitHub Actions workflow identity used to sign the package and can be used to verify that the tarball was signed by the RevoGrid release workflow and has not been modified since.
Verify a Package
Download the package tarball and its matching .sigstore.json bundle from the GitHub Release, then run:
```bash
cosign verify-blob ./revolist-revogrid-pro-*.tgz \
  --bundle ./revolist-revogrid-pro-*.tgz.sigstore.json \
  --certificate-identity-regexp 'https://github.com/.*/.github/workflows/publish.yml@.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

For Enterprise packages, use the Enterprise tarball and bundle:

```bash
cosign verify-blob ./revolist-revogrid-enterprise-*.tgz \
  --bundle ./revolist-revogrid-enterprise-*.tgz.sigstore.json \
  --certificate-identity-regexp 'https://github.com/.*/.github/workflows/publish.yml@.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

Note that the `.*` between `https://github.com/` and `/.github/workflows/publish.yml` matches a workflow of that name in any GitHub repository, so on its own the command only proves that some GitHub Actions `publish.yml` workflow produced the signature. Replace that `.*` with the organization and repository that publish RevoGrid (the path shown in the GitHub Release URL) so the check is tied to the RevoGrid release workflow specifically. `cosign verify-blob` exits non-zero when the bundle, the certificate identity, the issuer, or the tarball digest does not match; run it before installing the package and treat any failure as a stop.
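The following script is an added example, not RevoGrid's own tooling, that chains the cosign check above with two further checks a reviewer usually wants: that the SBOM files this page says ship in the package are actually inside the tarball, and that the tarball you verified is byte-identical to the one npm installed from GitHub Packages. The last check relies on npm's Subresource Integrity format (`sha512-` followed by the base64 of the raw SHA-512 digest), which is what `package-lock.json` records under `integrity` and what `npm view <pkg> dist.integrity` prints. The `REVOGRID_REPO` variable, the `verify-release.sh` file name and the function names are assumptions for illustration; the page does not name the repository that runs `publish.yml`, so take it from the Release URL rather than from this script.

```shell
#!/bin/sh
# Added example (not RevoGrid's code): verify a downloaded release tarball.
#   1. Signature: the page's cosign command with the org/repo pinned instead
#      of the ".*" wildcard. REVOGRID_REPO (e.g. "org/repo") is an assumption.
#   2. SBOM: both sbom.spdx.json and sbom.cdx.json are present in the tarball.
#   3. Integrity: the tarball matches the npm SRI value you got from
#      package-lock.json or `npm view <pkg> dist.integrity`.
set -eu

# npm_integrity FILE: print the SRI string npm stores for FILE
# ("sha512-" + base64 of the 64-byte SHA-512 digest, 95 characters in total).
npm_integrity() {
    printf 'sha512-%s' "$(openssl dgst -sha512 -binary "$1" | openssl base64 -A)"
}

# check_integrity FILE EXPECTED_SRI: succeed only if FILE hashes to EXPECTED_SRI.
check_integrity() {
    [ "$(npm_integrity "$1")" = "$2" ]
}

# sbom_present TARBALL: succeed only if both SBOM files appear in the listing,
# at any depth (the page says they live in the package dist output).
sbom_present() {
    listing=$(tar -tzf "$1")
    printf '%s\n' "$listing" | grep -qE '(^|/)sbom\.spdx\.json$' &&
    printf '%s\n' "$listing" | grep -qE '(^|/)sbom\.cdx\.json$'
}

# verify_signature TARBALL BUNDLE: the page's cosign command, repository pinned.
verify_signature() {
    : "${REVOGRID_REPO:?set REVOGRID_REPO to the org/repo that runs publish.yml}"
    cosign verify-blob "$1" \
        --bundle "$2" \
        --certificate-identity-regexp "https://github.com/${REVOGRID_REPO}/.github/workflows/publish.yml@.*" \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com
}

# verify_release TARBALL BUNDLE EXPECTED_SRI: run all three checks, fail fast.
verify_release() {
    verify_signature "$1" "$2"
    sbom_present "$1" || { echo "SBOM files missing from $1" >&2; return 1; }
    check_integrity "$1" "$3" || { echo "$1 does not match integrity $3" >&2; return 1; }
    echo "ok: $1 is signed by the release workflow, ships its SBOMs, and matches the installed package"
}

# Usage (assumed file name):
#   REVOGRID_REPO=org/repo ./verify-release.sh \
#       revolist-revogrid-pro-1.2.3.tgz revolist-revogrid-pro-1.2.3.tgz.sigstore.json \
#       "$(npm view @revolist/revogrid-pro dist.integrity)"
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

Run the signature check first: if cosign rejects the bundle there is no point comparing hashes. The integrity comparison is what links the signed GitHub Release artifact to the package npm actually unpacked into `node_modules`, which the signature alone does not establish.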