It'd be very useful to be able to list the packages which don't have provenance.
We could have a stricter mode of that where it lists those without trusted/oidc publishing too.
Basically, I imagine some kind of `--trusted-publisher=provenance` / `--trusted-publisher=oidc` setting we can turn on.
The node modules inspector already visualises this so the logic probably exists somewhere there.