Search Terms
npm, commit, gitHead
Suggestion
In order to participate in a secure software supply chain, TypeScript should provide the release commit in the package.json's gitHead property for releases made to npmjs.org.
Use Cases
This field is used to establish the provenance of artifacts downloaded from npm and can be used to validate that the received artifact matches the original sources. This field also enables other ecosystem tools such as Sourcegraph and clearlydefined.io.
Checklist
My suggestion meets these guidelines:
This wouldn't be a breaking change in existing TypeScript/JavaScript code
This wouldn't change the runtime behavior of existing JavaScript code
This could be implemented without emitting different JS based on the types of the expressions
This isn't a runtime feature (e.g. library functionality, non-ECMAScript syntax with JavaScript output, etc.)
I think we could have the gulp LKG script modify package.json according to the current git HEAD, since the things we publish to npm are solely outputs of that process.
This is one of the fields that npm generates on publish, right; if we're missing it, it's an npm bug, afaik, since npm pack is supposed to add all the generated fields to the package.json in the tarball it packs.
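The provenance check the issue describes, as an added example that is not part of the TypeScript project, this issue thread, or npm's own code: it reads the gitHead field that npm writes into the published package.json (whether obtained from `npm view <pkg> --json` or from the package/package.json entry in the tarball), rejects a missing or malformed value, compares it with an independently trusted commit, and lists the commands a reviewer would run to rebuild from that commit. The manifests, package name, repository URL and expected commit below are constructed sample data, and the function names are this example's own.

```javascript
// Added example: consume the gitHead field npm records in a published
// package.json and turn it into a checkable provenance claim.
// Not code from the TypeScript repository or from npm; names and sample
// data are hypothetical.

const GIT_SHA1 = /^[0-9a-f]{40}$/;

// Normalise the repository.url spellings npm accepts ("git+https://...",
// "git://...", "github:owner/repo") into an https clone URL.
function cloneUrl(url) {
  let u = url.trim();
  if (/^github:/.test(u)) u = `https://github.com/${u.slice('github:'.length)}`;
  u = u.replace(/^git\+/, '').replace(/^git:\/\//, 'https://');
  if (/^https?:\/\//.test(u) && !u.endsWith('.git')) u += '.git';
  return u;
}

// Parse the published manifest and extract the provenance-relevant fields.
// Returns { ok: false, reason } when gitHead is absent or malformed, which
// is exactly the gap the issue reports for TypeScript releases.
function extractProvenance(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (e) {
    return { ok: false, reason: 'manifest is not valid JSON' };
  }
  const { name, version, gitHead, repository } = manifest;
  if (typeof gitHead !== 'string') {
    return { ok: false, reason: `${name}@${version}: no gitHead in published package.json` };
  }
  if (!GIT_SHA1.test(gitHead)) {
    // npm writes the full 40-hex SHA-1 of HEAD at pack time; anything else is unusable.
    return { ok: false, reason: `${name}@${version}: gitHead is not a full commit id` };
  }
  const rawUrl = typeof repository === 'string' ? repository : repository && repository.url;
  return { ok: true, name, version, gitHead, repoUrl: rawUrl ? cloneUrl(rawUrl) : undefined };
}

// Compare the published claim with a commit obtained from a trusted source,
// e.g. `git rev-parse <release-tag>^{commit}` in a fresh clone of the repo.
// A mismatch means the tarball was not built from the commit the release
// points at and should not be trusted without further investigation.
function checkAgainstExpected(provenance, expectedCommit) {
  if (!provenance.ok) return { verified: false, reason: provenance.reason };
  if (provenance.gitHead !== expectedCommit.toLowerCase()) {
    return { verified: false, reason: `gitHead ${provenance.gitHead} != expected ${expectedCommit}` };
  }
  return { verified: true, reason: 'gitHead matches expected commit' };
}

// Commands to rebuild the package from the claimed commit so the result can
// be diffed against the downloaded tarball. Returned as strings rather than
// executed so the example runs offline.
function reproductionCommands(provenance, workdir = 'src') {
  if (!provenance.ok) return [];
  return [
    `git clone --no-checkout ${provenance.repoUrl} ${workdir}`,
    `git -C ${workdir} checkout --detach ${provenance.gitHead}`,
    `npm --prefix ${workdir} ci && npm --prefix ${workdir} pack`,
  ];
}

// Constructed sample manifests (not real registry data).
const WITH_HEAD = JSON.stringify({
  name: 'example-pkg',
  version: '1.2.3',
  repository: { type: 'git', url: 'git+https://github.com/example/example-pkg.git' },
  gitHead: 'a'.repeat(40),
});
const WITHOUT_HEAD = JSON.stringify({ name: 'example-pkg', version: '1.2.3' });

// Run both sample manifests through the check and return the results.
function demo() {
  const expected = 'a'.repeat(40);
  return {
    withHead: checkAgainstExpected(extractProvenance(WITH_HEAD), expected),
    withoutHead: checkAgainstExpected(extractProvenance(WITHOUT_HEAD), expected),
    rebuild: reproductionCommands(extractProvenance(WITH_HEAD)),
  };
}
```

Call `demo()` to see the two outcomes side by side. One caveat a practitioner should keep in mind: gitHead is self-asserted, since npm copies it from whatever checkout ran `npm pack`, so it is a pointer for reproduction and not an attestation in itself; the check is only as strong as the rebuild-and-compare step that follows it.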