fix(core): improve error messages for provenance checks

[MaxKless]

Current Behavior

there are instances where the provenance checks might error out with unclear errors, leading to confusion.

Expected Behavior

the whole provenance check always throws a proper provenance error if it fails and some more common cases are handled.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
nx-dev	Ready	Preview	Sep 12, 2025 2:10pm

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 46a2a4a

Command	Status	Duration	Result
nx affected --targets=lint,test,build,e2e,e2e-c...	✅ Succeeded	39m 35s	View ↗
nx run-many -t check-imports check-commit check...	✅ Succeeded	2m 18s	View ↗
nx-cloud record -- nx-cloud conformance:check	✅ Succeeded	2s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	2s	View ↗
nx-cloud record -- nx sync:check	✅ Succeeded	<1s	View ↗
nx documentation	✅ Succeeded	1m 2s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-09-12 14:34:15 UTC

[nx-cloud]

Nx Cloud is proposing a fix for your failed CI:

We've fixed the formatting issue in the provenance.ts file by removing trailing whitespace on line 70. This ensures the file passes the format:check validation and maintains consistent code formatting across the codebase.

We verified this fix by re-running nx-cloud record -- nx format:check.

diff --git a/packages/nx/src/utils/provenance.ts b/packages/nx/src/utils/provenance.ts
index abb2a6219b..988cab9c7e 100644
--- a/packages/nx/src/utils/provenance.ts
+++ b/packages/nx/src/utils/provenance.ts
@@ -67,7 +67,7 @@ export async function ensurePackageHasProvenance(
     if (!jsonResponse || typeof jsonResponse !== 'object') {
       throw new Error('Invalid attestation response format');
     }
-    
+

     attestations = jsonResponse as { attestations: Attestation[] };
   } catch (error) {
     throw noProvenanceError(

    View interactive diff and more actions ↗

_{⚙️ An Nx Cloud workspace admin can disable these reviews in workspace settings.}

[graphite-app]

There appears to be a potential null reference issue in this code. After finding the provenance attestation, the code immediately tries to access provenanceAttestation.bundle.dsseEnvelope.payload without first verifying that provenanceAttestation exists.

Consider adding a null check after line 60:

if (!provenanceAttestation) {
  throw new ProvenanceError(
    packageName,
    packageVersion,
    'No provenance attestation found'
  );
}

This would prevent a runtime error if no matching attestation is found and provide a more descriptive error message.

Suggested change

	const provenanceAttestation = attestations?.attestations?.find(
	(a) => a.predicateType === 'https://slsa.dev/provenance/v1'
	);
	}
	if (workflowParameters?.path !== '.github/workflows/publish.yml') {
	throw noProvenanceError(
	packageName,
	packageVersion,
	'Publishing workflow does not match .github/workflows/publish.yml'
	const dsseEnvelopePayload = JSON.parse(
	Buffer.from(
	provenanceAttestation.bundle.dsseEnvelope.payload,
	'base64'
	).toString()
	const provenanceAttestation = attestations?.attestations?.find(
	(a) => a.predicateType === 'https://slsa.dev/provenance/v1'
	);
	if (!provenanceAttestation) {
	throw new ProvenanceError(
	packageName,
	packageVersion,
	'No provenance attestation found'
	);
	}
	const dsseEnvelopePayload = JSON.parse(
	Buffer.from(
	provenanceAttestation.bundle.dsseEnvelope.payload,
	'base64'
	).toString()

Spotted by Diamond



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Critical bug: The 'view' command has been removed from the npm command, making it invalid. The line should be ${pm} view ${pkg}@${version} ${args} not ${pm} ${pkg}@${version} ${args}. This will cause npm commands to fail with 'command not found' errors.

Suggested change

	const { stdout } = await execAsync(`${pm} ${pkg}@${version} ${args}`, {
	const { stdout } = await execAsync(`${pm} view ${pkg}@${version} ${args}`, {

Spotted by Diamond



Is this helpful? React 👍 or 👎 to let us know.

[JamesHenry]

@MaxKless this seems legit?

[graphite-app]

Critical null pointer bug: The code accesses npmViewResult.dist.integrity and dsseEnvelopePayload.subject[0].digest.sha512 without null checks. If dist, integrity, subject, or the first subject element is null/undefined, this will cause a TypeError. Add proper null checks before accessing these nested properties.

Suggested change

	const distSha = Buffer.from(
	npmViewResult.dist.integrity.replace('sha512-', ''),
	'base64'
	).toString('hex');
	const attestationSha = dsseEnvelopePayload.subject[0].digest.sha512;
	const distSha = Buffer.from(
	npmViewResult?.dist?.integrity?.replace('sha512-', '') ?? '',
	'base64'
	).toString('hex');
	const attestationSha = dsseEnvelopePayload?.subject?.[0]?.digest?.sha512;

Spotted by Diamond



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Logic error in error handling: The catch block uses error.message || error which will always evaluate to error.message when it exists, even if it's an empty string. This could result in empty error messages. Use error.message || String(error) or error?.message ?? String(error) to ensure a meaningful error message is always provided.

Suggested change

	throw new ProvenanceError(
	packageName,
	packageVersion,
	`Version ref does not match refs/tags/${npmViewResult.version}`
	error.message || error
	);
	throw new ProvenanceError(
	packageName,
	packageVersion,
	error.message || String(error)
	);

Spotted by Diamond



Is this helpful? React 👍 or 👎 to let us know.

[github-actions]

This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request.