npm Provenance and SLSA: The Supply Chain Hygiene Baseline Every Team Needs in 2026
📰 Dev.to · Toni Antunovic
The Axios supply chain attack exposed a critical gap: provenance attestations existed, but a legacy token bypassed them entirely. Here is how to close that gap with npm provenance, SLSA Level 2, and automated SCA checks.