From b17ee4be0e51941499a52c5a9e2aca06e8c5d04d Mon Sep 17 00:00:00 2001 From: Sergey Zelenov Date: Thu, 28 May 2026 11:36:00 +0200 Subject: [PATCH 1/2] chore(NODE-7599): update documentation for releases --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cdb06f9..248d323 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ npm install @mongodb-js/zstd ### Release Integrity -Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg: +Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). All release packages provided as part of a GitHub release are signed. To verify the provided packages, download the key and import it using gpg: ``` gpg --import node-driver.asc 
@@ -34,10 +34,16 @@ gpg --verify mongodb-js-zstd-X.Y.Z.tgz.sig mongodb-js-zstd-X.Y.Z.tgz ``` >[!Note] -No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. +No GPG verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. To verify the native `.node` packages, follow the same steps as above using `mongodb-js-zstd-X.Y.Z-platform.tgz` and the corresponding `.sig` file. +Releases published to the npm registry also include a [provenance attestation](https://docs.npmjs.com/generating-provenance-statements), which cryptographically links the package to its source repository and build workflow. To verify provenance: + +```shell +npm audit signatures +``` + ## MongoDB Node.js Driver Version Compatibility Only the following version combinations with the [MongoDB Node.js Driver](https://github.com/mongodb/node-mongodb-native) are considered stable. From 57627d8dc24d1c24b8bfa1f0d2f0bf82fda2ed41 Mon Sep 17 00:00:00 2001 From: Sergey Zelenov Date: Thu, 28 May 2026 12:09:09 +0200 Subject: [PATCH 2/2] Github -> GitHub --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 248d323..6673bcd 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ gpg --verify mongodb-js-zstd-X.Y.Z.tgz.sig mongodb-js-zstd-X.Y.Z.tgz ``` >[!Note] -No GPG verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. +No GPG verification is done when using npm to install the package. The contents of the GitHub tarball and npm's tarball are identical. To verify the native `.node` packages, follow the same steps as above using `mongodb-js-zstd-X.Y.Z-platform.tgz` and the corresponding `.sig` file.
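Review bot: The first hunk (README.md @@ -12,7) silently drops the statement that the git tag is signed ("This applies to the git tag as well as all release packages") and replaces it with "All release packages provided as part of a GitHub release are signed." If tags are no longer signed, say so explicitly so readers who previously ran `git tag -v` know that check is gone; if tags are still signed, keep the original sentence. A reader cannot tell from the new wording which of the two is true.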
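Review bot: The second hunk (README.md @@ -34,10) presents `npm audit signatures` as the way "to verify provenance", but that command checks the registry signatures and provenance attestations of the packages already resolved in the current project's lockfile and `node_modules`; it takes no package name and does nothing useful outside a project that has `@mongodb-js/zstd` installed. The note should say to run it from inside a project depending on this package (e.g. after `npm install @mongodb-js/zstd`), that a sufficiently recent npm is needed for attestation checks, and from which release onward provenance is published, since older versions on the registry will not carry an attestation. Also, the added block uses a ```` ```shell ```` fence while the existing blocks in the file use untagged ```` ``` ```` fences; pick one style.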