diff --git a/.changes/config.json b/.changes/config.json
index 37cddf30c..79c302e31 100644
--- a/.changes/config.json
+++ b/.changes/config.json
@@ -113,8 +113,8 @@
           "pipe": true
         },
         {
-          "command": "pnpm publish --access public --loglevel silly --tag next --provenance --no-git-checks",
-          "dryRunCommand": "npm publish --dry-run --access public --provenance --no-git-checks",
+          "command": "pnpm publish --access public --loglevel silly --tag next --no-git-checks",
+          "dryRunCommand": "npm publish --dry-run --access public --no-git-checks",
           "pipe": true
         },
         {
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index 20654aafc..66a87ebaf 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -92,6 +92,7 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.ORG_NPM_TOKEN }}
           CARGO_AUDIT_OPTIONS: ${{ secrets.CARGO_AUDIT_OPTIONS }}
+          NPM_CONFIG_PROVENANCE: true
         with:
           command: 'version-or-publish'
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index 19b14f6f5..59a2b34b5 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -390,8 +390,9 @@ jobs:
       - name: Publish
         run: |
           echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-          npm publish --tag next --provenance
+          npm publish --tag next
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.ORG_NPM_TOKEN }}
           RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }}
+          NPM_CONFIG_PROVENANCE: true