Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: bump sigstore from 2.2.0 to 3.0.0 #7833

Merged
merged 4 commits into from
Oct 15, 2024
Merged

Conversation

bdehamer
Copy link
Contributor

Bumps the following dependencies:

  • @sigstore/tuf from 2.3.4 to 3.0.0
  • sigstore from 2.2.0 to 3.0.0

@bdehamer bdehamer requested a review from a team as a code owner October 14, 2024 17:27
bdehamer and others added 2 commits October 15, 2024 08:53
BREAKING CHANGE: Attestations made by this package will no longer validate in npm versions prior to 10.6.0

Signed-off-by: Brian DeHamer <[email protected]>
@wraithgar wraithgar force-pushed the bdehamer/sigstore-3-0-0 branch from 90ab6e2 to df2a6e0 Compare October 15, 2024 15:55
@wraithgar wraithgar force-pushed the bdehamer/sigstore-3-0-0 branch from df2a6e0 to cfaddff Compare October 15, 2024 16:55
@reggi
Copy link
Contributor

reggi commented Oct 15, 2024

This only updates the pacote dep in one place and not for all package.json that have it as a dep. Do we want to update those as well?

@wraithgar
Copy link
Member

wraithgar commented Oct 15, 2024

pacote was already updated, this fixes the duping (for pacote at least) that started w/ the last npm 10 release.

Once this lands, the only outdated pacote in the tree will be a dev dep under template-oss

~/D/n/c/b/main (bdehamer/sigstore-3-0-0|✔) $ npm ls pacote --omit=dev
[email protected] /Users/wraithgar/Development/npm/cli/branches/main
├─┬ @npmcli/[email protected] -> ./workspaces/arborist
│ ├─┬ @npmcli/[email protected]
│ │ └── [email protected] deduped
│ └── [email protected] deduped
├─┬ [email protected] -> ./workspaces/libnpmdiff
│ └── [email protected] deduped
├─┬ [email protected] -> ./workspaces/libnpmexec
│ └── [email protected] deduped
├─┬ [email protected] -> ./workspaces/libnpmpack
│ └── [email protected] deduped
└── [email protected]

@wraithgar
Copy link
Member

We also only keep the pacote ref in the cli itself up to date because that version is effectively "pinned" due to the bundled dependencies. The other packages don't need a new version every time we update pacote.

@wraithgar wraithgar merged commit f75da94 into latest Oct 15, 2024
45 checks passed
@wraithgar wraithgar deleted the bdehamer/sigstore-3-0-0 branch October 15, 2024 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants