deps: bump sigstore from 2.2.0 to 3.0.0 #7833
BREAKING CHANGE: Attestations made by this package will no longer validate in npm versions prior to 10.6.0

Signed-off-by: Brian DeHamer <[email protected]>
This only updates the pacote dep in one place and not for all package.json that have it as a dep. Do we want to update those as well?
pacote was already updated, this fixes the duping (for pacote at least) that started w/ the last npm 10 release. Once this lands, the only outdated pacote in the tree will be a dev dep under template-oss
Signed-off-by: Brian DeHamer <[email protected]>
We also only keep the pacote ref in the cli itself up to date because that version is effectively "pinned" due to the bundled dependencies. The other packages don't need a new version every time we update pacote.
Bumps the following dependencies:
- @sigstore/tuf from 2.3.4 to 3.0.0
- sigstore from 2.2.0 to 3.0.0