Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps: bump sigstore from 2.2.0 to 3.0.0 #7833

Merged
merged 4 commits into from
Oct 15, 2024
Merged

deps: bump sigstore from 2.2.0 to 3.0.0 #7833

merged 4 commits into from
Oct 15, 2024

Conversation

bdehamer
Copy link
Contributor

Bumps the following dependencies:

  • @sigstore/tuf from 2.3.4 to 3.0.0
  • sigstore from 2.2.0 to 3.0.0

@bdehamer bdehamer requested a review from a team as a code owner October 14, 2024 17:27
bdehamer and others added 2 commits October 15, 2024 08:53
@bdehamer @wraithgar
deps!: bump sigstore from 2.x to 3.0.0
1908012 
BREAKING CHANGE: Attestations made by this package will no longer validate in npm versions prior to 10.6.0

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@wraithgar
deps: pacote@19.0.1
7cb4e80
@reggi
Copy link
Contributor

reggi commented Oct 15, 2024

This only updates the pacote dep in one place and not for all package.json that have it as a dep. Do we want to update those as well?

@wraithgar
Copy link
Member

wraithgar commented Oct 15, 2024
edited
Loading

pacote was already updated, this fixes the duping (for pacote at least) that started w/ the last npm 10 release.

Once this lands, the only outdated pacote in the tree will be a dev dep under template-oss

~/D/n/c/b/main (bdehamer/sigstore-3-0-0|✔) $ npm ls pacote --omit=dev
npm@10.9.0 /Users/wraithgar/Development/npm/cli/branches/main
├─┬ @npmcli/arborist@8.0.0 -> ./workspaces/arborist
│ ├─┬ @npmcli/metavuln-calculator@8.0.0
│ │ └── pacote@19.0.1 deduped
│ └── pacote@19.0.1 deduped
├─┬ libnpmdiff@7.0.0 -> ./workspaces/libnpmdiff
│ └── pacote@19.0.1 deduped
├─┬ libnpmexec@9.0.0 -> ./workspaces/libnpmexec
│ └── pacote@19.0.1 deduped
├─┬ libnpmpack@8.0.0 -> ./workspaces/libnpmpack
│ └── pacote@19.0.1 deduped
└── pacote@19.0.1

@bdehamer
fix: update libnpmpublish tests for sigstore 3.0.0
66fa22b 
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@wraithgar
Copy link
Member

We also only keep the pacote ref in the cli itself up to date because that version is effectively "pinned" due to the bundled dependencies. The other packages don't need a new version every time we update pacote.

@wraithgar wraithgar merged commit f75da94 into latest Oct 15, 2024
45 checks passed
@wraithgar wraithgar deleted the bdehamer/sigstore-3-0-0 branch October 15, 2024 20:08
@github-actions github-actions bot mentioned this pull request Oct 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wraithgar wraithgar wraithgar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bdehamer @reggi @wraithgar