deps: bump sigstore from 2.2.0 to 3.0.0

DEPENDENCIES.json

@@ -26,8 +26,8 @@
     "libnpmversion"
   ],
   [
-    "@npmcli/run-script",
     "@npmcli/map-workspaces",
+    "@npmcli/run-script",
     "libnpmhook",
     "libnpmorg",
     "libnpmsearch",
@@ -44,47 +44,47 @@
     "make-fetch-happen"
   ],
   [
-    "npm-pick-manifest",
     "@npmcli/installed-package-contents",
+    "npm-pick-manifest",
     "cacache",
     "promzard"
   ],
   [
     "@npmcli/docs",
-    "npm-package-arg",
-    "npm-install-checks",
+    "@npmcli/fs",
     "npm-bundled",
+    "npm-install-checks",
+    "npm-package-arg",
     "normalize-package-data",
-    "@npmcli/fs",
     "unique-filename",
     "npm-packlist",
-    "@npmcli/mock-globals",
     "bin-links",
     "nopt",
     "parse-conflict-json",
     "read-package-json-fast",
+    "@npmcli/mock-globals",
     "read"
   ],
   [
     "@npmcli/eslint-config",
     "@npmcli/template-oss",
     "ignore-walk",
     "semver",
+    "npm-normalize-package-bin",
+    "@npmcli/name-from-folder",
+    "@npmcli/promise-spawn",
+    "ini",
     "hosted-git-info",
     "proc-log",
     "validate-npm-package-name",
-    "@npmcli/promise-spawn",
-    "ini",
-    "npm-normalize-package-bin",
     "json-parse-even-better-errors",
-    "@npmcli/node-gyp",
     "fs-minipass",
     "ssri",
     "unique-slug",
+    "@npmcli/node-gyp",
     "@npmcli/redact",
     "@npmcli/agent",
     "minipass-fetch",
-    "@npmcli/name-from-folder",
     "@npmcli/query",
     "cmd-shim",
     "read-cmd-shim",

DEPENDENCIES.md

@@ -321,6 +321,7 @@ graph LR;
   isaacs-cliui-->strip-ansi;
   isaacs-cliui-->wrap-ansi-cjs;
   isaacs-cliui-->wrap-ansi;
+  isaacs-fs-minipass-->minipass;
   jackspeak-->isaacs-cliui["@isaacs/cliui"];
   jackspeak-->pkgjs-parseargs["@pkgjs/parseargs"];
   libnpmaccess-->nock;
@@ -766,6 +767,7 @@ graph LR;
   strip-ansi-->ansi-regex;
   tar-->chownr;
   tar-->fs-minipass;
+  tar-->isaacs-fs-minipass["@isaacs/fs-minipass"];
   tar-->minipass;
   tar-->minizlib;
   tar-->mkdirp;
@@ -799,9 +801,9 @@ packages higher up the chain.
  - @npmcli/arborist
  - @npmcli/metavuln-calculator
  - pacote, @npmcli/config, libnpmversion
- - @npmcli/run-script, @npmcli/map-workspaces, libnpmhook, libnpmorg, libnpmsearch, libnpmteam, init-package-json, npm-profile
+ - @npmcli/map-workspaces, @npmcli/run-script, libnpmhook, libnpmorg, libnpmsearch, libnpmteam, init-package-json, npm-profile
  - @npmcli/package-json, npm-registry-fetch
  - @npmcli/git, make-fetch-happen
- - npm-pick-manifest, @npmcli/installed-package-contents, cacache, promzard
- - @npmcli/docs, npm-package-arg, npm-install-checks, npm-bundled, normalize-package-data, @npmcli/fs, unique-filename, npm-packlist, @npmcli/mock-globals, bin-links, nopt, parse-conflict-json, read-package-json-fast, read
- - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/promise-spawn, ini, npm-normalize-package-bin, json-parse-even-better-errors, @npmcli/node-gyp, fs-minipass, ssri, unique-slug, @npmcli/redact, @npmcli/agent, minipass-fetch, @npmcli/name-from-folder, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, proggy, minify-registry-metadata, mute-stream, npm-audit-report, npm-user-validate
+ - @npmcli/installed-package-contents, npm-pick-manifest, cacache, promzard
+ - @npmcli/docs, @npmcli/fs, npm-bundled, npm-install-checks, npm-package-arg, normalize-package-data, unique-filename, npm-packlist, bin-links, nopt, parse-conflict-json, read-package-json-fast, @npmcli/mock-globals, read
+ - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, npm-normalize-package-bin, @npmcli/name-from-folder, @npmcli/promise-spawn, ini, hosted-git-info, proc-log, validate-npm-package-name, json-parse-even-better-errors, fs-minipass, ssri, unique-slug, @npmcli/node-gyp, @npmcli/redact, @npmcli/agent, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, proggy, minify-registry-metadata, mute-stream, npm-audit-report, npm-user-validate

mock-registry/package.json

@@ -46,7 +46,7 @@
     ]
   },
   "devDependencies": {
-    "@npmcli/arborist": "^7.1.0",
+    "@npmcli/arborist": "^8.0.0",
     "@npmcli/eslint-config": "^5.0.1",
     "@npmcli/template-oss": "4.23.3",
     "json-stringify-safe": "^5.0.1",

node_modules/.gitignore

@@ -38,19 +38,6 @@
 !/@sigstore/core
 !/@sigstore/protobuf-specs
 !/@sigstore/sign
-!/@sigstore/sign/node_modules/
-/@sigstore/sign/node_modules/*
-!/@sigstore/sign/node_modules/@npmcli/
-/@sigstore/sign/node_modules/@npmcli/*
-!/@sigstore/sign/node_modules/@npmcli/agent
-!/@sigstore/sign/node_modules/@npmcli/fs
-!/@sigstore/sign/node_modules/cacache
-!/@sigstore/sign/node_modules/make-fetch-happen
-!/@sigstore/sign/node_modules/minipass-fetch
-!/@sigstore/sign/node_modules/proc-log
-!/@sigstore/sign/node_modules/ssri
-!/@sigstore/sign/node_modules/unique-filename
-!/@sigstore/sign/node_modules/unique-slug
 !/@sigstore/tuf
 !/@sigstore/verify
 !/@tufjs/
@@ -251,19 +238,6 @@
 !/tiny-relative-date
 !/treeverse
 !/tuf-js
-!/tuf-js/node_modules/
-/tuf-js/node_modules/*
-!/tuf-js/node_modules/@npmcli/
-/tuf-js/node_modules/@npmcli/*
-!/tuf-js/node_modules/@npmcli/agent
-!/tuf-js/node_modules/@npmcli/fs
-!/tuf-js/node_modules/cacache
-!/tuf-js/node_modules/make-fetch-happen
-!/tuf-js/node_modules/minipass-fetch
-!/tuf-js/node_modules/proc-log
-!/tuf-js/node_modules/ssri
-!/tuf-js/node_modules/unique-filename
-!/tuf-js/node_modules/unique-slug
 !/unique-filename
 !/unique-slug
 !/util-deprecate

node_modules/@sigstore/bundle/dist/build.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.toDSSEBundle = exports.toMessageSignatureBundle = void 0;
+exports.toMessageSignatureBundle = toMessageSignatureBundle;
+exports.toDSSEBundle = toDSSEBundle;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -21,9 +22,9 @@ const bundle_1 = require("./bundle");
 // Message signature bundle - $case: 'messageSignature'
 function toMessageSignatureBundle(options) {
     return {
-        mediaType: options.singleCertificate
-            ? bundle_1.BUNDLE_V03_MEDIA_TYPE
-            : bundle_1.BUNDLE_V02_MEDIA_TYPE,
+        mediaType: options.certificateChain
+            ? bundle_1.BUNDLE_V02_MEDIA_TYPE
+            : bundle_1.BUNDLE_V03_MEDIA_TYPE,
         content: {
             $case: 'messageSignature',
             messageSignature: {
@@ -37,21 +38,19 @@ function toMessageSignatureBundle(options) {
         verificationMaterial: toVerificationMaterial(options),
     };
 }
-exports.toMessageSignatureBundle = toMessageSignatureBundle;
 // DSSE envelope bundle - $case: 'dsseEnvelope'
 function toDSSEBundle(options) {
     return {
-        mediaType: options.singleCertificate
-            ? bundle_1.BUNDLE_V03_MEDIA_TYPE
-            : bundle_1.BUNDLE_V02_MEDIA_TYPE,
+        mediaType: options.certificateChain
+            ? bundle_1.BUNDLE_V02_MEDIA_TYPE
+            : bundle_1.BUNDLE_V03_MEDIA_TYPE,
         content: {
             $case: 'dsseEnvelope',
             dsseEnvelope: toEnvelope(options),
         },
         verificationMaterial: toVerificationMaterial(options),
     };
 }
-exports.toDSSEBundle = toDSSEBundle;
 function toEnvelope(options) {
     return {
         payloadType: options.artifactType,
@@ -75,20 +74,20 @@ function toVerificationMaterial(options) {
 }
 function toKeyContent(options) {
     if (options.certificate) {
-        if (options.singleCertificate) {
-            return {
-                $case: 'certificate',
-                certificate: { rawBytes: options.certificate },
-            };
-        }
-        else {
+        if (options.certificateChain) {
             return {
                 $case: 'x509CertificateChain',
                 x509CertificateChain: {
                     certificates: [{ rawBytes: options.certificate }],
                 },
             };
         }
+        else {
+            return {
+                $case: 'certificate',
+                certificate: { rawBytes: options.certificate },
+            };
+        }
     }
     else {
         return {

node_modules/@sigstore/bundle/dist/bundle.js

@@ -1,6 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.isBundleWithCertificateChain = isBundleWithCertificateChain;
+exports.isBundleWithPublicKey = isBundleWithPublicKey;
+exports.isBundleWithMessageSignature = isBundleWithMessageSignature;
+exports.isBundleWithDsseEnvelope = isBundleWithDsseEnvelope;
 exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
 exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2';
 exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
@@ -9,16 +13,12 @@ exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json';
 function isBundleWithCertificateChain(b) {
     return b.verificationMaterial.content.$case === 'x509CertificateChain';
 }
-exports.isBundleWithCertificateChain = isBundleWithCertificateChain;
 function isBundleWithPublicKey(b) {
     return b.verificationMaterial.content.$case === 'publicKey';
 }
-exports.isBundleWithPublicKey = isBundleWithPublicKey;
 function isBundleWithMessageSignature(b) {
     return b.content.$case === 'messageSignature';
 }
-exports.isBundleWithMessageSignature = isBundleWithMessageSignature;
 function isBundleWithDsseEnvelope(b) {
     return b.content.$case === 'dsseEnvelope';
 }
-exports.isBundleWithDsseEnvelope = isBundleWithDsseEnvelope;

node_modules/@sigstore/bundle/dist/validate.js

@@ -1,6 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assertBundleLatest = exports.assertBundleV02 = exports.isBundleV01 = exports.assertBundleV01 = exports.assertBundle = void 0;
+exports.assertBundle = assertBundle;
+exports.assertBundleV01 = assertBundleV01;
+exports.isBundleV01 = isBundleV01;
+exports.assertBundleV02 = assertBundleV02;
+exports.assertBundleLatest = assertBundleLatest;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -27,7 +31,6 @@ function assertBundle(b) {
         throw new error_1.ValidationError('invalid bundle', invalidValues);
     }
 }
-exports.assertBundle = assertBundle;
 // Asserts that the given bundle conforms to the v0.1 bundle format.
 function assertBundleV01(b) {
     const invalidValues = [];
@@ -37,7 +40,6 @@ function assertBundleV01(b) {
         throw new error_1.ValidationError('invalid v0.1 bundle', invalidValues);
     }
 }
-exports.assertBundleV01 = assertBundleV01;
 // Type guard to determine if Bundle is a v0.1 bundle.
 function isBundleV01(b) {
     try {
@@ -48,7 +50,6 @@ function isBundleV01(b) {
         return false;
     }
 }
-exports.isBundleV01 = isBundleV01;
 // Asserts that the given bundle conforms to the v0.2 bundle format.
 function assertBundleV02(b) {
     const invalidValues = [];
@@ -58,7 +59,6 @@ function assertBundleV02(b) {
         throw new error_1.ValidationError('invalid v0.2 bundle', invalidValues);
     }
 }
-exports.assertBundleV02 = assertBundleV02;
 // Asserts that the given bundle conforms to the newest (0.3) bundle format.
 function assertBundleLatest(b) {
     const invalidValues = [];
@@ -69,7 +69,6 @@ function assertBundleLatest(b) {
         throw new error_1.ValidationError('invalid bundle', invalidValues);
     }
 }
-exports.assertBundleLatest = assertBundleLatest;
 function validateBundleBase(b) {
     const invalidValues = [];
     // Media type validation
@@ -192,6 +191,7 @@ function validateInclusionProof(b) {
 // Necessary for V03 and later bundles
 function validateNoCertificateChain(b) {
     const invalidValues = [];
+    /* istanbul ignore next */
     if (b.verificationMaterial?.content?.$case === 'x509CertificateChain') {
         invalidValues.push('verificationMaterial.content.$case');
     }

node_modules/@sigstore/bundle/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/bundle",
-  "version": "2.3.2",
+  "version": "3.0.0",
   "description": "Sigstore bundle type",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -30,6 +30,6 @@
     "@sigstore/protobuf-specs": "^0.3.2"
   },
   "engines": {
-    "node": "^16.14.0 || >=18.0.0"
+    "node": "^18.17.0 || >=20.5.0"
   }
 }

node_modules/@sigstore/core/dist/asn1/length.js

@@ -15,7 +15,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.encodeLength = exports.decodeLength = void 0;
+exports.decodeLength = decodeLength;
+exports.encodeLength = encodeLength;
 const error_1 = require("./error");
 // Decodes the length of a DER-encoded ANS.1 element from the supplied stream.
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-length-and-value-bytes
@@ -44,7 +45,6 @@ function decodeLength(stream) {
     }
     return len;
 }
-exports.decodeLength = decodeLength;
 // Translates the supplied value to a DER-encoded length.
 function encodeLength(len) {
     if (len < 128) {
@@ -60,4 +60,3 @@ function encodeLength(len) {
     }
     return Buffer.from([0x80 | bytes.length, ...bytes]);
 }
-exports.encodeLength = encodeLength;