merge latest

DEPENDENCIES.json

@@ -26,8 +26,8 @@
  "libnpmversion"
  ],
  [
- "@npmcli/run-script",
  "@npmcli/map-workspaces",
+ "@npmcli/run-script",
  "libnpmhook",
  "libnpmorg",
  "libnpmsearch",
@@ -44,47 +44,47 @@
  "make-fetch-happen"
  ],
  [
- "npm-pick-manifest",
  "@npmcli/installed-package-contents",
+ "npm-pick-manifest",
  "cacache",
  "promzard"
  ],
  [
  "@npmcli/docs",
- "npm-package-arg",
- "npm-install-checks",
+ "@npmcli/fs",
  "npm-bundled",
+ "npm-install-checks",
+ "npm-package-arg",
  "normalize-package-data",
- "@npmcli/fs",
  "unique-filename",
  "npm-packlist",
- "@npmcli/mock-globals",
  "bin-links",
  "nopt",
  "parse-conflict-json",
  "read-package-json-fast",
+ "@npmcli/mock-globals",
  "read"
  ],
  [
  "@npmcli/eslint-config",
  "@npmcli/template-oss",
  "ignore-walk",
  "semver",
+ "npm-normalize-package-bin",
+ "@npmcli/name-from-folder",
+ "@npmcli/promise-spawn",
+ "ini",
  "hosted-git-info",
  "proc-log",
  "validate-npm-package-name",
- "@npmcli/promise-spawn",
- "ini",
- "npm-normalize-package-bin",
  "json-parse-even-better-errors",
- "@npmcli/node-gyp",
  "fs-minipass",
  "ssri",
  "unique-slug",
+ "@npmcli/node-gyp",
  "@npmcli/redact",
  "@npmcli/agent",
  "minipass-fetch",
- "@npmcli/name-from-folder",
  "@npmcli/query",
  "cmd-shim",
  "read-cmd-shim",

DEPENDENCIES.md

@@ -321,6 +321,7 @@ graph LR;
  isaacs-cliui-->strip-ansi;
  isaacs-cliui-->wrap-ansi-cjs;
  isaacs-cliui-->wrap-ansi;
+ isaacs-fs-minipass-->minipass;
  jackspeak-->isaacs-cliui["@isaacs/cliui"];
  jackspeak-->pkgjs-parseargs["@pkgjs/parseargs"];
  libnpmaccess-->nock;
@@ -766,6 +767,7 @@ graph LR;
  strip-ansi-->ansi-regex;
  tar-->chownr;
  tar-->fs-minipass;
+ tar-->isaacs-fs-minipass["@isaacs/fs-minipass"];
  tar-->minipass;
  tar-->minizlib;
  tar-->mkdirp;
@@ -799,9 +801,9 @@ packages higher up the chain.
  - @npmcli/arborist
  - @npmcli/metavuln-calculator
  - pacote, @npmcli/config, libnpmversion
- - @npmcli/run-script, @npmcli/map-workspaces, libnpmhook, libnpmorg, libnpmsearch, libnpmteam, init-package-json, npm-profile
+ - @npmcli/map-workspaces, @npmcli/run-script, libnpmhook, libnpmorg, libnpmsearch, libnpmteam, init-package-json, npm-profile
  - @npmcli/package-json, npm-registry-fetch
  - @npmcli/git, make-fetch-happen
- - npm-pick-manifest, @npmcli/installed-package-contents, cacache, promzard
- - @npmcli/docs, npm-package-arg, npm-install-checks, npm-bundled, normalize-package-data, @npmcli/fs, unique-filename, npm-packlist, @npmcli/mock-globals, bin-links, nopt, parse-conflict-json, read-package-json-fast, read
- - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/promise-spawn, ini, npm-normalize-package-bin, json-parse-even-better-errors, @npmcli/node-gyp, fs-minipass, ssri, unique-slug, @npmcli/redact, @npmcli/agent, minipass-fetch, @npmcli/name-from-folder, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, proggy, minify-registry-metadata, mute-stream, npm-audit-report, npm-user-validate
+ - @npmcli/installed-package-contents, npm-pick-manifest, cacache, promzard
+ - @npmcli/docs, @npmcli/fs, npm-bundled, npm-install-checks, npm-package-arg, normalize-package-data, unique-filename, npm-packlist, bin-links, nopt, parse-conflict-json, read-package-json-fast, @npmcli/mock-globals, read
+ - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, npm-normalize-package-bin, @npmcli/name-from-folder, @npmcli/promise-spawn, ini, hosted-git-info, proc-log, validate-npm-package-name, json-parse-even-better-errors, fs-minipass, ssri, unique-slug, @npmcli/node-gyp, @npmcli/redact, @npmcli/agent, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, proggy, minify-registry-metadata, mute-stream, npm-audit-report, npm-user-validate

mock-registry/package.json

@@ -46,7 +46,7 @@
  ]
  },
  "devDependencies": {
- "@npmcli/arborist": "^7.1.0",
+ "@npmcli/arborist": "^8.0.0",
  "@npmcli/eslint-config": "^5.0.1",
  "@npmcli/template-oss": "4.23.3",
  "json-stringify-safe": "^5.0.1",

node_modules/.gitignore

@@ -38,19 +38,6 @@
 !/@sigstore/core
 !/@sigstore/protobuf-specs
 !/@sigstore/sign
-!/@sigstore/sign/node_modules/
-/@sigstore/sign/node_modules/*
-!/@sigstore/sign/node_modules/@npmcli/
-/@sigstore/sign/node_modules/@npmcli/*
-!/@sigstore/sign/node_modules/@npmcli/agent
-!/@sigstore/sign/node_modules/@npmcli/fs
-!/@sigstore/sign/node_modules/cacache
-!/@sigstore/sign/node_modules/make-fetch-happen
-!/@sigstore/sign/node_modules/minipass-fetch
-!/@sigstore/sign/node_modules/proc-log
-!/@sigstore/sign/node_modules/ssri
-!/@sigstore/sign/node_modules/unique-filename
-!/@sigstore/sign/node_modules/unique-slug
 !/@sigstore/tuf
 !/@sigstore/verify
 !/@tufjs/
@@ -268,11 +255,6 @@
 !/tiny-relative-date
 !/treeverse
 !/tuf-js
-!/tuf-js/node_modules/
-/tuf-js/node_modules/*
-!/tuf-js/node_modules/@tufjs/
-/tuf-js/node_modules/@tufjs/*
-!/tuf-js/node_modules/@tufjs/models
 !/unique-filename
 !/unique-slug
 !/util-deprecate

node_modules/@sigstore/bundle/dist/build.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.toDSSEBundle = exports.toMessageSignatureBundle = void 0;
+exports.toMessageSignatureBundle = toMessageSignatureBundle;
+exports.toDSSEBundle = toDSSEBundle;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -21,9 +22,9 @@ const bundle_1 = require("./bundle");
 // Message signature bundle - $case: 'messageSignature'
 function toMessageSignatureBundle(options) {
  return {
- mediaType: options.singleCertificate
- ? bundle_1.BUNDLE_V03_MEDIA_TYPE
- : bundle_1.BUNDLE_V02_MEDIA_TYPE,
+ mediaType: options.certificateChain
+ ? bundle_1.BUNDLE_V02_MEDIA_TYPE
+ : bundle_1.BUNDLE_V03_MEDIA_TYPE,
  content: {
  $case: 'messageSignature',
  messageSignature: {
@@ -37,21 +38,19 @@ function toMessageSignatureBundle(options) {
  verificationMaterial: toVerificationMaterial(options),
  };
 }
-exports.toMessageSignatureBundle = toMessageSignatureBundle;
 // DSSE envelope bundle - $case: 'dsseEnvelope'
 function toDSSEBundle(options) {
  return {
- mediaType: options.singleCertificate
- ? bundle_1.BUNDLE_V03_MEDIA_TYPE
- : bundle_1.BUNDLE_V02_MEDIA_TYPE,
+ mediaType: options.certificateChain
+ ? bundle_1.BUNDLE_V02_MEDIA_TYPE
+ : bundle_1.BUNDLE_V03_MEDIA_TYPE,
  content: {
  $case: 'dsseEnvelope',
  dsseEnvelope: toEnvelope(options),
  },
  verificationMaterial: toVerificationMaterial(options),
  };
 }
-exports.toDSSEBundle = toDSSEBundle;
 function toEnvelope(options) {
  return {
  payloadType: options.artifactType,
@@ -75,20 +74,20 @@ function toVerificationMaterial(options) {
 }
 function toKeyContent(options) {
  if (options.certificate) {
- if (options.singleCertificate) {
- return {
- $case: 'certificate',
- certificate: { rawBytes: options.certificate },
- };
- }
- else {
+ if (options.certificateChain) {
  return {
  $case: 'x509CertificateChain',
  x509CertificateChain: {
  certificates: [{ rawBytes: options.certificate }],
  },
  };
  }
+ else {
+ return {
+ $case: 'certificate',
+ certificate: { rawBytes: options.certificate },
+ };
+ }
  }
  else {
  return {

node_modules/@sigstore/bundle/dist/bundle.js

@@ -1,6 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.isBundleWithCertificateChain = isBundleWithCertificateChain;
+exports.isBundleWithPublicKey = isBundleWithPublicKey;
+exports.isBundleWithMessageSignature = isBundleWithMessageSignature;
+exports.isBundleWithDsseEnvelope = isBundleWithDsseEnvelope;
 exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
 exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2';
 exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
@@ -9,16 +13,12 @@ exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json';
 function isBundleWithCertificateChain(b) {
  return b.verificationMaterial.content.$case === 'x509CertificateChain';
 }
-exports.isBundleWithCertificateChain = isBundleWithCertificateChain;
 function isBundleWithPublicKey(b) {
  return b.verificationMaterial.content.$case === 'publicKey';
 }
-exports.isBundleWithPublicKey = isBundleWithPublicKey;
 function isBundleWithMessageSignature(b) {
  return b.content.$case === 'messageSignature';
 }
-exports.isBundleWithMessageSignature = isBundleWithMessageSignature;
 function isBundleWithDsseEnvelope(b) {
  return b.content.$case === 'dsseEnvelope';
 }
-exports.isBundleWithDsseEnvelope = isBundleWithDsseEnvelope;

node_modules/@sigstore/bundle/dist/validate.js

@@ -1,6 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assertBundleLatest = exports.assertBundleV02 = exports.isBundleV01 = exports.assertBundleV01 = exports.assertBundle = void 0;
+exports.assertBundle = assertBundle;
+exports.assertBundleV01 = assertBundleV01;
+exports.isBundleV01 = isBundleV01;
+exports.assertBundleV02 = assertBundleV02;
+exports.assertBundleLatest = assertBundleLatest;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -27,7 +31,6 @@ function assertBundle(b) {
  throw new error_1.ValidationError('invalid bundle', invalidValues);
  }
 }
-exports.assertBundle = assertBundle;
 // Asserts that the given bundle conforms to the v0.1 bundle format.
 function assertBundleV01(b) {
  const invalidValues = [];
@@ -37,7 +40,6 @@ function assertBundleV01(b) {
  throw new error_1.ValidationError('invalid v0.1 bundle', invalidValues);
  }
 }
-exports.assertBundleV01 = assertBundleV01;
 // Type guard to determine if Bundle is a v0.1 bundle.
 function isBundleV01(b) {
  try {
@@ -48,7 +50,6 @@ function isBundleV01(b) {
  return false;
  }
 }
-exports.isBundleV01 = isBundleV01;
 // Asserts that the given bundle conforms to the v0.2 bundle format.
 function assertBundleV02(b) {
  const invalidValues = [];
@@ -58,7 +59,6 @@ function assertBundleV02(b) {
  throw new error_1.ValidationError('invalid v0.2 bundle', invalidValues);
  }
 }
-exports.assertBundleV02 = assertBundleV02;
 // Asserts that the given bundle conforms to the newest (0.3) bundle format.
 function assertBundleLatest(b) {
  const invalidValues = [];
@@ -69,7 +69,6 @@ function assertBundleLatest(b) {
  throw new error_1.ValidationError('invalid bundle', invalidValues);
  }
 }
-exports.assertBundleLatest = assertBundleLatest;
 function validateBundleBase(b) {
  const invalidValues = [];
  // Media type validation
@@ -192,6 +191,7 @@ function validateInclusionProof(b) {
 // Necessary for V03 and later bundles
 function validateNoCertificateChain(b) {
  const invalidValues = [];
+ /* istanbul ignore next */
  if (b.verificationMaterial?.content?.$case === 'x509CertificateChain') {
  invalidValues.push('verificationMaterial.content.$case');
  }

node_modules/@sigstore/bundle/package.json

@@ -1,6 +1,6 @@
 {
  "name": "@sigstore/bundle",
- "version": "2.3.2",
+ "version": "3.0.0",
  "description": "Sigstore bundle type",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -30,6 +30,6 @@
  "@sigstore/protobuf-specs": "^0.3.2"
  },
  "engines": {
- "node": "^16.14.0 || >=18.0.0"
+ "node": "^18.17.0 || >=20.5.0"
  }
 }

node_modules/@sigstore/core/dist/asn1/length.js

@@ -15,7 +15,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.encodeLength = exports.decodeLength = void 0;
+exports.decodeLength = decodeLength;
+exports.encodeLength = encodeLength;
 const error_1 = require("./error");
 // Decodes the length of a DER-encoded ANS.1 element from the supplied stream.
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-length-and-value-bytes
@@ -44,7 +45,6 @@ function decodeLength(stream) {
  }
  return len;
 }
-exports.decodeLength = decodeLength;
 // Translates the supplied value to a DER-encoded length.
 function encodeLength(len) {
  if (len < 128) {
@@ -60,4 +60,3 @@ function encodeLength(len) {
  }
  return Buffer.from([0x80 | bytes.length, ...bytes]);
 }
-exports.encodeLength = encodeLength;

node_modules/@sigstore/core/dist/asn1/parse.js

@@ -1,6 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseBitString = exports.parseBoolean = exports.parseOID = exports.parseTime = exports.parseStringASCII = exports.parseInteger = void 0;
+exports.parseInteger = parseInteger;
+exports.parseStringASCII = parseStringASCII;
+exports.parseTime = parseTime;
+exports.parseOID = parseOID;
+exports.parseBoolean = parseBoolean;
+exports.parseBitString = parseBitString;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -43,13 +48,11 @@ function parseInteger(buf) {
  }
  return n;
 }
-exports.parseInteger = parseInteger;
 // Parse an ASCII string from the DER-encoded buffer
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-basic-types#boolean
 function parseStringASCII(buf) {
  return buf.toString('ascii');
 }
-exports.parseStringASCII = parseStringASCII;
 // Parse a Date from the DER-encoded buffer
 // https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5.1
 function parseTime(buf, shortYear) {
@@ -70,7 +73,6 @@ function parseTime(buf, shortYear) {
  // Translate to ISO8601 format and parse
  return new Date(`${m[1]}-${m[2]}-${m[3]}T${m[4]}:${m[5]}:${m[6]}Z`);
 }
-exports.parseTime = parseTime;
 // Parse an OID from the DER-encoded buffer
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-object-identifier
 function parseOID(buf) {
@@ -95,13 +97,11 @@ function parseOID(buf) {
  }
  return oid;
 }
-exports.parseOID = parseOID;
 // Parse a boolean from the DER-encoded buffer
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-basic-types#boolean
 function parseBoolean(buf) {
  return buf[0] !== 0;
 }
-exports.parseBoolean = parseBoolean;
 // Parse a bit string from the DER-encoded buffer
 // https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-bit-string
 function parseBitString(buf) {
@@ -122,4 +122,3 @@ function parseBitString(buf) {
  }
  return bits;
 }
-exports.parseBitString = parseBitString;