npm · wraithgar · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024
@@ -208,6 +208,9 @@
 !/socks-proxy-agent
 !/socks
 !/spdx-correct
+!/spdx-correct/node_modules/
+/spdx-correct/node_modules/*
+!/spdx-correct/node_modules/spdx-expression-parse
 !/spdx-exceptions
 !/spdx-expression-parse
 !/spdx-license-ids
@@ -233,6 +236,9 @@
 !/unique-slug
 !/util-deprecate
 !/validate-npm-package-license
+!/validate-npm-package-license/node_modules/
+/validate-npm-package-license/node_modules/*
+!/validate-npm-package-license/node_modules/spdx-expression-parse
 !/validate-npm-package-name
 !/walk-up-path
 !/wcwidth

@@ -65,7 +65,10 @@ module.exports = class Agent extends AgentBase {
       ProxyAgent = this.isSecureEndpoint(options) ? ProxyAgent[1] : ProxyAgent[0]
     }
 
-    const proxyAgent = new ProxyAgent(proxy, this.#options)
+    const proxyAgent = new ProxyAgent(proxy, {
+      ...this.#options,
+      socketOptions: { family: this.#options.family },
+    })
     proxyCache.set(cacheKey, proxyAgent)
 
     return proxyAgent

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/agent",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "description": "the http/https agent used by the npm cli",
   "main": "lib/index.js",
   "scripts": {
@@ -36,7 +36,7 @@
     "http-proxy-agent": "^7.0.0",
     "https-proxy-agent": "^7.0.1",
     "lru-cache": "^10.0.1",
-    "socks-proxy-agent": "^8.0.1"
+    "socks-proxy-agent": "^8.0.3"
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",

@@ -1,6 +1,4 @@
 // not an airtight indicator, but a good gut-check to even bother trying
-const { promisify } = require('util')
-const fs = require('fs')
-const stat = promisify(fs.stat)
+const { stat } = require('fs/promises')
 module.exports = ({ cwd = process.cwd() } = {}) =>
   stat(cwd + '/.git').then(() => true, () => false)
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/git",
-  "version": "5.0.4",
+  "version": "5.0.5",
   "main": "lib/index.js",
   "files": [
     "bin/",

@@ -1,11 +1,9 @@
-const semver = require('semver')
+const valid = require('semver/functions/valid')
+const clean = require('semver/functions/clean')
 const fs = require('fs/promises')
 const { glob } = require('glob')
-const legacyFixer = require('normalize-package-data/lib/fixer.js')
-const legacyMakeWarning = require('normalize-package-data/lib/make_warning.js')
 const path = require('path')
 const log = require('proc-log')
-const git = require('@npmcli/git')
 const hostedGitInfo = require('hosted-git-info')
 
 // used to be npm-normalize-package-bin
@@ -130,10 +128,10 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
     if (!data.version) {
       data.version = ''
     } else {
-      if (!semver.valid(data.version, loose)) {
+      if (!valid(data.version, loose)) {
         throw new Error(`Invalid version: "${data.version}"`)
       }
-      const version = semver.clean(data.version, loose)
+      const version = clean(data.version, loose)
       if (version !== data.version) {
         changes?.push(`"version" was cleaned and set to "${version}"`)
         data.version = version
@@ -333,6 +331,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
 
   // populate "gitHead" attribute
   if (steps.includes('gitHead') && !data.gitHead) {
+    const git = require('@npmcli/git')
     const gitRoot = await git.find({ cwd: pkg.path, root })
     let head
     if (gitRoot) {
@@ -518,6 +517,8 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   }
 
   if (steps.includes('normalizeData')) {
+    const legacyFixer = require('normalize-package-data/lib/fixer.js')
+    const legacyMakeWarning = require('normalize-package-data/lib/make_warning.js')
     legacyFixer.warn = function () {
       changes?.push(legacyMakeWarning.apply(null, arguments))
     }

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/package-json",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "Programmatic API to update package.json",
   "main": "lib/index.js",
   "files": [
@@ -10,7 +10,7 @@
   "scripts": {
     "snap": "tap",
     "test": "tap",
-    "lint": "eslint \"**/*.js\"",
+    "lint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
     "lintfix": "npm run lint -- --fix",
     "posttest": "npm run lint",
     "postsnap": "npm run lintfix --",
@@ -25,8 +25,8 @@
   "license": "ISC",
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.18.0",
-    "read-package-json": "^6.0.4",
+    "@npmcli/template-oss": "4.21.3",
+    "read-package-json": "^7.0.0",
     "read-package-json-fast": "^3.0.2",
     "tap": "^16.0.1"
   },
@@ -48,14 +48,8 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.18.0",
-    "publish": "true",
-    "ciVersions": [
-      "16.14.0",
-      "16.x",
-      "18.0.0",
-      "18.x"
-    ]
+    "version": "4.21.3",
+    "publish": "true"
   },
   "tap": {
     "nyc-arg": [

@@ -21,7 +21,9 @@ const bundle_1 = require("./bundle");
 // Message signature bundle - $case: 'messageSignature'
 function toMessageSignatureBundle(options) {
     return {
-        mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE,
+        mediaType: options.singleCertificate
+            ? bundle_1.BUNDLE_V03_MEDIA_TYPE
+            : bundle_1.BUNDLE_V02_MEDIA_TYPE,
         content: {
             $case: 'messageSignature',
             messageSignature: {
@@ -39,7 +41,9 @@ exports.toMessageSignatureBundle = toMessageSignatureBundle;
 // DSSE envelope bundle - $case: 'dsseEnvelope'
 function toDSSEBundle(options) {
     return {
-        mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE,
+        mediaType: options.singleCertificate
+            ? bundle_1.BUNDLE_V03_MEDIA_TYPE
+            : bundle_1.BUNDLE_V02_MEDIA_TYPE,
         content: {
             $case: 'dsseEnvelope',
             dsseEnvelope: toEnvelope(options),
@@ -71,12 +75,20 @@ function toVerificationMaterial(options) {
 }
 function toKeyContent(options) {
     if (options.certificate) {
-        return {
-            $case: 'x509CertificateChain',
-            x509CertificateChain: {
-                certificates: [{ rawBytes: options.certificate }],
-            },
-        };
+        if (options.singleCertificate) {
+            return {
+                $case: 'certificate',
+                certificate: { rawBytes: options.certificate },
+            };
+        }
+        else {
+            return {
+                $case: 'x509CertificateChain',
+                x509CertificateChain: {
+                    certificates: [{ rawBytes: options.certificate }],
+                },
+            };
+        }
     }
     else {
         return {

@@ -1,9 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
 exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
 exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2';
-exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
+exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
+exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json';
 // Type guards for bundle variants.
 function isBundleWithCertificateChain(b) {
     return b.verificationMaterial.content.$case === 'x509CertificateChain';

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
+exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V03_LEGACY_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -22,6 +22,7 @@ Object.defineProperty(exports, "toMessageSignatureBundle", { enumerable: true, g
 var bundle_1 = require("./bundle");
 Object.defineProperty(exports, "BUNDLE_V01_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V01_MEDIA_TYPE; } });
 Object.defineProperty(exports, "BUNDLE_V02_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V02_MEDIA_TYPE; } });
+Object.defineProperty(exports, "BUNDLE_V03_LEGACY_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_LEGACY_MEDIA_TYPE; } });
 Object.defineProperty(exports, "BUNDLE_V03_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_MEDIA_TYPE; } });
 Object.defineProperty(exports, "isBundleWithCertificateChain", { enumerable: true, get: function () { return bundle_1.isBundleWithCertificateChain; } });
 Object.defineProperty(exports, "isBundleWithDsseEnvelope", { enumerable: true, get: function () { return bundle_1.isBundleWithDsseEnvelope; } });

@@ -74,7 +74,8 @@ function validateBundleBase(b) {
     const invalidValues = [];
     // Media type validation
     if (b.mediaType === undefined ||
-        !b.mediaType.startsWith('application/vnd.dev.sigstore.bundle+json;version=')) {
+        (!b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\+json;version=\d\.\d/) &&
+            !b.mediaType.match(/^application\/vnd\.dev\.sigstore\.bundle\.v\d\.\d\+json/))) {
         invalidValues.push('mediaType');
     }
     // Content-related validation

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/bundle",
-  "version": "2.2.0",
+  "version": "2.3.1",
   "description": "Sigstore bundle type",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -27,7 +27,7 @@
     "provenance": true
   },
   "dependencies": {
-    "@sigstore/protobuf-specs": "^0.3.0"
+    "@sigstore/protobuf-specs": "^0.3.1"
   },
   "engines": {
     "node": "^16.14.0 || >=18.0.0"

@@ -21,12 +21,12 @@ limitations under the License.
 */
 const crypto_1 = __importDefault(require("crypto"));
 const SHA256_ALGORITHM = 'sha256';
-function createPublicKey(key) {
+function createPublicKey(key, type = 'spki') {
     if (typeof key === 'string') {
         return crypto_1.default.createPublicKey(key);
     }
     else {
-        return crypto_1.default.createPublicKey({ key, format: 'der', type: 'spki' });
+        return crypto_1.default.createPublicKey({ key, format: 'der', type: type });
     }
 }
 exports.createPublicKey = createPublicKey;

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/core",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Base library for Sigstore",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0;
+exports.ClientTrustConfig = exports.SigningConfig = exports.TrustedRoot = exports.CertificateAuthority = exports.TransparencyLogInstance = void 0;
 /* eslint-disable */
 const sigstore_common_1 = require("./sigstore_common");
 function createBaseTransparencyLogInstance() {
@@ -98,6 +98,58 @@ exports.TrustedRoot = {
         return obj;
     },
 };
+function createBaseSigningConfig() {
+    return { caUrl: "", oidcUrl: "", tlogUrls: [], tsaUrls: [] };
+}
+exports.SigningConfig = {
+    fromJSON(object) {
+        return {
+            caUrl: isSet(object.caUrl) ? String(object.caUrl) : "",
+            oidcUrl: isSet(object.oidcUrl) ? String(object.oidcUrl) : "",
+            tlogUrls: Array.isArray(object?.tlogUrls) ? object.tlogUrls.map((e) => String(e)) : [],
+            tsaUrls: Array.isArray(object?.tsaUrls) ? object.tsaUrls.map((e) => String(e)) : [],
+        };
+    },
+    toJSON(message) {
+        const obj = {};
+        message.caUrl !== undefined && (obj.caUrl = message.caUrl);
+        message.oidcUrl !== undefined && (obj.oidcUrl = message.oidcUrl);
+        if (message.tlogUrls) {
+            obj.tlogUrls = message.tlogUrls.map((e) => e);
+        }
+        else {
+            obj.tlogUrls = [];
+        }
+        if (message.tsaUrls) {
+            obj.tsaUrls = message.tsaUrls.map((e) => e);
+        }
+        else {
+            obj.tsaUrls = [];
+        }
+        return obj;
+    },
+};
+function createBaseClientTrustConfig() {
+    return { mediaType: "", trustedRoot: undefined, signingConfig: undefined };
+}
+exports.ClientTrustConfig = {
+    fromJSON(object) {
+        return {
+            mediaType: isSet(object.mediaType) ? String(object.mediaType) : "",
+            trustedRoot: isSet(object.trustedRoot) ? exports.TrustedRoot.fromJSON(object.trustedRoot) : undefined,
+            signingConfig: isSet(object.signingConfig) ? exports.SigningConfig.fromJSON(object.signingConfig) : undefined,
+        };
+    },
+    toJSON(message) {
+        const obj = {};
+        message.mediaType !== undefined && (obj.mediaType = message.mediaType);
+        message.trustedRoot !== undefined &&
+            (obj.trustedRoot = message.trustedRoot ? exports.TrustedRoot.toJSON(message.trustedRoot) : undefined);
+        message.signingConfig !== undefined &&
+            (obj.signingConfig = message.signingConfig ? exports.SigningConfig.toJSON(message.signingConfig) : undefined);
+        return obj;
+    },
+};
 function isSet(value) {
     return value !== null && value !== undefined;
 }
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/protobuf-specs",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "code-signing for npm packages",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -21,11 +21,11 @@
   },
   "homepage": "https://github.com/sigstore/protobuf-specs#readme",
   "devDependencies": {
-    "@tsconfig/node14": "^1.0.3",
+    "@tsconfig/node16": "^16.1.1",
     "@types/node": "^18.14.0",
     "typescript": "^4.9.5"
   },
   "engines": {
-    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+    "node": "^16.14.0 || >=18.0.0"
   }
 }
@@ -56,7 +56,7 @@ function toMessageSignatureBundle(artifact, signature) {
 }
 exports.toMessageSignatureBundle = toMessageSignatureBundle;
 // DSSE envelope bundle - $case: 'dsseEnvelope'
-function toDSSEBundle(artifact, signature) {
+function toDSSEBundle(artifact, signature, singleCertificate) {
     return sigstore.toDSSEBundle({
         artifact: artifact.data,
         artifactType: artifact.type,
@@ -65,6 +65,7 @@ function toDSSEBundle(artifact, signature) {
             ? util_1.pem.toDER(signature.key.certificate)
             : undefined,
         keyHint: signature.key.$case === 'publicKey' ? signature.key.hint : undefined,
+        singleCertificate,
     });
 }
 exports.toDSSEBundle = toDSSEBundle;