diff --git a/node_modules/@sigstore/bundle/dist/build.js b/node_modules/@sigstore/bundle/dist/build.js index 0ccea62eaba87..6990f5451a2d3 100644 --- a/node_modules/@sigstore/bundle/dist/build.js +++ b/node_modules/@sigstore/bundle/dist/build.js @@ -21,7 +21,7 @@ const bundle_1 = require("./bundle"); // Message signature bundle - $case: 'messageSignature' function toMessageSignatureBundle(options) { return { - mediaType: bundle_1.BUNDLE_V01_MEDIA_TYPE, + mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE, content: { $case: 'messageSignature', messageSignature: { @@ -39,7 +39,7 @@ exports.toMessageSignatureBundle = toMessageSignatureBundle; // DSSE envelope bundle - $case: 'dsseEnvelope' function toDSSEBundle(options) { return { - mediaType: bundle_1.BUNDLE_V01_MEDIA_TYPE, + mediaType: bundle_1.BUNDLE_V02_MEDIA_TYPE, content: { $case: 'dsseEnvelope', dsseEnvelope: toEnvelope(options), diff --git a/node_modules/@sigstore/bundle/package.json b/node_modules/@sigstore/bundle/package.json index 2b15d08060753..7e26efa11a21d 100644 --- a/node_modules/@sigstore/bundle/package.json +++ b/node_modules/@sigstore/bundle/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/bundle", - "version": "2.0.0", + "version": "2.1.0", "description": "Sigstore bundle type", "main": "dist/index.js", "types": "dist/index.d.ts", diff --git a/node_modules/@sigstore/sign/dist/error.js b/node_modules/@sigstore/sign/dist/error.js index b52ea7eef5d9b..d57e4567fb89e 100644 --- a/node_modules/@sigstore/sign/dist/error.js +++ b/node_modules/@sigstore/sign/dist/error.js @@ -1,6 +1,22 @@ "use strict"; +/* +Copyright 2023 The Sigstore Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ Object.defineProperty(exports, "__esModule", { value: true }); -exports.InternalError = void 0; +exports.internalError = exports.InternalError = void 0; +const error_1 = require("./external/error"); class InternalError extends Error { constructor({ code, message, cause, }) { super(message); @@ -10,3 +26,14 @@ class InternalError extends Error { } } exports.InternalError = InternalError; +function internalError(err, code, message) { + if (err instanceof error_1.HTTPError) { + message += ` - ${err.message}`; + } + throw new InternalError({ + code: code, + message: message, + cause: err, + }); +} +exports.internalError = internalError; diff --git a/node_modules/@sigstore/sign/dist/external/error.js b/node_modules/@sigstore/sign/dist/external/error.js index d1e1c3df8a878..0dad92ea69414 100644 --- a/node_modules/@sigstore/sign/dist/external/error.js +++ b/node_modules/@sigstore/sign/dist/external/error.js @@ -2,20 +2,37 @@ Object.defineProperty(exports, "__esModule", { value: true }); exports.checkStatus = exports.HTTPError = void 0; class HTTPError extends Error { - constructor(response) { - super(`HTTP Error: ${response.status} ${response.statusText}`); - this.response = response; - this.statusCode = response.status; - this.location = response.headers?.get('Location') || undefined; + constructor({ status, message, location, }) { + super(`(${status}) ${message}`); + this.statusCode = status; + this.location = location; } } exports.HTTPError = HTTPError; -const checkStatus = (response) => { +const checkStatus = async (response) => { if (response.ok) { return response; } else { - throw new HTTPError(response); + let message = response.statusText; + const location = response.headers?.get('Location') || undefined; + const contentType = response.headers?.get('Content-Type'); + // If response type is JSON, try to parse the body for a message + if (contentType?.includes('application/json')) { + try { + await response.json().then((body) => { + message = body.message; + }); + } + catch (e) { + // ignore + } + } + throw new HTTPError({ + status: response.status, + message: message, + location: location, + }); } }; exports.checkStatus = checkStatus; diff --git a/node_modules/@sigstore/sign/dist/external/fulcio.js b/node_modules/@sigstore/sign/dist/external/fulcio.js index b27637c2dc570..f00b62e147cd7 100644 --- a/node_modules/@sigstore/sign/dist/external/fulcio.js +++ b/node_modules/@sigstore/sign/dist/external/fulcio.js @@ -43,7 +43,7 @@ class Fulcio { method: 'POST', body: JSON.stringify(request), }); - (0, error_1.checkStatus)(response); + await (0, error_1.checkStatus)(response); const data = await response.json(); return data; } diff --git a/node_modules/@sigstore/sign/dist/external/rekor.js b/node_modules/@sigstore/sign/dist/external/rekor.js index 9b4e66b656251..6f6cb96cc9c5c 100644 --- a/node_modules/@sigstore/sign/dist/external/rekor.js +++ b/node_modules/@sigstore/sign/dist/external/rekor.js @@ -49,7 +49,7 @@ class Rekor { headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(propsedEntry), }); - (0, error_1.checkStatus)(response); + await (0, error_1.checkStatus)(response); const data = await response.json(); return entryFromResponse(data); } @@ -61,7 +61,7 @@ class Rekor { async getEntry(uuid) { const url = `${this.baseUrl}/api/v1/log/entries/${uuid}`; const response = await this.fetch(url); - (0, error_1.checkStatus)(response); + await (0, error_1.checkStatus)(response); const data = await response.json(); return entryFromResponse(data); } @@ -77,7 +77,7 @@ class Rekor { body: JSON.stringify(opts), headers: { 'Content-Type': 'application/json' }, }); - (0, error_1.checkStatus)(response); + await (0, error_1.checkStatus)(response); const data = await response.json(); return data; } @@ -93,7 +93,7 @@ class Rekor { body: JSON.stringify(opts), headers: { 'Content-Type': 'application/json' }, }); - (0, error_1.checkStatus)(response); + await (0, error_1.checkStatus)(response); const rawData = await response.json(); const data = rawData.map((d) => entryFromResponse(d)); return data; diff --git a/node_modules/@sigstore/sign/dist/external/tsa.js b/node_modules/@sigstore/sign/dist/external/tsa.js index 5277d7d3f9707..252c14f2d32d8 100644 --- a/node_modules/@sigstore/sign/dist/external/tsa.js +++ b/node_modules/@sigstore/sign/dist/external/tsa.js @@ -40,7 +40,7 @@ class TimestampAuthority { method: 'POST', body: JSON.stringify(request), }); - (0, error_1.checkStatus)(response); + await (0, error_1.checkStatus)(response); return response.buffer(); } } diff --git a/node_modules/@sigstore/sign/dist/index.js b/node_modules/@sigstore/sign/dist/index.js index f6d97c673ec62..383b76083361b 100644 --- a/node_modules/@sigstore/sign/dist/index.js +++ b/node_modules/@sigstore/sign/dist/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.TSAWitness = exports.RekorWitness = exports.FulcioSigner = exports.CIContextProvider = exports.InternalError = exports.MessageSignatureBundleBuilder = exports.DSSEBundleBuilder = void 0; +exports.TSAWitness = exports.RekorWitness = exports.DEFAULT_REKOR_URL = exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = exports.CIContextProvider = exports.InternalError = exports.MessageSignatureBundleBuilder = exports.DSSEBundleBuilder = void 0; var bundler_1 = require("./bundler"); Object.defineProperty(exports, "DSSEBundleBuilder", { enumerable: true, get: function () { return bundler_1.DSSEBundleBuilder; } }); Object.defineProperty(exports, "MessageSignatureBundleBuilder", { enumerable: true, get: function () { return bundler_1.MessageSignatureBundleBuilder; } }); @@ -9,7 +9,9 @@ Object.defineProperty(exports, "InternalError", { enumerable: true, get: functio var identity_1 = require("./identity"); Object.defineProperty(exports, "CIContextProvider", { enumerable: true, get: function () { return identity_1.CIContextProvider; } }); var signer_1 = require("./signer"); +Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return signer_1.DEFAULT_FULCIO_URL; } }); Object.defineProperty(exports, "FulcioSigner", { enumerable: true, get: function () { return signer_1.FulcioSigner; } }); var witness_1 = require("./witness"); +Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return witness_1.DEFAULT_REKOR_URL; } }); Object.defineProperty(exports, "RekorWitness", { enumerable: true, get: function () { return witness_1.RekorWitness; } }); Object.defineProperty(exports, "TSAWitness", { enumerable: true, get: function () { return witness_1.TSAWitness; } }); diff --git a/node_modules/@sigstore/sign/dist/signer/fulcio/ca.js b/node_modules/@sigstore/sign/dist/signer/fulcio/ca.js index 9c0af0e914493..81b421eabadb2 100644 --- a/node_modules/@sigstore/sign/dist/signer/fulcio/ca.js +++ b/node_modules/@sigstore/sign/dist/signer/fulcio/ca.js @@ -39,11 +39,7 @@ class CAClient { return cert.chain.certificates; } catch (err) { - throw new error_1.InternalError({ - code: 'CA_CREATE_SIGNING_CERTIFICATE_ERROR', - message: 'error creating signing certificate', - cause: err, - }); + (0, error_1.internalError)(err, 'CA_CREATE_SIGNING_CERTIFICATE_ERROR', 'error creating signing certificate'); } } } diff --git a/node_modules/@sigstore/sign/dist/signer/fulcio/index.js b/node_modules/@sigstore/sign/dist/signer/fulcio/index.js index b2eff7e1b981f..89a432548d2b4 100644 --- a/node_modules/@sigstore/sign/dist/signer/fulcio/index.js +++ b/node_modules/@sigstore/sign/dist/signer/fulcio/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.FulcioSigner = void 0; +exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = void 0; /* Copyright 2023 The Sigstore Authors. @@ -20,13 +20,17 @@ const error_1 = require("../../error"); const util_1 = require("../../util"); const ca_1 = require("./ca"); const ephemeral_1 = require("./ephemeral"); +exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev'; // Signer implementation which can be used to decorate another signer // with a Fulcio-issued signing certificate for the signer's public key. // Must be instantiated with an identity provider which can provide a JWT // which represents the identity to be bound to the signing certificate. class FulcioSigner { constructor(options) { - this.ca = new ca_1.CAClient(options); + this.ca = new ca_1.CAClient({ + ...options, + fulcioBaseURL: options.fulcioBaseURL || /* istanbul ignore next */ exports.DEFAULT_FULCIO_URL, + }); this.identityProvider = options.identityProvider; this.keyHolder = options.keyHolder || new ephemeral_1.EphemeralSigner(); } @@ -34,7 +38,17 @@ class FulcioSigner { // Retrieve identity token from the supplied identity provider const identityToken = await this.getIdentityToken(); // Extract challenge claim from OIDC token - const subject = util_1.oidc.extractJWTSubject(identityToken); + let subject; + try { + subject = util_1.oidc.extractJWTSubject(identityToken); + } + catch (err) { + throw new error_1.InternalError({ + code: 'IDENTITY_TOKEN_PARSE_ERROR', + message: `invalid identity token: ${identityToken}`, + cause: err, + }); + } // Construct challenge value by signing the subject claim const challenge = await this.keyHolder.sign(Buffer.from(subject)); if (challenge.key.$case !== 'publicKey') { diff --git a/node_modules/@sigstore/sign/dist/signer/index.js b/node_modules/@sigstore/sign/dist/signer/index.js index 4f64adf41ed8d..06ec9dbe72fe1 100644 --- a/node_modules/@sigstore/sign/dist/signer/index.js +++ b/node_modules/@sigstore/sign/dist/signer/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.FulcioSigner = void 0; +exports.FulcioSigner = exports.DEFAULT_FULCIO_URL = void 0; /* Copyright 2023 The Sigstore Authors. @@ -17,4 +17,5 @@ See the License for the specific language governing permissions and limitations under the License. */ var fulcio_1 = require("./fulcio"); +Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return fulcio_1.DEFAULT_FULCIO_URL; } }); Object.defineProperty(exports, "FulcioSigner", { enumerable: true, get: function () { return fulcio_1.FulcioSigner; } }); diff --git a/node_modules/@sigstore/sign/dist/witness/index.js b/node_modules/@sigstore/sign/dist/witness/index.js index 7218ea41bce6d..e200d0638350b 100644 --- a/node_modules/@sigstore/sign/dist/witness/index.js +++ b/node_modules/@sigstore/sign/dist/witness/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.TSAWitness = exports.RekorWitness = void 0; +exports.TSAWitness = exports.RekorWitness = exports.DEFAULT_REKOR_URL = void 0; /* Copyright 2023 The Sigstore Authors. @@ -17,6 +17,7 @@ See the License for the specific language governing permissions and limitations under the License. */ var tlog_1 = require("./tlog"); +Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return tlog_1.DEFAULT_REKOR_URL; } }); Object.defineProperty(exports, "RekorWitness", { enumerable: true, get: function () { return tlog_1.RekorWitness; } }); var tsa_1 = require("./tsa"); Object.defineProperty(exports, "TSAWitness", { enumerable: true, get: function () { return tsa_1.TSAWitness; } }); diff --git a/node_modules/@sigstore/sign/dist/witness/tlog/client.js b/node_modules/@sigstore/sign/dist/witness/tlog/client.js index 3c1b5212e4265..22c895f2ca7ed 100644 --- a/node_modules/@sigstore/sign/dist/witness/tlog/client.js +++ b/node_modules/@sigstore/sign/dist/witness/tlog/client.js @@ -43,19 +43,11 @@ class TLogClient { entry = await this.rekor.getEntry(uuid); } catch (err) { - throw new error_1.InternalError({ - code: 'TLOG_FETCH_ENTRY_ERROR', - message: 'error fetching tlog entry', - cause: err, - }); + (0, error_1.internalError)(err, 'TLOG_FETCH_ENTRY_ERROR', 'error fetching tlog entry'); } } else { - throw new error_1.InternalError({ - code: 'TLOG_CREATE_ENTRY_ERROR', - message: 'error creating tlog entry', - cause: err, - }); + (0, error_1.internalError)(err, 'TLOG_CREATE_ENTRY_ERROR', 'error creating tlog entry'); } } return entry; diff --git a/node_modules/@sigstore/sign/dist/witness/tlog/index.js b/node_modules/@sigstore/sign/dist/witness/tlog/index.js index 7d5487c2cb3c6..1f098df85390c 100644 --- a/node_modules/@sigstore/sign/dist/witness/tlog/index.js +++ b/node_modules/@sigstore/sign/dist/witness/tlog/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.RekorWitness = void 0; +exports.RekorWitness = exports.DEFAULT_REKOR_URL = void 0; /* Copyright 2023 The Sigstore Authors. @@ -19,9 +19,13 @@ limitations under the License. const util_1 = require("../../util"); const client_1 = require("./client"); const entry_1 = require("./entry"); +exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev'; class RekorWitness { constructor(options) { - this.tlog = new client_1.TLogClient(options); + this.tlog = new client_1.TLogClient({ + ...options, + rekorBaseURL: options.rekorBaseURL || /* istanbul ignore next */ exports.DEFAULT_REKOR_URL, + }); } async testify(content, publicKey) { const proposedEntry = (0, entry_1.toProposedEntry)(content, publicKey); diff --git a/node_modules/@sigstore/sign/dist/witness/tsa/client.js b/node_modules/@sigstore/sign/dist/witness/tsa/client.js index d2a7610401c4e..a334deb00b775 100644 --- a/node_modules/@sigstore/sign/dist/witness/tsa/client.js +++ b/node_modules/@sigstore/sign/dist/witness/tsa/client.js @@ -36,11 +36,7 @@ class TSAClient { return await this.tsa.createTimestamp(request); } catch (err) { - throw new error_1.InternalError({ - code: 'TSA_CREATE_TIMESTAMP_ERROR', - message: 'error creating timestamp', - cause: err, - }); + (0, error_1.internalError)(err, 'TSA_CREATE_TIMESTAMP_ERROR', 'error creating timestamp'); } } } diff --git a/node_modules/@sigstore/sign/package.json b/node_modules/@sigstore/sign/package.json index 732c94f9fcd49..cd8dc14412e4d 100644 --- a/node_modules/@sigstore/sign/package.json +++ b/node_modules/@sigstore/sign/package.json @@ -1,6 +1,6 @@ { "name": "@sigstore/sign", - "version": "2.0.0", + "version": "2.1.0", "description": "Sigstore signing library", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -27,12 +27,12 @@ }, "devDependencies": { "@sigstore/jest": "^0.0.0", - "@sigstore/mock": "^0.3.0", + "@sigstore/mock": "^0.4.0", "@sigstore/rekor-types": "^2.0.0", "@types/make-fetch-happen": "^10.0.0" }, "dependencies": { - "@sigstore/bundle": "^2.0.0", + "@sigstore/bundle": "^2.1.0", "@sigstore/protobuf-specs": "^0.2.1", "make-fetch-happen": "^13.0.0" }, diff --git a/node_modules/sigstore/dist/config.js b/node_modules/sigstore/dist/config.js index 65b20fbaa9829..43c236f0eebd0 100644 --- a/node_modules/sigstore/dist/config.js +++ b/node_modules/sigstore/dist/config.js @@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.artifactVerificationOptions = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0; +exports.artifactVerificationOptions = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = void 0; /* Copyright 2023 The Sigstore Authors. @@ -41,8 +41,6 @@ limitations under the License. */ const sign_1 = require("@sigstore/sign"); const sigstore = __importStar(require("./types/sigstore")); -exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev'; -exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev'; exports.DEFAULT_RETRY = { retries: 2 }; exports.DEFAULT_TIMEOUT = 5000; function createBundleBuilder(bundleType, options) { @@ -61,7 +59,7 @@ exports.createBundleBuilder = createBundleBuilder; // Instantiate the FulcioSigner based on the supplied options. function initSigner(options) { return new sign_1.FulcioSigner({ - fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL, + fulcioBaseURL: options.fulcioURL, identityProvider: options.identityProvider || initIdentityProvider(options), retry: options.retry ?? exports.DEFAULT_RETRY, timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, @@ -84,7 +82,7 @@ function initWitnesses(options) { const witnesses = []; if (isRekorEnabled(options)) { witnesses.push(new sign_1.RekorWitness({ - rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL, + rekorBaseURL: options.rekorURL, fetchOnConflict: false, retry: options.retry ?? exports.DEFAULT_RETRY, timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, diff --git a/node_modules/sigstore/dist/index.js b/node_modules/sigstore/dist/index.js index d281e5b8d2ab7..341c1fa504d1e 100644 --- a/node_modules/sigstore/dist/index.js +++ b/node_modules/sigstore/dist/index.js @@ -1,6 +1,6 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); -exports.verify = exports.sign = exports.createVerifier = exports.attest = exports.VerificationError = exports.PolicyError = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.TUFError = exports.InternalError = exports.ValidationError = void 0; +exports.verify = exports.sign = exports.createVerifier = exports.attest = exports.VerificationError = exports.PolicyError = exports.TUFError = exports.InternalError = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.ValidationError = void 0; /* Copyright 2022 The Sigstore Authors. @@ -19,12 +19,11 @@ limitations under the License. var bundle_1 = require("@sigstore/bundle"); Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_1.ValidationError; } }); var sign_1 = require("@sigstore/sign"); +Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return sign_1.DEFAULT_FULCIO_URL; } }); +Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return sign_1.DEFAULT_REKOR_URL; } }); Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return sign_1.InternalError; } }); var tuf_1 = require("@sigstore/tuf"); Object.defineProperty(exports, "TUFError", { enumerable: true, get: function () { return tuf_1.TUFError; } }); -var config_1 = require("./config"); -Object.defineProperty(exports, "DEFAULT_FULCIO_URL", { enumerable: true, get: function () { return config_1.DEFAULT_FULCIO_URL; } }); -Object.defineProperty(exports, "DEFAULT_REKOR_URL", { enumerable: true, get: function () { return config_1.DEFAULT_REKOR_URL; } }); var error_1 = require("./error"); Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } }); Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } }); diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json index 26e58edd47af3..daf50ba601884 100644 --- a/node_modules/sigstore/package.json +++ b/node_modules/sigstore/package.json @@ -1,6 +1,6 @@ { "name": "sigstore", - "version": "2.0.0", + "version": "2.1.0", "description": "code-signing for npm packages", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -29,15 +29,15 @@ "devDependencies": { "@sigstore/rekor-types": "^2.0.0", "@sigstore/jest": "^0.0.0", - "@sigstore/mock": "^0.3.0", + "@sigstore/mock": "^0.4.0", "@tufjs/repo-mock": "^2.0.0", "@types/make-fetch-happen": "^10.0.0" }, "dependencies": { - "@sigstore/bundle": "^2.0.0", + "@sigstore/bundle": "^2.1.0", "@sigstore/protobuf-specs": "^0.2.1", - "@sigstore/sign": "^2.0.0", - "@sigstore/tuf": "^2.0.0" + "@sigstore/sign": "^2.1.0", + "@sigstore/tuf": "^2.1.0" }, "engines": { "node": "^16.14.0 || >=18.0.0" diff --git a/package-lock.json b/package-lock.json index cc58e15126f0f..26628070149f4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2923,9 +2923,9 @@ } }, "node_modules/@sigstore/bundle": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.0.0.tgz", - "integrity": "sha512-EO7D7/kMtUsYn596WP+b5N/txWTgOt7N8vsZ2gyneMsxfrPW4FJHRZtMlZeGKCgBNCcjZhZ8ItyawkZqJC8XiA==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.1.0.tgz", + "integrity": "sha512-89uOo6yh/oxaU8AeOUnVrTdVMcGk9Q1hJa7Hkvalc6G3Z3CupWk4Xe9djSgJm9fMkH69s0P0cVHUoKSOemLdng==", "inBundle": true, "dependencies": { "@sigstore/protobuf-specs": "^0.2.1" @@ -2944,12 +2944,12 @@ } }, "node_modules/@sigstore/sign": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.0.0.tgz", - "integrity": "sha512-f+r1jEDwM5969DTORRln9sDmWjTy1cOQzhU/iisGNzFdbF2TglmwNScbH6aiQ6QH4lc3jOXNMgKP6sec1kSVKA==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.1.0.tgz", + "integrity": "sha512-4VRpfJxs+8eLqzLVrZngVNExVA/zAhVbi4UT4zmtLi4xRd7vz5qie834OgkrGsLlLB1B2nz/3wUxT1XAUBe8gw==", "inBundle": true, "dependencies": { - "@sigstore/bundle": "^2.0.0", + "@sigstore/bundle": "^2.1.0", "@sigstore/protobuf-specs": "^0.2.1", "make-fetch-happen": "^13.0.0" }, @@ -11808,15 +11808,15 @@ } }, "node_modules/sigstore": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-2.0.0.tgz", - "integrity": "sha512-RtTi90xIdzFmQAAKb9+Ki1nx4IR2Z5c+mFn3dN0xuPHgk3gTt3f7ZqKsZ9UFQP40ZAlm7un8LMyjhwgrTIXNPA==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-2.1.0.tgz", + "integrity": "sha512-kPIj+ZLkyI3QaM0qX8V/nSsweYND3W448pwkDgS6CQ74MfhEkIR8ToK5Iyx46KJYRjseVcD3Rp9zAmUAj6ZjPw==", "inBundle": true, "dependencies": { - "@sigstore/bundle": "^2.0.0", + "@sigstore/bundle": "^2.1.0", "@sigstore/protobuf-specs": "^0.2.1", - "@sigstore/sign": "^2.0.0", - "@sigstore/tuf": "^2.0.0" + "@sigstore/sign": "^2.1.0", + "@sigstore/tuf": "^2.1.0" }, "engines": { "node": "^16.14.0 || >=18.0.0" @@ -16139,7 +16139,7 @@ "npm-registry-fetch": "^16.0.0", "proc-log": "^3.0.0", "semver": "^7.3.7", - "sigstore": "^2.0.0", + "sigstore": "^2.1.0", "ssri": "^10.0.5" }, "devDependencies": { diff --git a/workspaces/libnpmpublish/package.json b/workspaces/libnpmpublish/package.json index 094414e716102..87a878173fdbe 100644 --- a/workspaces/libnpmpublish/package.json +++ b/workspaces/libnpmpublish/package.json @@ -44,7 +44,7 @@ "npm-registry-fetch": "^16.0.0", "proc-log": "^3.0.0", "semver": "^7.3.7", - "sigstore": "^2.0.0", + "sigstore": "^2.1.0", "ssri": "^10.0.5" }, "engines": {