From c9236b79b6be5dfccfdad6ed8f0903051608a58e Mon Sep 17 00:00:00 2001 From: Yashvanth B L Date: Thu, 2 Jul 2026 18:29:22 +0530 Subject: [PATCH] fix(root): bump sigstore to 4.1.1 to fix GHSA-52v5-jr5w-gjxr Ticket: CGD-2015 --- .iyarc | 16 --- package.json | 3 +- yarn.lock | 290 ++++++++++++++++++--------------------------------- 3 files changed, 106 insertions(+), 203 deletions(-) diff --git a/.iyarc b/.iyarc index 0f9d12217f..7a5fd13b41 100644 --- a/.iyarc +++ b/.iyarc @@ -67,22 +67,6 @@ GHSA-9ppj-qmqm-q256 # - No patched version of sjcl exists upstream (first_patched_version: null) GHSA-2w8x-224x-785m -# Excluded because: -# - XSS via xmp raw-text passthrough in sanitize-html (severity: critical, CVE-2026-44990) -# - patched_versions: "<0.0.0" — no upstream fix exists yet -# - Used in @bitgo/sdk-api to strip all HTML from API error response text (allowedTags: []) -# - Output is appended to a JavaScript error string server-side, never rendered as HTML in a browser -# - The xmp bypass produces live HTML markup in output, but since we discard all tags and use -# the result as plain text in Error messages, there is no DOM rendering path and no XSS risk -GHSA-rpr9-rxv7-x643 - -# Excluded because: -# - CVE affects esbuild's Deno distribution only: binary downloads without SHA-256 integrity verification -# - BitGoJS is a Node.js project; the Node.js esbuild distribution already includes binaryIntegrityCheck() -# - esbuild is a dev-time build tool (via babylonlabs-io-btc-staking-ts), not runtime production code -# - The attacker-controlled NPM_CONFIG_REGISTRY vector does not apply to our controlled CI environment -GHSA-gv7w-rqvm-qjhr - # Excluded because: # - ws: Memory exhaustion DoS by sending many tiny fragments/data chunks to exhaust server memory # - Transitive dependency via @cosmjs/socket, @ethersproject/providers, @polkadot/rpc-provider, diff --git a/package.json b/package.json index bb5467567a..b5aeb7ca50 100644 --- a/package.json +++ b/package.json @@ -133,7 +133,8 @@ "@babel/plugin-transform-modules-systemjs": "7.29.4", "protobufjs": "7.5.8", "@protobufjs/fetch": "1.1.0", - "@protobufjs/inquire": "1.1.0" + "@protobufjs/inquire": "1.1.0", + "sigstore": "4.1.1" }, "workspaces": [ "modules/*" diff --git a/yarn.lock b/yarn.lock index 4c021ec4d1..349e0fe1f7 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2789,7 +2789,7 @@ "@scure/base" "1.1.5" micro-eth-signer "0.7.2" -"@gar/promise-retry@^1.0.0": +"@gar/promise-retry@^1.0.0", "@gar/promise-retry@^1.0.2": version "1.0.3" resolved "https://registry.npmjs.org/@gar/promise-retry/-/promise-retry-1.0.3.tgz#65e726428e794bc4453948e0a41e6de4215ce8b0" integrity sha512-GmzA9ckNokPypTg10pgpeHNQe7ph+iIKKmhKu3Ob9ANkswreCx7R3cKmY781K8QK3AqVL3xVh9A42JvIAbkkSA== @@ -4047,6 +4047,11 @@ resolved "https://registry.npmjs.org/@npmcli/redact/-/redact-3.2.2.tgz" integrity sha512-7VmYAmk4csGv08QzrDKScdzn11jHPFGyqJW39FyPgPuAp3zIaUmuCo1yxw9aGs+NEJuTGQ9Gwqpt93vtJubucg== +"@npmcli/redact@^4.0.0": + version "4.0.0" + resolved "https://registry.npmjs.org/@npmcli/redact/-/redact-4.0.0.tgz#c91121e02b7559a997614a2c1057cd7fc67608c4" + integrity sha512-gOBg5YHMfZy+TfHArfVogwgfBeQnKbbGo3pSUyK/gSI0AVu+pEiDVcKlQb0D8Mg1LNRZILZ6XG8I5dJ4KuAd9Q== + "@npmcli/run-script@10.0.0", "@npmcli/run-script@^10.0.0": version "10.0.0" resolved "https://registry.npmjs.org/@npmcli/run-script/-/run-script-10.0.0.tgz" @@ -5037,20 +5042,6 @@ resolved "https://registry.npmjs.org/@sideway/pinpoint/-/pinpoint-2.0.0.tgz" integrity sha512-RNiOoTPkptFtSVzQevY/yWtZwf/RxyVnPy/OcA9HBM3MlGDnBEYL5B41H0MTn0Uec8Hi+2qUtTfG2WWZBmMejQ== -"@sigstore/bundle@^1.1.0": - version "1.1.0" - resolved "https://registry.npmjs.org/@sigstore/bundle/-/bundle-1.1.0.tgz" - integrity sha512-PFutXEy0SmQxYI4texPw3dd2KewuNqv7OuK1ZFtY2fM754yhvG2KdgwIhRnoEE2uHdtdGNQ8s0lb94dW9sELog== - dependencies: - "@sigstore/protobuf-specs" "^0.2.0" - -"@sigstore/bundle@^3.1.0": - version "3.1.0" - resolved "https://registry.npmjs.org/@sigstore/bundle/-/bundle-3.1.0.tgz" - integrity sha512-Mm1E3/CmDDCz3nDhFKTuYdB47EdRFRQMOE/EAbiG1MJW77/w1b3P7Qx7JSrVJs8PfwOLOVcKQCHErIwCTyPbag== - dependencies: - "@sigstore/protobuf-specs" "^0.4.0" - "@sigstore/bundle@^4.0.0": version "4.0.0" resolved "https://registry.npmjs.org/@sigstore/bundle/-/bundle-4.0.0.tgz" @@ -5058,104 +5049,43 @@ dependencies: "@sigstore/protobuf-specs" "^0.5.0" -"@sigstore/core@^2.0.0": - version "2.0.0" - resolved "https://registry.npmjs.org/@sigstore/core/-/core-2.0.0.tgz" - integrity sha512-nYxaSb/MtlSI+JWcwTHQxyNmWeWrUXJJ/G4liLrGG7+tS4vAz6LF3xRXqLH6wPIVUoZQel2Fs4ddLx4NCpiIYg== - -"@sigstore/core@^3.0.0": - version "3.0.0" - resolved "https://registry.npmjs.org/@sigstore/core/-/core-3.0.0.tgz" - integrity sha512-NgbJ+aW9gQl/25+GIEGYcCyi8M+ng2/5X04BMuIgoDfgvp18vDcoNHOQjQsG9418HGNYRxG3vfEXaR1ayD37gg== - -"@sigstore/protobuf-specs@^0.2.0": - version "0.2.1" - resolved "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.2.1.tgz" - integrity sha512-XTWVxnWJu+c1oCshMLwnKvz8ZQJJDVOlciMfgpJBQbThVjKTCG8dwyhgLngBD2KN0ap9F/gOV8rFDEx8uh7R2A== - -"@sigstore/protobuf-specs@^0.4.0", "@sigstore/protobuf-specs@^0.4.1": - version "0.4.3" - resolved "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.4.3.tgz" - integrity sha512-fk2zjD9117RL9BjqEwF7fwv7Q/P9yGsMV4MUJZ/DocaQJ6+3pKr+syBq1owU5Q5qGw5CUbXzm+4yJ2JVRDQeSA== +"@sigstore/core@^3.2.0", "@sigstore/core@^3.2.1": + version "3.2.1" + resolved "https://registry.npmjs.org/@sigstore/core/-/core-3.2.1.tgz#4efd4ab0f59e768b6daf65612024ba925787de72" + integrity sha512-qRsxPnCrbC/puegGxKuynfnxgLiHqWStrSjxkoB4YKqq3Z3s4cyZyj42ZdWFAEblNP65C+rBH8EuREHIXoi83g== "@sigstore/protobuf-specs@^0.5.0": version "0.5.0" resolved "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.5.0.tgz" integrity sha512-MM8XIwUjN2bwvCg1QvrMtbBmpcSHrkhFSCu1D11NyPvDQ25HEc4oG5/OcQfd/Tlf/OxmKWERDj0zGE23jQaMwA== -"@sigstore/sign@^1.0.0": - version "1.0.0" - resolved "https://registry.npmjs.org/@sigstore/sign/-/sign-1.0.0.tgz" - integrity sha512-INxFVNQteLtcfGmcoldzV6Je0sbbfh9I16DM4yJPw3j5+TFP8X6uIiA18mvpEa9yyeycAKgPmOA3X9hVdVTPUA== - dependencies: - "@sigstore/bundle" "^1.1.0" - "@sigstore/protobuf-specs" "^0.2.0" - make-fetch-happen "^11.0.1" - -"@sigstore/sign@^3.1.0": - version "3.1.0" - resolved "https://registry.npmjs.org/@sigstore/sign/-/sign-3.1.0.tgz" - integrity sha512-knzjmaOHOov1Ur7N/z4B1oPqZ0QX5geUfhrVaqVlu+hl0EAoL4o+l0MSULINcD5GCWe3Z0+YJO8ues6vFlW0Yw== - dependencies: - "@sigstore/bundle" "^3.1.0" - "@sigstore/core" "^2.0.0" - "@sigstore/protobuf-specs" "^0.4.0" - make-fetch-happen "^14.0.2" - proc-log "^5.0.0" - promise-retry "^2.0.1" - -"@sigstore/sign@^4.0.0": - version "4.0.1" - resolved "https://registry.npmjs.org/@sigstore/sign/-/sign-4.0.1.tgz" - integrity sha512-KFNGy01gx9Y3IBPG/CergxR9RZpN43N+lt3EozEfeoyqm8vEiLxwRl3ZO5sPx3Obv1ix/p7FWOlPc2Jgwfp9PA== +"@sigstore/sign@^4.1.1": + version "4.1.1" + resolved "https://registry.npmjs.org/@sigstore/sign/-/sign-4.1.1.tgz#34765fe4a190d693340c0771a3d150a397bcfc55" + integrity sha512-Hf4xglukg0XXQ2RiD5vSoLjdPe8OBUPA8XeVjUObheuDcWdYWrnH/BNmxZCzkAy68MzmNCxXLeurJvs6hcP2OQ== dependencies: + "@gar/promise-retry" "^1.0.2" "@sigstore/bundle" "^4.0.0" - "@sigstore/core" "^3.0.0" + "@sigstore/core" "^3.2.0" "@sigstore/protobuf-specs" "^0.5.0" - make-fetch-happen "^15.0.2" - proc-log "^5.0.0" - promise-retry "^2.0.1" + make-fetch-happen "^15.0.4" + proc-log "^6.1.0" -"@sigstore/tuf@^1.0.3": - version "1.0.3" - resolved "https://registry.npmjs.org/@sigstore/tuf/-/tuf-1.0.3.tgz" - integrity sha512-2bRovzs0nJZFlCN3rXirE4gwxCn97JNjMmwpecqlbgV9WcxX7WRuIrgzx/X7Ib7MYRbyUTpBYE0s2x6AmZXnlg== - dependencies: - "@sigstore/protobuf-specs" "^0.2.0" - tuf-js "^1.1.7" - -"@sigstore/tuf@^3.1.0": - version "3.1.1" - resolved "https://registry.npmjs.org/@sigstore/tuf/-/tuf-3.1.1.tgz" - integrity sha512-eFFvlcBIoGwVkkwmTi/vEQFSva3xs5Ot3WmBcjgjVdiaoelBLQaQ/ZBfhlG0MnG0cmTYScPpk7eDdGDWUcFUmg== - dependencies: - "@sigstore/protobuf-specs" "^0.4.1" - tuf-js "^3.0.1" - -"@sigstore/tuf@^4.0.0": - version "4.0.0" - resolved "https://registry.npmjs.org/@sigstore/tuf/-/tuf-4.0.0.tgz" - integrity sha512-0QFuWDHOQmz7t66gfpfNO6aEjoFrdhkJaej/AOqb4kqWZVbPWFZifXZzkxyQBB1OwTbkhdT3LNpMFxwkTvf+2w== +"@sigstore/tuf@^4.0.2": + version "4.0.2" + resolved "https://registry.npmjs.org/@sigstore/tuf/-/tuf-4.0.2.tgz#7d2fa2abcd5afa5baf752671d14a1c6ed0ed3196" + integrity sha512-TCAzTy0xzdP79EnxSjq9KQ3eaR7+FmudLC6eRKknVKZbV7ZNlGLClAAQb/HMNJ5n2OBNk2GT1tEmU0xuPr+SLQ== dependencies: "@sigstore/protobuf-specs" "^0.5.0" - tuf-js "^4.0.0" - -"@sigstore/verify@^2.1.0": - version "2.1.1" - resolved "https://registry.npmjs.org/@sigstore/verify/-/verify-2.1.1.tgz" - integrity sha512-hVJD77oT67aowHxwT4+M6PGOp+E2LtLdTK3+FC0lBO9T7sYwItDMXZ7Z07IDCvR1M717a4axbIWckrW67KMP/w== - dependencies: - "@sigstore/bundle" "^3.1.0" - "@sigstore/core" "^2.0.0" - "@sigstore/protobuf-specs" "^0.4.1" + tuf-js "^4.1.0" -"@sigstore/verify@^3.0.0": - version "3.0.0" - resolved "https://registry.npmjs.org/@sigstore/verify/-/verify-3.0.0.tgz" - integrity sha512-moXtHH33AobOhTZF8xcX1MpOFqdvfCk7v6+teJL8zymBiDXwEsQH6XG9HGx2VIxnJZNm4cNSzflTLDnQLmIdmw== +"@sigstore/verify@^3.1.1": + version "3.1.1" + resolved "https://registry.npmjs.org/@sigstore/verify/-/verify-3.1.1.tgz#13c1c1cff28fe81f662de29d85ba5ae048fcbd8d" + integrity sha512-qv7+G3J2cc6wwFj3yKvXOamzqhMwSk1ogPGmhpS8iXllcPrJaIIBA+4HbttlHVu1pqWTdmaCH/WE7UOC51kdoA== dependencies: "@sigstore/bundle" "^4.0.0" - "@sigstore/core" "^3.0.0" + "@sigstore/core" "^3.2.1" "@sigstore/protobuf-specs" "^0.5.0" "@silencelaboratories/dkls-wasm-ll-bundler@1.2.0-pre.4": @@ -5928,39 +5858,18 @@ resolved "https://registry.npmjs.org/@tronweb3/google-protobuf/-/google-protobuf-3.21.4.tgz" integrity sha512-joxgV4esCdyZ921AprMIG1T7HjkypquhbJ5qJti/priCBJhRE1z9GOxIEMvayxSVSRbMGIoJNE0Knrg3vpwM1w== -"@tufjs/canonical-json@1.0.0": - version "1.0.0" - resolved "https://registry.npmjs.org/@tufjs/canonical-json/-/canonical-json-1.0.0.tgz" - integrity sha512-QTnf++uxunWvG2z3UFNzAoQPHxnSXOwtaI3iJ+AohhV+5vONuArPjJE7aPXPVXfXJsqrVbZBu9b81AJoSd09IQ== - "@tufjs/canonical-json@2.0.0": version "2.0.0" resolved "https://registry.npmjs.org/@tufjs/canonical-json/-/canonical-json-2.0.0.tgz" integrity sha512-yVtV8zsdo8qFHe+/3kw81dSLyF7D576A5cCFCi4X7B39tWT7SekaEFUnvnWJHz+9qO7qJTah1JbrDjWKqFtdWA== -"@tufjs/models@1.0.4": - version "1.0.4" - resolved "https://registry.npmjs.org/@tufjs/models/-/models-1.0.4.tgz" - integrity sha512-qaGV9ltJP0EO25YfFUPhxRVK0evXFIAGicsVXuRim4Ed9cjPxYhNnNJ49SFmbeLgtxpslIkX317IgpfcHPVj/A== - dependencies: - "@tufjs/canonical-json" "1.0.0" - minimatch "^9.0.0" - -"@tufjs/models@3.0.1": - version "3.0.1" - resolved "https://registry.npmjs.org/@tufjs/models/-/models-3.0.1.tgz" - integrity sha512-UUYHISyhCU3ZgN8yaear3cGATHb3SMuKHsQ/nVbHXcmnBf+LzQ/cQfhNG+rfaSHgqGKNEm2cOCLVLELStUQ1JA== - dependencies: - "@tufjs/canonical-json" "2.0.0" - minimatch "^9.0.5" - -"@tufjs/models@4.0.0": - version "4.0.0" - resolved "https://registry.npmjs.org/@tufjs/models/-/models-4.0.0.tgz" - integrity sha512-h5x5ga/hh82COe+GoD4+gKUeV4T3iaYOxqLt41GRKApinPI7DMidhCmNVTjKfhCWFJIGXaFJee07XczdT4jdZQ== +"@tufjs/models@4.1.0": + version "4.1.0" + resolved "https://registry.npmjs.org/@tufjs/models/-/models-4.1.0.tgz#494b39cf5e2f6855d80031246dd236d8086069b3" + integrity sha512-Y8cK9aggNRsqJVaKUlEYs4s7CvQ1b1ta2DVPyAimb0I2qhzjNk+A+mxvll/klL0RlfuIUei8BF7YWiua4kQqww== dependencies: "@tufjs/canonical-json" "2.0.0" - minimatch "^9.0.5" + minimatch "^10.1.1" "@tybys/wasm-util@^0.9.0": version "0.9.0" @@ -9889,7 +9798,7 @@ debug@3.1.0: dependencies: ms "2.0.0" -debug@4, debug@^4.0.1, debug@^4.1.0, debug@^4.1.1, debug@^4.3.1, debug@^4.3.3, debug@^4.3.4, debug@^4.3.5, debug@^4.3.7, debug@^4.4.0, debug@^4.4.1, debug@~4.4.1: +debug@4, debug@^4.0.1, debug@^4.1.0, debug@^4.1.1, debug@^4.3.1, debug@^4.3.3, debug@^4.3.4, debug@^4.3.5, debug@^4.3.7, debug@^4.4.0, debug@^4.4.1, debug@^4.4.3, debug@~4.4.1: version "4.4.3" resolved "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz" integrity sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA== @@ -13001,6 +12910,13 @@ iconv-lite@^0.7.0: dependencies: safer-buffer ">= 2.1.2 < 3.0.0" +iconv-lite@^0.7.2: + version "0.7.2" + resolved "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz#d0bdeac3f12b4835b7359c2ad89c422a4d1cc72e" + integrity sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw== + dependencies: + safer-buffer ">= 2.1.2 < 3.0.0" + icss-utils@^5.0.0, icss-utils@^5.1.0: version "5.1.0" resolved "https://registry.npmjs.org/icss-utils/-/icss-utils-5.1.0.tgz" @@ -14895,7 +14811,7 @@ make-dir@^3.0.0, make-dir@^3.0.2, make-dir@^3.1.0: dependencies: semver "^6.0.0" -make-fetch-happen@15.0.2, make-fetch-happen@^15.0.0, make-fetch-happen@^15.0.2: +make-fetch-happen@15.0.2, make-fetch-happen@^15.0.0: version "15.0.2" resolved "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-15.0.2.tgz" integrity sha512-sI1NY4lWlXBAfjmCtVWIIpBypbBdhHtcjnwnv+gtCnsaOffyFil3aidszGC8hgzJe+fT1qix05sWxmD/Bmf/oQ== @@ -14934,7 +14850,7 @@ make-fetch-happen@^10.0.3: socks-proxy-agent "^7.0.0" ssri "^9.0.0" -make-fetch-happen@^11.0.0, make-fetch-happen@^11.0.1, make-fetch-happen@^11.1.1: +make-fetch-happen@^11.0.0: version "11.1.1" resolved "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-11.1.1.tgz" integrity sha512-rLWS7GCSTcEujjVBs2YqG7Y4643u8ucvCJeSRqiLYhesrDuzeuFIk37xREzAsfQaqzl8b9rNCE4m6J8tvX4Q8w== @@ -14955,7 +14871,7 @@ make-fetch-happen@^11.0.0, make-fetch-happen@^11.0.1, make-fetch-happen@^11.1.1: socks-proxy-agent "^7.0.0" ssri "^10.0.0" -make-fetch-happen@^14.0.0, make-fetch-happen@^14.0.2, make-fetch-happen@^14.0.3: +make-fetch-happen@^14.0.0, make-fetch-happen@^14.0.3: version "14.0.3" resolved "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-14.0.3.tgz" integrity sha512-QMjGbFTP0blj97EeidG5hk/QhKQ3T4ICckQGLgz38QF7Vgbk6e6FTARN8KhKxyBbWn8R0HU+bnw8aSoFPD4qtQ== @@ -14972,6 +14888,24 @@ make-fetch-happen@^14.0.0, make-fetch-happen@^14.0.2, make-fetch-happen@^14.0.3: promise-retry "^2.0.1" ssri "^12.0.0" +make-fetch-happen@^15.0.1, make-fetch-happen@^15.0.4: + version "15.0.6" + resolved "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-15.0.6.tgz#079dee708c88a04a1f79735bb02789a63597840e" + integrity sha512-Je0fLJ0F5atA7F+eIlLzk+Wkcl57JDf4kf+EW8xiP5E31xOQxkIxTbgf1Oi1Lw9tRI9UEMRdI5Vz2xTzoNU1Jw== + dependencies: + "@gar/promise-retry" "^1.0.0" + "@npmcli/agent" "^4.0.0" + "@npmcli/redact" "^4.0.0" + cacache "^20.0.1" + http-cache-semantics "^4.1.1" + minipass "^7.0.2" + minipass-fetch "^5.0.0" + minipass-flush "^1.0.5" + minipass-pipeline "^1.2.4" + negotiator "^1.0.0" + proc-log "^6.0.0" + ssri "^13.0.0" + map-obj@^1.0.0: version "1.0.1" resolved "https://registry.npmjs.org/map-obj/-/map-obj-1.0.1.tgz" @@ -15260,7 +15194,7 @@ minimatch@^7.2.0, minimatch@^7.4.6: dependencies: brace-expansion "^2.0.1" -minimatch@^9.0.0, minimatch@^9.0.4, minimatch@^9.0.5: +minimatch@^9.0.0, minimatch@^9.0.4: version "9.0.5" resolved "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz" integrity sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow== @@ -15328,6 +15262,17 @@ minipass-fetch@^4.0.0: optionalDependencies: encoding "^0.1.13" +minipass-fetch@^5.0.0: + version "5.0.2" + resolved "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-5.0.2.tgz#3973a605ddfd8abb865e50d6fc634853c8239729" + integrity sha512-2d0q2a8eCi2IRg/IGubCNRJoYbA1+YPXAzQVRFmB45gdGZafyivnZ5YSEfo3JikbjGxOdntGFvBQGqaSMXlAFQ== + dependencies: + minipass "^7.0.3" + minipass-sized "^2.0.0" + minizlib "^3.0.1" + optionalDependencies: + iconv-lite "^0.7.2" + minipass-flush@^1.0.5: version "1.0.5" resolved "https://registry.npmjs.org/minipass-flush/-/minipass-flush-1.0.5.tgz" @@ -15357,6 +15302,13 @@ minipass-sized@^1.0.3: dependencies: minipass "^3.0.0" +minipass-sized@^2.0.0: + version "2.0.0" + resolved "https://registry.npmjs.org/minipass-sized/-/minipass-sized-2.0.0.tgz#2228ee97e3f74f6b22ba6d1319addb7621534306" + integrity sha512-zSsHhto5BcUVM2m1LurnXY6M//cGhVaegT71OfOXoprxT6o780GZd792ea6FfrQkuU4usHZIUczAQMRUE2plzA== + dependencies: + minipass "^7.1.2" + minipass@^3.0.0, minipass@^3.1.1, minipass@^3.1.6: version "3.3.6" resolved "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz" @@ -17421,7 +17373,7 @@ proc-log@^5.0.0: resolved "https://registry.npmjs.org/proc-log/-/proc-log-5.0.0.tgz" integrity sha512-Azwzvl90HaF0aCz1JrDdXQykFakSSNPaPoiZ9fm5qJIMHioDZEi7OAdRwSm6rSoPtY3Qutnm3L7ogmg3dc+wbQ== -proc-log@^6.0.0: +proc-log@^6.0.0, proc-log@^6.1.0: version "6.1.0" resolved "https://registry.npmjs.org/proc-log/-/proc-log-6.1.0.tgz#18519482a37d5198e231133a70144a50f21f0215" integrity sha512-iG+GYldRf2BQ0UDUAd6JQ/RwzaQy6mXmsk/IzlYyal4A4SNFw54MeH4/tLkF4I5WoWG9SQwuqWzS99jaFQHBuQ== @@ -18890,40 +18842,17 @@ signal-exit@^4.0.1, signal-exit@^4.1.0: resolved "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz" integrity sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw== -sigstore@^1.3.0: - version "1.9.0" - resolved "https://registry.npmjs.org/sigstore/-/sigstore-1.9.0.tgz" - integrity sha512-0Zjz0oe37d08VeOtBIuB6cRriqXse2e8w+7yIy2XSXjshRKxbc2KkhXjL229jXSxEm7UbcjS76wcJDGQddVI9A== - dependencies: - "@sigstore/bundle" "^1.1.0" - "@sigstore/protobuf-specs" "^0.2.0" - "@sigstore/sign" "^1.0.0" - "@sigstore/tuf" "^1.0.3" - make-fetch-happen "^11.0.1" - -sigstore@^3.0.0: - version "3.1.0" - resolved "https://registry.npmjs.org/sigstore/-/sigstore-3.1.0.tgz" - integrity sha512-ZpzWAFHIFqyFE56dXqgX/DkDRZdz+rRcjoIk/RQU4IX0wiCv1l8S7ZrXDHcCc+uaf+6o7w3h2l3g6GYG5TKN9Q== - dependencies: - "@sigstore/bundle" "^3.1.0" - "@sigstore/core" "^2.0.0" - "@sigstore/protobuf-specs" "^0.4.0" - "@sigstore/sign" "^3.1.0" - "@sigstore/tuf" "^3.1.0" - "@sigstore/verify" "^2.1.0" - -sigstore@^4.0.0: - version "4.0.0" - resolved "https://registry.npmjs.org/sigstore/-/sigstore-4.0.0.tgz" - integrity sha512-Gw/FgHtrLM9WP8P5lLcSGh9OQcrTruWCELAiS48ik1QbL0cH+dfjomiRTUE9zzz+D1N6rOLkwXUvVmXZAsNE0Q== +sigstore@4.1.1, sigstore@^1.3.0, sigstore@^3.0.0, sigstore@^4.0.0: + version "4.1.1" + resolved "https://registry.npmjs.org/sigstore/-/sigstore-4.1.1.tgz#2959993dbf978c759a5d23d854cbd3729b6dcd97" + integrity sha512-endqECJkfhozrXMK5ngu/UAA0xVcVEFdnHJCElGaExypjW+HK5i6zu3NteLoaX/iFbRUbC3+DjttQs0GARr+5w== dependencies: "@sigstore/bundle" "^4.0.0" - "@sigstore/core" "^3.0.0" + "@sigstore/core" "^3.2.1" "@sigstore/protobuf-specs" "^0.5.0" - "@sigstore/sign" "^4.0.0" - "@sigstore/tuf" "^4.0.0" - "@sigstore/verify" "^3.0.0" + "@sigstore/sign" "^4.1.1" + "@sigstore/tuf" "^4.0.2" + "@sigstore/verify" "^3.1.1" simple-cbor@^0.4.1: version "0.4.1" @@ -19293,6 +19222,13 @@ ssri@^10.0.0: dependencies: minipass "^7.0.3" +ssri@^13.0.0: + version "13.0.1" + resolved "https://registry.npmjs.org/ssri/-/ssri-13.0.1.tgz#2d8946614d33f4d0c84946bb370dce7a9379fd18" + integrity sha512-QUiRf1+u9wPTL/76GTYlKttDEBWV1ga9ZXW8BG6kfdeyyM8LGPix9gROyg9V2+P0xNyF3X2Go526xKFdMZrHSQ== + dependencies: + minipass "^7.0.3" + ssri@^9.0.0: version "9.0.1" resolved "https://registry.npmjs.org/ssri/-/ssri-9.0.1.tgz" @@ -20239,32 +20175,14 @@ tty-browserify@^0.0.1, tty-browserify@~0.0.0: resolved "https://registry.npmjs.org/tty-browserify/-/tty-browserify-0.0.1.tgz" integrity sha512-C3TaO7K81YvjCgQH9Q1S3R3P3BtN3RIM8n+OvX4il1K1zgE8ZhI0op7kClgkxtutIE8hQrcrHBXvIheqKUUCxw== -tuf-js@^1.1.7: - version "1.1.7" - resolved "https://registry.npmjs.org/tuf-js/-/tuf-js-1.1.7.tgz" - integrity sha512-i3P9Kgw3ytjELUfpuKVDNBJvk4u5bXL6gskv572mcevPbSKCV3zt3djhmlEQ65yERjIbOSncy7U4cQJaB1CBCg== - dependencies: - "@tufjs/models" "1.0.4" - debug "^4.3.4" - make-fetch-happen "^11.1.1" - -tuf-js@^3.0.1: - version "3.1.0" - resolved "https://registry.npmjs.org/tuf-js/-/tuf-js-3.1.0.tgz" - integrity sha512-3T3T04WzowbwV2FDiGXBbr81t64g1MUGGJRgT4x5o97N+8ArdhVCAF9IxFrxuSJmM3E5Asn7nKHkao0ibcZXAg== - dependencies: - "@tufjs/models" "3.0.1" - debug "^4.4.1" - make-fetch-happen "^14.0.3" - -tuf-js@^4.0.0: - version "4.0.0" - resolved "https://registry.npmjs.org/tuf-js/-/tuf-js-4.0.0.tgz" - integrity sha512-Lq7ieeGvXDXwpoSmOSgLWVdsGGV9J4a77oDTAPe/Ltrqnnm/ETaRlBAQTH5JatEh8KXuE6sddf9qAv1Q2282Hg== +tuf-js@^4.1.0: + version "4.1.0" + resolved "https://registry.npmjs.org/tuf-js/-/tuf-js-4.1.0.tgz#ae4ef9afa456fcb4af103dc50a43bc031f066603" + integrity sha512-50QV99kCKH5P/Vs4E2Gzp7BopNV+KzTXqWeaxrfu5IQJBOULRsTIS9seSsOVT8ZnGXzCyx55nYWAi4qJzpZKEQ== dependencies: - "@tufjs/models" "4.0.0" - debug "^4.4.1" - make-fetch-happen "^15.0.0" + "@tufjs/models" "4.1.0" + debug "^4.4.3" + make-fetch-happen "^15.0.1" tunnel-agent@^0.6.0: version "0.6.0"