Skip to content

Bump the npm-dependencies-security group across 1 directory with 4 updates#3869

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-dependencies-security-1805d121b2
Open

Bump the npm-dependencies-security group across 1 directory with 4 updates#3869
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-dependencies-security-1805d121b2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-dependencies-security group with 4 updates in the / directory: @sigstore/core, @sigstore/verify, shell-quote and sigstore.

Updates @sigstore/core from 3.2.0 to 3.2.1

Release notes

Sourced from @​sigstore/core's releases.

@​sigstore/core@​3.2.1

Patch Changes

  • b5aa4f1: Apply UTF-8 encoding to payload type during PAE calculation
Commits

Updates @sigstore/verify from 3.1.0 to 3.1.1

Release notes

Sourced from @​sigstore/verify's releases.

@​sigstore/verify@​3.1.1

Patch Changes

  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
  • Updated dependencies [b5aa4f1]
    • @​sigstore/core@​3.2.1
Commits

Updates shell-quote from 1.8.1 to 1.9.0

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

v1.8.2 - 2024-11-27

Fixed

Commits

  • [meta] fix changelog tags 0fb9fd8
  • [actions] split out node 10-20, and 20+ 819bd84
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
  • [actions] update npm for windows tests fdeb0fd
  • [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
  • [actions] prevent node 14 on ARM mac from failing 9eecafc
  • [meta] exclude more files from the package 4044e7f
  • [Tests] replace aud with npm audit 8cfdbd8
  • [meta] add missing engines.node 843820e
  • [Dev Deps] add missing peer dep 4c3b88d
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed
Commits
  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view

Updates sigstore from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore's releases.

sigstore@4.1.1

Patch Changes

  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
  • Updated dependencies [b5aa4f1]
  • Updated dependencies [7845532]
  • Updated dependencies [f074710]
    • @​sigstore/core@​3.2.1
    • @​sigstore/verify@​3.1.1
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the npm-dependencies-security group with 4 updates in the / directory: [@sigstore/core](https://github.com/sigstore/sigstore-js), [@sigstore/verify](https://github.com/sigstore/sigstore-js), [shell-quote](https://github.com/ljharb/shell-quote) and [sigstore](https://github.com/sigstore/sigstore-js).


Updates `@sigstore/core` from 3.2.0 to 3.2.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/@sigstore/core@3.2.0...@sigstore/core@3.2.1)

Updates `@sigstore/verify` from 3.1.0 to 3.1.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@3.1.0...@sigstore/verify@3.1.1)

Updates `shell-quote` from 1.8.1 to 1.9.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.1...v1.9.0)

Updates `sigstore` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@4.1.0...sigstore@4.1.1)

---
updated-dependencies:
- dependency-name: "@sigstore/core"
  dependency-version: 3.2.1
  dependency-type: indirect
  dependency-group: npm-dependencies-security
- dependency-name: "@sigstore/verify"
  dependency-version: 3.1.1
  dependency-type: indirect
  dependency-group: npm-dependencies-security
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: indirect
  dependency-group: npm-dependencies-security
- dependency-name: sigstore
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm-dependencies-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 3, 2026
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 3, 2026
@dependabot dependabot Bot requested a review from KoolADE85 as a code owner July 3, 2026 16:36
@dependabot dependabot Bot added the javascript Pull requests that update javascript code label Jul 3, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 3, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants