CHANGELOG.md

Changelog

18.0.2 (2024-04-24)

Bug Fixes

• 116b277 #358 don't strip underscore attributes in .manifest() (#358) (@wraithgar)

18.0.1 (2024-04-23)

Bug Fixes

• b547e0d #356 use @npmcli/package-json (#356) (@lukekarrys)

18.0.0 (2024-04-15)

⚠️ BREAKING CHANGES

• The silent option was used to control whether @npmcli/run-script would write a banner via console.log. Now ouput will be emitted via an process.emit('output').

Features

• 0c04569 #352 remove silent option (@lukekarrys)

Dependencies

• cb3abc2 #352 bump @npmcli/run-script from 7.0.4 to 8.0.0 (@dependabot[bot])

Chores

• 7089bb1 #355 postinstall for dependabot template-oss PR (@lukekarrys)
• 4952672 #355 bump @npmcli/template-oss from 4.21.3 to 4.21.4 (@dependabot[bot])

17.0.7 (2024-04-12)

Dependencies

• e07c3e5 #350 proc-log@4.0.0 (#350)

17.0.6 (2024-01-16)

Dependencies

• 0a5920f #343 bump sigstore from 2.0.0 to 2.2.0 (#343) (@bdehamer)

Chores

• 6fd23ad #342 postinstall for dependabot template-oss PR (@lukekarrys)
• c3b398a #342 bump @npmcli/template-oss from 4.21.1 to 4.21.3 (@dependabot[bot])
• 4557919 #337 postinstall for dependabot template-oss PR (@lukekarrys)
• c7e293c #337 bump @npmcli/template-oss from 4.19.0 to 4.21.1 (@dependabot[bot])

17.0.5 (2023-12-01)

Bug Fixes

• 0c96b9e #338 bug to support rotated keys in signature/attestation audit (#338) (@feelepxyz)

17.0.4 (2023-08-30)

Dependencies

• ba8f790 #309 bump @npmcli/promise-spawn from 6.0.2 to 7.0.0
• 2c0d3ae #308 bump @npmcli/run-script from 6.0.2 to 7.0.0

17.0.3 (2023-08-24)

Dependencies

• ace7c28 #305 bump npm-packlist from 7.0.4 to 8.0.0

17.0.2 (2023-08-18)

Dependencies

• c3b892d #303 bump sigstore from 1.3.0 to 2.0.0

17.0.1 (2023-08-15)

Dependencies

• 6ddae13 #302 bump npm-registry-fetch from 15.0.0 to 16.0.0
• 42bf787 #300 bump npm-pick-manifest from 8.0.2 to 9.0.0

17.0.0 (2023-08-15)

⚠️ BREAKING CHANGES

• support for node <=16.13 has been removed

Bug Fixes

• 2db2fb5 #296 drop node 16.13.x support (@lukekarrys)

Dependencies

• e9e964b #299 bump read-package-json from 6.0.4 to 7.0.0
• 5d26500 #298 bump npm-package-arg from 10.1.0 to 11.0.0
• d13bb9c #294 bump @npmcli/git from 4.1.0 to 5.0.0
• 7a25e39 #293 bump cacache from 17.1.4 to 18.0.0

16.0.0 (2023-07-28)

⚠️ BREAKING CHANGES

• the underlying fetch module now uses @npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.
• support for node 14 has been removed

Bug Fixes

• 73b6297 #290 drop node14 support (#290) (@wraithgar)

Dependencies

• 8dc6a32 bump minipass from 5.0.0 to 7.0.2
• 7cebf19 bump npm-registry-fetch from 14.0.5 to 15.0.0

15.2.0 (2023-05-03)

Features

• 3307ad9 #278 configurable TUF cache dir (#278) (@bdehamer)

15.1.3 (2023-04-27)

Dependencies

• c99db13 #271 bump minipass from 4.2.7 to 5.0.0 (#271)

15.1.2 (2023-04-20)

Documentation

• 43363dd #266 update dist details (#266) (@wraithgar)

Dependencies

• d5cb3df #276 sigstore@1.3.0 (#276)
• c231986 #267 sigstore@^1.1.0

15.1.1 (2023-02-21)

Bug Fixes

• 8f4e39c #261 always ignore ownership from tar headers (#261) (@nlf)

15.1.0 (2023-02-13)

Features

• 2916b72 #259 verifyAttestations to registry.manifest (@feelepxyz, @bdehamer)

Dependencies

• f0bd19b add sigstore 1.0.0

15.0.8 (2022-12-14)

Dependencies

• 40aa6fe #253 bump fs-minipass from 2.1.0 to 3.0.0

15.0.7 (2022-12-07)

Dependencies

• a734d61 #250 bump minipass from 3.3.6 to 4.0.0

15.0.6 (2022-11-02)

Dependencies

• dbbda43 #246 @npmcli/run-script@6.0.0

15.0.5 (2022-11-01)

Dependencies

• 63797a8 #244 bump @npmcli/promise-spawn from 5.0.0 to 6.0.1 (#244)

15.0.4 (2022-10-26)

Dependencies

• 854fad1 #239 bump @npmcli/promise-spawn from 4.0.0 to 5.0.0 (#239)

15.0.3 (2022-10-19)

Dependencies

• 2a95ddb #235 bump @npmcli/installed-package-contents (#235)

15.0.2 (2022-10-18)

Bug Fixes

• 95f9cd5 handle new npm-package-arg semantics (@wraithgar)

Dependencies

• 2ed4d22 npm-package-arg@10.0.0

15.0.1 (2022-10-17)

Dependencies

• 74821c2 #229 bump @npmcli/run-script from 4.2.1 to 5.0.0 (#229)
• a9844d0 #226 bump @npmcli/promise-spawn from 3.0.0 to 4.0.0 (#226)
• 1058177 #227 bump read-package-json from 5.0.2 to 6.0.0
• 0f5ef8a #228 bump @npmcli/installed-package-contents from 1.0.7 to 2.0.0
• 7e3b4b5 #220 bump ssri from 9.0.1 to 10.0.0
• 4e7536d #222 bump @npmcli/git from 3.0.2 to 4.0.0
• 3bc7550 #223 bump npm-pick-manifest from 7.0.2 to 8.0.0
• 41fab27 #224 bump proc-log from 2.0.1 to 3.0.0
• 4abf24a #218 bump npm-registry-fetch from 13.3.1 to 14.0.0 (#218)

15.0.0 (2022-10-13)

⚠️ BREAKING CHANGES

• this package no longer attempts to change file ownership automatically

Features

• 43ae022 #216 do not alter file ownership (#216) (@nlf)

Dependencies

• 2ac3980 #213 bump read-package-json-fast from 2.0.3 to 3.0.0

14.0.0 (2022-10-05)

Features

• ee16f1f #207 set as release (@fritzy)

14.0.0-pre.3 (2022-09-28)

⚠️ BREAKING CHANGES

• a @npmcli/arborist constructor must be passed in if no tree is provided and pacote is going to operate on git dependencies.

Features

• d6ef5dc #204 require arborist constructor to be passed in for preparing git dirs (#204) (@lukekarrys)

14.0.0-pre.2 (2022-09-27)

⚠️ BREAKING CHANGES

• pacote now has a peer dependency on @npmcli/arborist.

Features

• d3517fd #202 pacote now optionally takes a tree when preparing directories (@lukekarrys)

14.0.0-pre.1 (2022-09-22)

⚠️ BREAKING CHANGES

• the _cached attribute has been removed from packuments.

Bug Fixes

• 8ca3751 #175 packument: eliminate _cached field (#175) (@jablko)

14.0.0-pre.0 (2022-09-21)

⚠️ BREAKING CHANGES

• npm-packlist@6.0.0
• pacote is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Features

• 72e9be4 #197 postinstall for dependabot template-oss PR (@lukekarrys)

Dependencies

• 1216ec6 #200 npm-packlist@6.0.0

13.6.2 (2022-08-16)

Bug Fixes

• linting (#187) (cf1c5ed)

13.6.1 (2022-06-21)

Dependencies

• bump @npmcli/run-script from 3.0.3 to 4.1.0 (#185) (d0459ec)

13.6.0 (2022-06-01)

Features

• allow reuse of external integrity stream (fdb9e5a)
• replaceRegistryHost can now be a hostname (#177) (a9a4cdd)

Bug Fixes

• error when passing signature without keys (#176) (d69e524)

Documentation

• add some fields to the README (#180) (f356cb2)

13.5.0 (2022-05-25)

Features

• bump npm-packlist for workspace awareness (#178) (316059b)

13.4.1 (2022-05-19)

Bug Fixes

• pass prefix and workspaces to npm-packlist (#173) (6de3a2b)

13.4.0 (2022-05-17)

Features

• add verifySignatures to registry.manifest (#170) (4401c58)

13.3.0 (2022-05-04)

Features

• add _signatures to manifest (3ae73f2)

13.2.0 (2022-05-02)

Features

• add always option to replaceRegistryHost (#164) (edd1ee5)

13.1.1 (2022-04-06)

Dependencies

• bump npm-packlist from 4.0.0 to 5.0.0 (#159) (d7f07d6)

13.1.0 (2022-04-05)

Features

• add option to not replace magic registry host (#143) (f519cf4)

13.0.6 (2022-04-05)

Bug Fixes

• replace deprecated String.prototype.substr() (e307e17)

Dependencies

• bump @npmcli/promise-spawn from 1.3.2 to 3.0.0 (#154) (9a0ec63)
• bump ssri from 8.0.1 to 9.0.0 (#157) (0993b18)

13.0.5 (2022-03-15)

Dependencies

• bump read-package-json from 4.1.2 to 5.0.0 (#138) (f28c891)

13.0.4 (2022-03-14)

Dependencies

• bump cacache from 15.3.0 to 16.0.0 (#136) (ed3a069)
• bump npm-packlist from 3.0.0 to 4.0.0 (#132) (1634e9d)
• update @npmcli/run-script requirement from ^3.0.0 to ^3.0.1 (#130) (7c84792)
• update npm-registry-fetch requirement from ^13.0.0 to ^13.0.1 (#129) (d639ed6)
• update read-package-json requirement from ^4.1.1 to ^4.1.2 (#134) (31093a1)

13.0.3 (2022-02-23)

Bug Fixes

• ignore integrity values for git dependencies (#123) (3417714)

Dependencies

• bump @npmcli/run-script from 2.0.0 to 3.0.0 (#124) (6026b73)

13.0.2 (2022-02-16)

Bug Fixes

• run prepack lifecycle scripts on git fetcher (#121) (82d8afc)

Dependencies

• bump @npmcli/git from 2.1.0 to 3.0.0 (#120) (56d0c62)

13.0.1 (2022-02-16)

Bug Fixes

• reify git dependencies that have workspaces (#103) (08348fa)

Dependencies

• bump npm-registry-fetch from 12.0.2 to 13.0.0 (#118) (25eeb97)

13.0.0 (2022-02-14)

⚠ BREAKING CHANGES

• It replaces the only use of npmlog.level with a boolean silent which is now used to to suppress @npmcli/run-script banners instead.

Features

• add fullReadJson option (#101) (2ddf67f)
• use proc-log and drop support for log property (#104) (26e01b0)

Dependencies

• bump npm-package-arg from 8.1.5 to 9.0.0 (#113) (5b3b82d)
• bump npm-pick-manifest from 6.1.1 to 7.0.0 (3940b46)
• update @npmcli/installed-package-contents requirement (0413eff)
• update cacache requirement from ^15.0.5 to ^15.3.0 (#112) (0321cf0)
• update minipass requirement from ^3.1.3 to ^3.1.6 (#115) (9548c8c)
• update mkdirp requirement from ^1.0.3 to ^1.0.4 (c204aa2)
• update npm-registry-fetch requirement from ^12.0.0 to ^12.0.2 (97e7ab5)
• update read-package-json-fast requirement from ^2.0.1 to ^2.0.3 (be32161)
• update tar requirement from ^6.1.0 to ^6.1.11 (#107) (650e188)