[DEPENDENCY] Bump @sigstore/core and pacote

[dependabot]

Bumps @sigstore/core to 4.0.1 and updates ancestor dependency pacote. These dependencies need to be updated together.

Updates @sigstore/core from 2.0.0 to 4.0.1

Release notes

Sourced from @​sigstore/core's releases.

@​sigstore/core@​4.0.1

Patch Changes

• 04ea25a: ASN.1 parser hardening

@​sigstore/core@​4.0.0

Major Changes

• 46c00b3: Drop support for Node 20

@​sigstore/core@​3.2.1

Patch Changes

• b5aa4f1: Apply UTF-8 encoding to payload type during PAE calculation

@​sigstore/core@​3.2.0

Minor Changes

• 8f736ef: Update the createPublicKey function to support base64-encoded keys

@​sigstore/core@​3.0.0

Major Changes

• 383e200: Drop support for node 18

Commits

• d406ea6 Version Packages (#1676)
• 4245d6f Bump the prod-deps group across 1 directory with 11 updates (#1691)
• 85c5838 Merge commit from fork
• a063789 Bump actions/checkout from 6.0.3 to 7.0.0 (#1686)
• 46a180c Bump the dev-deps group with 3 updates (#1688)
• 6e64be8 Bump form-data from 4.0.4 to 4.0.6 (#1684)
• 87ad7f1 Bump the prod-deps group across 1 directory with 12 updates (#1685)
• bdaedac Bump the dev-deps group across 1 directory with 5 updates (#1683)
• 98fac89 Bump the minor-patch group across 1 directory with 2 updates (#1681)
• 754e2a3 Support DSSE bundles with Rekor v2 hashedrekord entries (#1677)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​sigstore/core since your current version.

Updates pacote from 19.0.2 to 22.0.0

Release notes

Sourced from pacote's releases.

v22.0.0

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

• pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

• 09316f5 #504 bump to new node engine range (@​owlstronaut)
• 2ab74b0 #497 strip patchedDependencies from the packed package.json (#497) (@​manzoorwanijk)
• 66e7ea7 #487 forward globalIgnoreFile option to npm-packlist (@​ljharb)

Bug Fixes

• ce804fb #498 avoid ReDoS in addGitSha committish stripping (#498) (@​owlstronaut)
• 1f5f131 #494 pass --global=false when preparing git dependencies (@​owlstronaut)
• e0af7f6 #486 respect ignoreScripts option for git dependencies (@​owlstronaut)
• 12c8c8f #481 fall back to git clone when tarball response is not a valid archive (@​babyhuey)
• 61f065a #481 use statusCode instead of constructor name for tarball fallback in git fetcher (@​j1mb0-1)
• 6d160c1 #434 do not switch to git+ssh for https repository links (#434) (@​oldium)

Dependencies

• 371e8b0 #504 ssri@14.0.0
• b68c6c2 #504 sigstore@5.0.0
• 57793ab #504 proc-log@7.0.0
• 33eacc9 #504 npm-registry-fetch@20.0.1
• a131916 #504 npm-pick-manifest@12.0.0
• 2b03527 #504 npm-packlist@11.2.0
• 5f8ad42 #504 npm-package-arg@14.0.0
• ee3b96d #504 cacache@21.0.1
• 033f655 #504 @npmcli/run-script@11.0.0
• ddcc738 #504 @npmcli/promise-spawn@10.0.0
• 6a28eb2 #504 @npmcli/package-json@8.0.0
• 5879416 #504 @npmcli/installed-package-contents@5.0.0
• 41ea727 #504 @npmcli/git@8.0.0

Chores

• 3fc5fd4 #504 @npmcli/eslint-config@7.0.0 (@​owlstronaut)
• 7350ab8 #504 hosted-git-info@10.1.1 (@​owlstronaut)
• c7c7d7f #504 template-oss-apply (@​owlstronaut)
• e9ac85e #501 template-oss-apply (@​owlstronaut)
• e184356 #501 template-oss@5.1.0 (@​owlstronaut)
• 644ebb6 #479 template-oss-apply (@​owlstronaut)
• ee64bea #479 @npmcli/template-oss@4.30.0 (@​owlstronaut)

v21.5.1

21.5.1 (2026-06-09)

Bug Fixes

• 627a7dc #499 avoid ReDoS in addGitSha committish stripping (@​owlstronaut)

Chores

• 790a24b #500 template-oss-apply (#500) (@​owlstronaut, test)
• 09cb304 #499 template-oss-apply (@​owlstronaut)
• bea9f84 #499 @npmcli/template-oss@5.1.0 (@​owlstronaut)

v21.5.0

21.5.0 (2026-03-09)

... (truncated)

Changelog

Sourced from pacote's changelog.

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

• pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

• 09316f5 #504 bump to new node engine range (@​owlstronaut)
• 2ab74b0 #497 strip patchedDependencies from the packed package.json (#497) (@​manzoorwanijk)
• 66e7ea7 #487 forward globalIgnoreFile option to npm-packlist (@​ljharb)

Bug Fixes

• ce804fb #498 avoid ReDoS in addGitSha committish stripping (#498) (@​owlstronaut)
• 1f5f131 #494 pass --global=false when preparing git dependencies (@​owlstronaut)
• e0af7f6 #486 respect ignoreScripts option for git dependencies (@​owlstronaut)
• 12c8c8f #481 fall back to git clone when tarball response is not a valid archive (@​babyhuey)
• 61f065a #481 use statusCode instead of constructor name for tarball fallback in git fetcher (@​j1mb0-1)
• 6d160c1 #434 do not switch to git+ssh for https repository links (#434) (@​oldium)

Dependencies

• 371e8b0 #504 ssri@14.0.0
• b68c6c2 #504 sigstore@5.0.0
• 57793ab #504 proc-log@7.0.0
• 33eacc9 #504 npm-registry-fetch@20.0.1
• a131916 #504 npm-pick-manifest@12.0.0
• 2b03527 #504 npm-packlist@11.2.0
• 5f8ad42 #504 npm-package-arg@14.0.0
• ee3b96d #504 cacache@21.0.1
• 033f655 #504 @npmcli/run-script@11.0.0
• ddcc738 #504 @npmcli/promise-spawn@10.0.0
• 6a28eb2 #504 @npmcli/package-json@8.0.0
• 5879416 #504 @npmcli/installed-package-contents@5.0.0
• 41ea727 #504 @npmcli/git@8.0.0

Chores

• 3fc5fd4 #504 @npmcli/eslint-config@7.0.0 (@​owlstronaut)
• 7350ab8 #504 hosted-git-info@10.1.1 (@​owlstronaut)
• c7c7d7f #504 template-oss-apply (@​owlstronaut)
• e9ac85e #501 template-oss-apply (@​owlstronaut)
• e184356 #501 template-oss@5.1.0 (@​owlstronaut)
• 644ebb6 #479 template-oss-apply (@​owlstronaut)
• ee64bea #479 @npmcli/template-oss@4.30.0 (@​owlstronaut)

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@​mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@​wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@​wraithgar)
• b741e8b #468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@​dependabot[bot], @​npm-cli-bot)

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@​wraithgar)

Bug Fixes

... (truncated)

Commits

• e4e44c5 chore: release 22.0.0 (#480)
• 3fc5fd4 chore: @​npmcli/eslint-config@​7.0.0
• 371e8b0 deps: ssri@14.0.0
• b68c6c2 deps: sigstore@5.0.0
• 57793ab deps: proc-log@7.0.0
• 33eacc9 deps: npm-registry-fetch@20.0.1
• a131916 deps: npm-pick-manifest@12.0.0
• 2b03527 deps: npm-packlist@11.2.0
• 5f8ad42 deps: npm-package-arg@14.0.0
• 7350ab8 chore: hosted-git-info@10.1.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.