Skip to content

chore(deps): bump sigstore and lerna#7881

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-3403eada2d
Open

chore(deps): bump sigstore and lerna#7881
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-3403eada2d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps sigstore to 4.1.1 and updates ancestor dependency lerna. These dependencies need to be updated together.

Updates sigstore from 2.3.1 to 4.1.1

Release notes

Sourced from sigstore's releases.

sigstore@4.1.1

Patch Changes

  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
  • Updated dependencies [b5aa4f1]
  • Updated dependencies [7845532]
  • Updated dependencies [f074710]
    • @​sigstore/core@​3.2.1
    • @​sigstore/verify@​3.1.1

sigstore@4.1.0

Minor Changes

  • eba6a52: verify(bundle[, payload][, options]) now returns a Signer object containing the public key and identity information from the verification.

Patch Changes

  • Updated dependencies [cee51c0]
  • Updated dependencies [2042aad]
  • Updated dependencies [018974e]
  • Updated dependencies [dea916f]
  • Updated dependencies [61a4f9e]
  • Updated dependencies [5ffadc0]
  • Updated dependencies [5ffadc0]
  • Updated dependencies [1663b3e]
    • @​sigstore/tuf@​4.0.1
    • @​sigstore/verify@​3.1.0
    • @​sigstore/sign@​4.1.0
    • @​sigstore/core@​3.1.0

sigstore@4.0.0

Major Changes

  • 383e200: Drop support for node 18

Patch Changes

  • Updated dependencies [40395f5]
  • Updated dependencies [383e200]
  • Updated dependencies [383e200]
  • Updated dependencies [383e200]
    • @​sigstore/tuf@​4.0.0
    • @​sigstore/sign@​4.0.0
    • @​sigstore/bundle@​4.0.0
    • @​sigstore/verify@​3.0.0
    • @​sigstore/core@​3.0.0

sigstore@3.1.0

Minor Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for sigstore since your current version.


Updates lerna from 8.2.4 to 9.0.7

Release notes

Sourced from lerna's releases.

v9.0.7

9.0.7 (2026-03-13)

Bug Fixes

  • core: normalize ./ prefix in workspace globs for package detection (#4308) (bd39779)
  • core: remove multimatch dependency and legacy-core internals (#4314) (ec01462)
  • version: skip config resolution in prettier getFileInfo check (#4306) (ae53efe)
  • version: support ESM and new v8+ conventional-changelog preset API (#4302) (575b248)

v9.0.6

9.0.6 (2026-03-11)

Bug Fixes

v9.0.5

9.0.5 (2026-02-28)

Bug Fixes

v9.0.4

9.0.4 (2026-02-10)

Bug Fixes

  • bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267) (43e3d46)

v9.0.3

9.0.3 (2025-11-27)

Bumped some dependencies to reduce audit warning noise.

NOTE: 9.0.2 does not exist because of a failed release

v9.0.1

9.0.1 (2025-11-14)

Bug Fixes

  • expand version range to include nx v22.x (#4242) (0cca286)

... (truncated)

Changelog

Sourced from lerna's changelog.

9.0.7 (2026-03-13)

Bug Fixes

  • core: remove multimatch dependency and legacy-core internals (#4314) (ec01462)

9.0.6 (2026-03-11)

Bug Fixes

9.0.5 (2026-02-28)

Bug Fixes

9.0.4 (2026-02-10)

Bug Fixes

  • bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267) (43e3d46)

9.0.3 (2025-11-27)

Note: Version bump only for package lerna

9.0.2 (2025-11-27)

Note: Version bump only for package lerna

9.0.1 (2025-11-14)

Bug Fixes

  • expand version range to include nx v22.x (#4242) (0cca286)

9.0.0 (2025-09-23)

Bug Fixes

  • publish: ensure README file names are populated on package.json (#4211) (362875d)

Features

  • support OIDC trusted publishing (d51e344)

... (truncated)

Commits
  • 4322536 chore(misc): publish 9.0.7
  • ec01462 fix(core): remove multimatch dependency and legacy-core internals (#4314)
  • 538bf1a chore(deps): replace write-pkg with internal writePackage utility (#4313)
  • ebf6729 chore(deps): remove set-blocking, is-stream, get-port (#4311)
  • 76ad78b chore(deps): replace uuid, pify, temp-dir with native Node.js APIs (#4310)
  • 5ad1cf8 chore(deps): replace make-dir, rimraf, resolve-from with native Node.js APIs ...
  • bb30d88 chore(misc): publish 9.0.6
  • c15070b refactor(create): consolidate @​lerna/create into the main lerna package (#4300)
  • 7a69a57 fix(deps): bump tar from 7.5.8 to 7.5.11 (#4296)
  • b768187 fix(deps): add missing ci-info dependency (#4263)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 13, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 13, 2026 16:02
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 13, 2026
Bumps [sigstore](https://github.com/sigstore/sigstore-js) to 4.1.1 and updates ancestor dependency [lerna](https://github.com/lerna/lerna/tree/HEAD/packages/lerna). These dependencies need to be updated together.


Updates `sigstore` from 2.3.1 to 4.1.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@2.3.1...sigstore@4.1.1)

Updates `lerna` from 8.2.4 to 9.0.7
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/packages/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/v9.0.7/packages/lerna)

---
updated-dependencies:
- dependency-name: lerna
  dependency-version: 9.0.7
  dependency-type: direct:production
- dependency-name: sigstore
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-3403eada2d branch from 4c616f0 to 2e85ae3 Compare July 13, 2026 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants