Skip to content

chore(deps): upgrade sigstore to v4#7208

Open
mhassan1 wants to merge 1 commit into
yarnpkg:masterfrom
mhassan1:bump-sigstore
Open

chore(deps): upgrade sigstore to v4#7208
mhassan1 wants to merge 1 commit into
yarnpkg:masterfrom
mhassan1:bump-sigstore

Conversation

@mhassan1

@mhassan1 mhassan1 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

What's the problem this PR addresses?

This PR bumps vulnerable dependency sigstore from v3 to v4, which resolves GHSA-52v5-jr5w-gjxr, GHSA-jfc7-64v2-mr8c, and GHSA-xgjw-pm74-86q4.

Changelog: https://github.com/sigstore/sigstore-js/blob/main/packages/client/CHANGELOG.md#400

How did you fix it?

I bumped sigstore in package.json.

Checklist

  • I have read the Contributing Guide.

  • I have set the packages that need to be released for my changes to be effective.

  • I will check that all automated PR checks pass before the PR gets reviewed.

"micromatch": "^4.0.2",
"semver": "^7.1.2",
"sigstore": "^3.1.0",
"sigstore": "^4.1.1",

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sigstore@4 drops support for node 18; is that going to be a problem?

@mhassan1

mhassan1 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@arcanis Please take a look, when you have a chance. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant