fix(deps): update dependency pacote to v22

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
pacote	^12.0.0 → ^22.0.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

npm/pacote (pacote)

v22.0.0

Compare Source

⚠️ BREAKING CHANGES

• pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

• 09316f5 #​504 bump to new node engine range (@​owlstronaut)
• 2ab74b0 #​497 strip patchedDependencies from the packed package.json (#​497) (@​manzoorwanijk)
• 66e7ea7 #​487 forward globalIgnoreFile option to npm-packlist (@​ljharb)

Bug Fixes

• ce804fb #​498 avoid ReDoS in addGitSha committish stripping (#​498) (@​owlstronaut)
• 1f5f131 #​494 pass --global=false when preparing git dependencies (@​owlstronaut)
• e0af7f6 #​486 respect ignoreScripts option for git dependencies (@​owlstronaut)
• 12c8c8f #​481 fall back to git clone when tarball response is not a valid archive (@​babyhuey)
• 61f065a #​481 use statusCode instead of constructor name for tarball fallback in git fetcher (@​j1mb0-1)
• 6d160c1 #​434 do not switch to git+ssh for https repository links (#​434) (@​oldium)

Dependencies

• 371e8b0 #​504 ssri@14.0.0
• b68c6c2 #​504 sigstore@5.0.0
• 57793ab #​504 proc-log@7.0.0
• 33eacc9 #​504 npm-registry-fetch@20.0.1
• a131916 #​504 npm-pick-manifest@12.0.0
• 2b03527 #​504 npm-packlist@11.2.0
• 5f8ad42 #​504 npm-package-arg@14.0.0
• ee3b96d #​504 cacache@21.0.1
• 033f655 #​504 @npmcli/run-script@11.0.0
• ddcc738 #​504 @npmcli/promise-spawn@10.0.0
• 6a28eb2 #​504 @npmcli/package-json@8.0.0
• 5879416 #​504 @npmcli/installed-package-contents@5.0.0
• 41ea727 #​504 @npmcli/git@8.0.0

Chores

• 3fc5fd4 #​504 @npmcli/eslint-config@7.0.0 (@​owlstronaut)
• 7350ab8 #​504 hosted-git-info@10.1.1 (@​owlstronaut)
• c7c7d7f #​504 template-oss-apply (@​owlstronaut)
• e9ac85e #​501 template-oss-apply (@​owlstronaut)
• e184356 #​501 template-oss@5.1.0 (@​owlstronaut)
• 644ebb6 #​479 template-oss-apply (@​owlstronaut)
• ee64bea #​479 @npmcli/template-oss@4.30.0 (@​owlstronaut)

v21.5.1

Compare Source

Bug Fixes

• 627a7dc #​499 avoid ReDoS in addGitSha committish stripping (@​owlstronaut)

Chores

• 790a24b #​500 template-oss-apply (#​500) (@​owlstronaut, test)
• 09cb304 #​499 template-oss-apply (@​owlstronaut)
• bea9f84 #​499 @npmcli/template-oss@5.1.0 (@​owlstronaut)

v21.5.0

Compare Source

Features

• d912f17 #​457 expose fetched attestation bundles on manifest (#​457) (@​mitchdenny)

Chores

• 586a55d #​471 template-oss-apply for new macos images (#​471) (@​wraithgar)
• d1cc5c8 #​460 template-oss-apply for release branches (#​460) (@​wraithgar)
• b741e8b #​468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#​468) (@​dependabot[bot], @​npm-cli-bot)

v21.4.0

Compare Source

Features

• 6912f24 #​451 add allowRegistry option (#​451) (@​wraithgar)

Bug Fixes

• ab37bc1 #​452 prevent path duplication in attestation URL for registries with … (#​452) (@​ajayk)
• ab37bc1 #​452 prevent path duplication in attestation URL for registries with (@​ajayk)
• 8b8ea3b #​454 skip registry key check for keyless (Sigstore/Fulcio) attestations (#​454) (@​ajayk)
• 8b8ea3b #​454 skip registry key check for keyless (Sigstore/Fulcio) attestations (@​ajayk)

Chores

• 0dfd1cd #​456 remove git config from tests (#​456) (@​wraithgar)

v21.3.1

Compare Source

Bug Fixes

• 96e571a #​439 ensure that resolved git ref matches expected sha (#​439) (@​klassiker, pacotedev)

Chores

• 91847c4 #​447 fix test for ssri ignoring invalid hashes (#​447) (@​wraithgar)

v21.3.0

Compare Source

Features

• 8f5091d #​445 add support for git-256 sha lengths (#​445) (@​wraithgar)

v21.2.0

Compare Source

Features

• db21624 #​442 implement gitSubdir according to npa spec (#​442) (@​Kakadus)
• c2a4217 #​443 add allowRemote, allowFile, allowDirectory (#​443) (@​wraithgar)

v21.1.0

Compare Source

Features

• 258e5fd #​440 add allowGit option (#​440) (@​wraithgar)

v21.0.4

Compare Source

Dependencies

• edbcc02 #​436 proc-log@6.0.0
• 8dc1f22 #​436 @npmcli/installed-package-contents@4.0.0
• 505c3b0 #​436 ssri@13.0.0
• a23fb17 #​436 @npmcli/promise-spawn@9.0.0

Chores

• ff261aa #​436 @npmcli/eslint-config@6.0.0 (@​wraithgar)
• 2bba862 #​436 @npmcli/template-oss@4.28.0 (@​wraithgar)

v21.0.3

Compare Source

Dependencies

• eed1bd5 #​431 @npmcli/git@7.0.0 (#​431)

v21.0.2

Compare Source

Dependencies

• 32cb6d1 #​429 npm-pick-manifest@11.0.1 (#​429)

v21.0.1

Compare Source

Dependencies

• aae7798 #​428 @npmcli/run-script@10.0.0
• 1b233e3 #​428 @npmcli/package-json@7.0.0
• d4b97ec #​428 sigstore@4.0.0
• cf27487 #​428 npm-registry-fetch@19.0.0
• 3e89235 #​428 npm-packlist@10.0.1
• d46fc27 #​428 npm-package-arg@13.0.0
• 2a6a9f0 #​428 hosted-git-info@9.0.0
• bbb72cf #​428 cacache@20.0.0
• 8a642c0 #​426 tar@7.4.3 (#​426)

Chores

• f81d8ed #​417 bump @​npmcli/arborist from 8.0.0 to 9.0.0 (#​417) (@​dependabot[bot])
• 0310b7b #​422 tests should not inherit --ignore-scripts flag from `npm run t… (#​422) (@​owlstronaut)

v21.0.0

Compare Source

⚠️ BREAKING CHANGES

• bun.lockb files are now included in the strict ignore list during packing
• this module is now compatible with the following node versions: ^20.17.0 || >=22.9.0

Bug Fixes

• 844dc08 update node engines to ^20.17.0 || >=22.9.0 (#​414) (@​wraithgar)

Dependencies

• 2cb6fa7 #​415 npm-packlist@10.0.0 (#​415)
• 47b928c #​412 replace node builtin rmSync with rimraf (#​412) (@​mbtools)

Chores

• b6f35a2 #​402 bump @​npmcli/arborist from 7.5.4 to 8.0.0 (#​402) (@​dependabot[bot])
• 1ef54ba #​408 support tests on win32 (#​408) (@​mbtools)
• 555b000 #​401 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#​401) (@​dependabot[bot], @​npm-cli-bot)

v20.0.1

Compare Source

⚠️ BREAKING CHANGES

• pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

• 09316f5 #​504 bump to new node engine range (@​owlstronaut)
• 2ab74b0 #​497 strip patchedDependencies from the packed package.json (#​497) (@​manzoorwanijk)
• 66e7ea7 #​487 forward globalIgnoreFile option to npm-packlist (@​ljharb)

Bug Fixes

• ce804fb #​498 avoid ReDoS in addGitSha committish stripping (#​498) (@​owlstronaut)
• 1f5f131 #​494 pass --global=false when preparing git dependencies (@​owlstronaut)
• e0af7f6 #​486 respect ignoreScripts option for git dependencies (@​owlstronaut)
• 12c8c8f #​481 fall back to git clone when tarball response is not a valid archive (@​babyhuey)
• 61f065a #​481 use statusCode instead of constructor name for tarball fallback in git fetcher (@​j1mb0-1)
• 6d160c1 #​434 do not switch to git+ssh for https repository links (#​434) (@​oldium)

Dependencies

• 371e8b0 #​504 ssri@14.0.0
• b68c6c2 #​504 sigstore@5.0.0
• 57793ab #​504 proc-log@7.0.0
• 33eacc9 #​504 npm-registry-fetch@20.0.1
• a131916 #​504 npm-pick-manifest@12.0.0
• 2b03527 #​504 npm-packlist@11.2.0
• 5f8ad42 #​504 npm-package-arg@14.0.0
• ee3b96d #​504 cacache@21.0.1
• 033f655 #​504 @npmcli/run-script@11.0.0
• ddcc738 #​504 @npmcli/promise-spawn@10.0.0
• 6a28eb2 #​504 @npmcli/package-json@8.0.0
• 5879416 #​504 @npmcli/installed-package-contents@5.0.0
• 41ea727 #​504 @npmcli/git@8.0.0

Chores

• 3fc5fd4 #​504 @npmcli/eslint-config@7.0.0 (@​owlstronaut)
• 7350ab8 #​504 hosted-git-info@10.1.1 (@​owlstronaut)
• c7c7d7f #​504 template-oss-apply (@​owlstronaut)
• e9ac85e #​501 template-oss-apply (@​owlstronaut)
• e184356 #​501 template-oss@5.1.0 (@​owlstronaut)
• 644ebb6 #​479 template-oss-apply (@​owlstronaut)
• ee64bea #​479 @npmcli/template-oss@4.30.0 (@​owlstronaut)

v20.0.0

Compare Source

Dependencies

• aae7798 #​428 @npmcli/run-script@10.0.0
• 1b233e3 #​428 @npmcli/package-json@7.0.0
• d4b97ec #​428 sigstore@4.0.0
• cf27487 #​428 npm-registry-fetch@19.0.0
• 3e89235 #​428 npm-packlist@10.0.1
• d46fc27 #​428 npm-package-arg@13.0.0
• 2a6a9f0 #​428 hosted-git-info@9.0.0
• bbb72cf #​428 cacache@20.0.0
• 8a642c0 #​426 tar@7.4.3 (#​426)

Chores

• f81d8ed #​417 bump @​npmcli/arborist from 8.0.0 to 9.0.0 (#​417) (@​dependabot[bot])
• 0310b7b #​422 tests should not inherit --ignore-scripts flag from `npm run t… (#​422) (@​owlstronaut)

v19.0.2

Compare Source

Dependencies

• bf6e354 #​459 tar@7.5.10

Chores

• b7f2691 #​465 enable backport mode for v19 (#​465) (@​wraithgar)
• ed1aef0 #​459 tests should not inherit --ignore-scripts flag from `npm run t… (#​422) (@​owlstronaut)
• 415e369 #​459 @npmcli/template-oss@4.29.0 (@​wraithgar)

v19.0.1

Compare Source

Bug Fixes

• cbf94e8 #​389 prepare script respects scriptshell config (#​389) (@​milaninfy)
• 2b2948f #​403 log tarball retrieval from cache (#​403) (@​mbtools, @​wraithgar)

Dependencies

• a9fc4d1 #​405 bump sigstore from 2.2.0 to 3.0.0 (#​405) (@​bdehamer)

v19.0.0

Compare Source

Dependencies

• aae7798 #​428 @npmcli/run-script@10.0.0
• 1b233e3 #​428 @npmcli/package-json@7.0.0
• d4b97ec #​428 sigstore@4.0.0
• cf27487 #​428 npm-registry-fetch@19.0.0
• 3e89235 #​428 npm-packlist@10.0.1
• d46fc27 #​428 npm-package-arg@13.0.0
• 2a6a9f0 #​428 hosted-git-info@9.0.0
• bbb72cf #​428 cacache@20.0.0
• 8a642c0 #​426 tar@7.4.3 (#​426)

Chores

• f81d8ed #​417 bump @​npmcli/arborist from 8.0.0 to 9.0.0 (#​417) (@​dependabot[bot])
• 0310b7b #​422 tests should not inherit --ignore-scripts flag from `npm run t… (#​422) (@​owlstronaut)

v18.0.6

Compare Source

Bug Fixes

• 79441a5 #​371 clean up requires (#​371) (@​wraithgar)
• b19aacb #​369 isolate full and corgi packuments in packumentCache (#​369) (@​wraithgar)

v18.0.5

Compare Source

Bug Fixes

• 5e75582 #​368 dont set _contentLength if not in headers (#​368) (@​lukekarrys)
• 1b6950b #​365 move bin to its own directory (@​lukekarrys)
• 1b6950b #​365 refactor: symbol cleanup (#​365) (@​lukekarrys)

v18.0.4

Compare Source

⚠️ BREAKING CHANGES

• pacote now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 03b31ca #​392 align to npm 10 node engine range (@​reggi)

Dependencies

• f055f71 #​395 bump npm-pick-manifest from 9.1.0 to 10.0.0 (#​395) (@​dependabot[bot])
• 932b9ab #​396 bump @​npmcli/package-json from 5.2.1 to 6.0.0 (#​396) (@​dependabot[bot])
• a1621f9 #​397 bump npm-registry-fetch from 17.1.0 to 18.0.0 (#​397) (@​dependabot[bot])
• c776199 #​398 bump cacache from 18.0.4 to 19.0.0 (#​398) (@​dependabot[bot])
• 6d59022 #​399 bump @​npmcli/git from 5.0.8 to 6.0.0 (#​399)
• 21ea2d4 #​400 bump @​npmcli/run-script from 8.1.0 to 9.0.0 (#​400)
• eddbc01 #​392 ssri@12.0.0
• 6c672e9 #​392 proc-log@5.0.0
• 03ba2a2 #​392 npm-packlist@9.0.0
• 2710286 #​392 npm-package-arg@12.0.0
• aa0bd4a #​392 @npmcli/promise-spawn@8.0.0
• df23343 #​392 @npmcli/installed-package-contents@3.0.0

Chores

• e4ed5cd #​392 bump hosted-git-info ^7.0.0 to ^8.0.0 (@​reggi)
• 2871f56 #​392 run template-oss-apply (@​reggi)
• 39643f1 #​382 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 7e33c82 #​383 postinstall for dependabot template-oss PR (@​hashtagchris)
• e4e07bf #​383 bump @​npmcli/template-oss from 4.23.1 to 4.23.3 (@​dependabot[bot])

v18.0.3

Compare Source

Dependencies

• 5ecce7a #​360 npm-registry-fetch@17.0.0 (#​360)

v18.0.2

Compare Source

Bug Fixes

• 116b277 #​358 don't strip underscore attributes in .manifest() (#​358) (@​wraithgar)

v18.0.1

Compare Source

Bug Fixes

• b547e0d #​356 use @​npmcli/package-json (#​356) (@​lukekarrys)

v18.0.0

Compare Source

⚠️ BREAKING CHANGES

• pacote now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 03b31ca #​392 align to npm 10 node engine range (@​reggi)

Dependencies

• f055f71 #​395 bump npm-pick-manifest from 9.1.0 to 10.0.0 (#​395) (@​dependabot[bot])
• 932b9ab #​396 bump @​npmcli/package-json from 5.2.1 to 6.0.0 (#​396) (@​dependabot[bot])
• a1621f9 #​397 bump npm-registry-fetch from 17.1.0 to 18.0.0 (#​397) (@​dependabot[bot])
• c776199 #​398 bump cacache from 18.0.4 to 19.0.0 (#​398) (@​dependabot[bot])
• 6d59022 #​399 bump @​npmcli/git from 5.0.8 to 6.0.0 (#​399)
• 21ea2d4 #​400 bump @​npmcli/run-script from 8.1.0 to 9.0.0 (#​400)
• eddbc01 #​392 ssri@12.0.0
• 6c672e9 #​392 proc-log@5.0.0
• 03ba2a2 #​392 npm-packlist@9.0.0
• 2710286 #​392 npm-package-arg@12.0.0
• aa0bd4a #​392 @npmcli/promise-spawn@8.0.0
• df23343 #​392 @npmcli/installed-package-contents@3.0.0

Chores

• e4ed5cd #​392 bump hosted-git-info ^7.0.0 to ^8.0.0 (@​reggi)
• 2871f56 #​392 run template-oss-apply (@​reggi)
• 39643f1 #​382 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 7e33c82 #​383 postinstall for dependabot template-oss PR (@​hashtagchris)
• e4e07bf #​383 bump @​npmcli/template-oss from 4.23.1 to 4.23.3 (@​dependabot[bot])

v17.0.7

Compare Source

Dependencies

• e07c3e5 #​350 proc-log@4.0.0 (#​350)

v17.0.6

Compare Source

Dependencies

• 0a5920f #​343 bump sigstore from 2.0.0 to 2.2.0 (#​343) (@​bdehamer)

Chores

• 6fd23ad #​342 postinstall for dependabot template-oss PR (@​lukekarrys)
• c3b398a #​342 bump @​npmcli/template-oss from 4.21.1 to 4.21.3 (@​dependabot[bot])
• 4557919 #​337 postinstall for dependabot template-oss PR (@​lukekarrys)
• c7e293c #​337 bump @​npmcli/template-oss from 4.19.0 to 4.21.1 (@​dependabot[bot])

v17.0.5

Compare Source

Bug Fixes

• 0c96b9e #​338 bug to support rotated keys in signature/attestation audit (#​338) (@​feelepxyz)

v17.0.4

Compare Source

Dependencies

• ba8f790 #​309 bump @​npmcli/promise-spawn from 6.0.2 to 7.0.0
• 2c0d3ae #​308 bump @​npmcli/run-script from 6.0.2 to 7.0.0

v17.0.3

Compare Source

Dependencies

• [ace7c28](h

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.