diff --git a/.pnp.cjs b/.pnp.cjs index c6ba5b389981..a2f781591a8d 100755 --- a/.pnp.cjs +++ b/.pnp.cjs @@ -38,6 +38,10 @@ const RAW_RUNTIME_STATE = "name": "@yarnpkg/eslint-config",\ "reference": "workspace:packages/eslint-config"\ },\ + {\ + "name": "make-fetch-smaller",\ + "reference": "workspace:packages/make-fetch-smaller"\ + },\ {\ "name": "@yarnpkg/plugin-compat",\ "reference": "workspace:packages/plugin-compat"\ @@ -240,6 +244,7 @@ const RAW_RUNTIME_STATE = ["@yarnpkg/shell", ["workspace:packages/yarnpkg-shell"]],\ ["@yarnpkg/types", ["workspace:packages/yarnpkg-types"]],\ ["acceptance-tests", ["workspace:packages/acceptance-tests"]],\ + ["make-fetch-smaller", ["workspace:packages/make-fetch-smaller"]],\ ["pkg-tests-core", ["workspace:packages/acceptance-tests/pkg-tests-core"]],\ ["pkg-tests-fixtures", ["workspace:packages/acceptance-tests/pkg-tests-fixtures"]],\ ["pkg-tests-specs", ["workspace:packages/acceptance-tests/pkg-tests-specs"]],\ @@ -668,7 +673,7 @@ const RAW_RUNTIME_STATE = ["@babel/traverse", "npm:7.24.8"],\ ["@babel/types", "npm:7.24.9"],\ ["convert-source-map", "npm:2.0.0"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["gensync", "npm:1.0.0-beta.2"],\ ["json5", "npm:2.2.3"],\ ["semver", "npm:6.3.1"]\ @@ -803,7 +808,7 @@ const RAW_RUNTIME_STATE = ["@babel/helper-define-polyfill-provider", "virtual:58391427c173b3031303b56c9bcf0fe1c1eda6bf1561079ca823e416b2b545b82f86774dde1240bb1bcf6e13bf3df16d6886eca046204e5498df36efc5080ba1#npm:0.5.0"],\ ["@babel/helper-plugin-utils", "npm:7.24.8"],\ ["@types/babel__core", null],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["lodash.debounce", "npm:4.0.8"],\ ["resolve", "patch:resolve@npm%3A1.22.2#optional!builtin::version=1.22.2&hash=c3c19d"]\ ],\ @@ -821,7 +826,7 @@ const RAW_RUNTIME_STATE = ["@babel/helper-define-polyfill-provider", "virtual:78d7ac697fda809112aa5f864eb263009d1472191f7874562da745419e253f10c0133df5e70add2896ed2e36a9ab7adea4624808e2e122e5da79386dfe7f9b6a#npm:0.6.2"],\ ["@babel/helper-plugin-utils", "npm:7.24.8"],\ ["@types/babel__core", null],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["lodash.debounce", "npm:4.0.8"],\ ["resolve", "patch:resolve@npm%3A1.22.2#optional!builtin::version=1.22.2&hash=c3c19d"]\ ],\ @@ -3424,7 +3429,7 @@ const RAW_RUNTIME_STATE = ["@babel/parser", "npm:7.24.8"],\ ["@babel/traverse", "npm:7.24.8"],\ ["@babel/types", "npm:7.24.9"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["globals", "npm:11.10.0"]\ ],\ "linkType": "HARD"\ @@ -5137,7 +5142,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@eslint/config-array", "npm:0.16.0"],\ ["@eslint/object-schema", "npm:2.1.6"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["minimatch", "npm:3.1.2"]\ ],\ "linkType": "HARD"\ @@ -5147,7 +5152,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@eslint/config-array", "npm:0.19.2"],\ ["@eslint/object-schema", "npm:2.1.6"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["minimatch", "npm:3.1.2"]\ ],\ "linkType": "HARD"\ @@ -5177,7 +5182,7 @@ const RAW_RUNTIME_STATE = ["find-up", "npm:7.0.0"],\ ["get-port-please", "npm:3.1.2"],\ ["h3", "npm:1.12.0"],\ - ["minimatch", "npm:9.0.4"],\ + ["minimatch", "npm:9.0.5"],\ ["mlly", "npm:1.7.1"],\ ["mrmime", "npm:2.0.0"],\ ["open", "npm:10.1.0"],\ @@ -5215,7 +5220,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@eslint/eslintrc", "npm:3.2.0"],\ ["ajv", "npm:6.12.6"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["espree", "npm:10.3.0"],\ ["globals", "npm:14.0.0"],\ ["ignore", "npm:5.3.1"],\ @@ -6391,6 +6396,72 @@ const RAW_RUNTIME_STATE = "linkType": "HARD"\ }]\ ]],\ + ["@sigstore/bundle", [\ + ["npm:3.1.0", {\ + "packageLocation": "./.yarn/cache/@sigstore-bundle-npm-3.1.0-93e02e23c5-21b246ec63.zip/node_modules/@sigstore/bundle/",\ + "packageDependencies": [\ + ["@sigstore/bundle", "npm:3.1.0"],\ + ["@sigstore/protobuf-specs", "npm:0.4.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ + ["@sigstore/core", [\ + ["npm:2.0.0", {\ + "packageLocation": "./.yarn/cache/@sigstore-core-npm-2.0.0-6546ce777b-ec1deae943.zip/node_modules/@sigstore/core/",\ + "packageDependencies": [\ + ["@sigstore/core", "npm:2.0.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ + ["@sigstore/protobuf-specs", [\ + ["npm:0.4.0", {\ + "packageLocation": "./.yarn/cache/@sigstore-protobuf-specs-npm-0.4.0-2d7d3b28ee-b267b24c8a.zip/node_modules/@sigstore/protobuf-specs/",\ + "packageDependencies": [\ + ["@sigstore/protobuf-specs", "npm:0.4.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ + ["@sigstore/sign", [\ + ["npm:3.1.0", {\ + "packageLocation": "./.yarn/cache/@sigstore-sign-npm-3.1.0-c852831d71-e0ce0aa52b.zip/node_modules/@sigstore/sign/",\ + "packageDependencies": [\ + ["@sigstore/bundle", "npm:3.1.0"],\ + ["@sigstore/core", "npm:2.0.0"],\ + ["@sigstore/protobuf-specs", "npm:0.4.0"],\ + ["@sigstore/sign", "npm:3.1.0"],\ + ["make-fetch-happen", "portal:packages/make-fetch-smaller::locator=%40yarnpkg%2Fmonorepo%40workspace%3A."],\ + ["proc-log", "npm:5.0.0"],\ + ["promise-retry", "npm:2.0.1"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ + ["@sigstore/tuf", [\ + ["npm:3.1.0", {\ + "packageLocation": "./.yarn/cache/@sigstore-tuf-npm-3.1.0-dcdff5411e-7040aaa8b0.zip/node_modules/@sigstore/tuf/",\ + "packageDependencies": [\ + ["@sigstore/protobuf-specs", "npm:0.4.0"],\ + ["@sigstore/tuf", "npm:3.1.0"],\ + ["tuf-js", "npm:3.0.1"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ + ["@sigstore/verify", [\ + ["npm:2.1.0", {\ + "packageLocation": "./.yarn/cache/@sigstore-verify-npm-2.1.0-0174fd0384-bb0a8472c8.zip/node_modules/@sigstore/verify/",\ + "packageDependencies": [\ + ["@sigstore/bundle", "npm:3.1.0"],\ + ["@sigstore/core", "npm:2.0.0"],\ + ["@sigstore/protobuf-specs", "npm:0.4.0"],\ + ["@sigstore/verify", "npm:2.1.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ ["@sinclair/typebox", [\ ["npm:0.24.20", {\ "packageLocation": "./.yarn/cache/@sinclair-typebox-npm-0.24.20-26b4f821fa-3a495dc0b6.zip/node_modules/@sinclair/typebox/",\ @@ -6852,6 +6923,26 @@ const RAW_RUNTIME_STATE = "linkType": "HARD"\ }]\ ]],\ + ["@tufjs/canonical-json", [\ + ["npm:2.0.0", {\ + "packageLocation": "./.yarn/cache/@tufjs-canonical-json-npm-2.0.0-46a22aa444-cc719a1d0d.zip/node_modules/@tufjs/canonical-json/",\ + "packageDependencies": [\ + ["@tufjs/canonical-json", "npm:2.0.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ + ["@tufjs/models", [\ + ["npm:3.0.1", {\ + "packageLocation": "./.yarn/cache/@tufjs-models-npm-3.0.1-29f012ba2d-00636238b2.zip/node_modules/@tufjs/models/",\ + "packageDependencies": [\ + ["@tufjs/canonical-json", "npm:2.0.0"],\ + ["@tufjs/models", "npm:3.0.1"],\ + ["minimatch", "npm:9.0.5"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ ["@types/acorn", [\ ["npm:4.0.6", {\ "packageLocation": "./.yarn/cache/@types-acorn-npm-4.0.6-a81a5c57b1-e00671d505.zip/node_modules/@types/acorn/",\ @@ -7737,10 +7828,11 @@ const RAW_RUNTIME_STATE = }]\ ]],\ ["@types/ssri", [\ - ["npm:6.0.1", {\ - "packageLocation": "./.yarn/cache/@types-ssri-npm-6.0.1-da6c21e6d2-1917e8c018.zip/node_modules/@types/ssri/",\ + ["npm:7.1.5", {\ + "packageLocation": "./.yarn/cache/@types-ssri-npm-7.1.5-12d87ddfc1-5d83e8a3ec.zip/node_modules/@types/ssri/",\ "packageDependencies": [\ - ["@types/ssri", "npm:6.0.1"]\ + ["@types/node", "npm:18.19.17"],\ + ["@types/ssri", "npm:7.1.5"]\ ],\ "linkType": "HARD"\ }]\ @@ -7976,7 +8068,7 @@ const RAW_RUNTIME_STATE = ["@typescript-eslint/types", "npm:8.24.0"],\ ["@typescript-eslint/typescript-estree", "virtual:23068ba05c01b57ed8e5617d7a8382e9c7bf5da593309a0b77406f234c7043fa3d723b578c52d454716b426cbda20a43751c32baee3b5c9b4449be13e364408c#npm:8.24.0"],\ ["@typescript-eslint/visitor-keys", "npm:8.24.0"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["eslint", "virtual:e470d99b1e4fdf4c5db5d090ff5472cdeba0404b7ffd31cd2efab3493dd184c67bc45f60c2ef1c040e2c41afe38c6280bffc5df2fbe3aefaa2b6eacf685ab07c#npm:9.20.1"],\ ["typescript", "patch:typescript@npm%3A5.5.2#optional!builtin::version=5.5.2&hash=379a07"]\ ],\ @@ -8016,7 +8108,7 @@ const RAW_RUNTIME_STATE = ["@typescript-eslint/type-utils", "virtual:85547ebcc9aa80800b57485a2a35b997df1796e3c7edd0ea0e08b5e3386f186cdbce5a36488d2feb239aa81dcd53ed6e270f5ed3b22191f2d7deb5b28bc936d4#npm:8.24.0"],\ ["@typescript-eslint/typescript-estree", "virtual:23068ba05c01b57ed8e5617d7a8382e9c7bf5da593309a0b77406f234c7043fa3d723b578c52d454716b426cbda20a43751c32baee3b5c9b4449be13e364408c#npm:8.24.0"],\ ["@typescript-eslint/utils", "virtual:85547ebcc9aa80800b57485a2a35b997df1796e3c7edd0ea0e08b5e3386f186cdbce5a36488d2feb239aa81dcd53ed6e270f5ed3b22191f2d7deb5b28bc936d4#npm:8.24.0"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["eslint", "virtual:e470d99b1e4fdf4c5db5d090ff5472cdeba0404b7ffd31cd2efab3493dd184c67bc45f60c2ef1c040e2c41afe38c6280bffc5df2fbe3aefaa2b6eacf685ab07c#npm:9.20.1"],\ ["ts-api-utils", "virtual:85547ebcc9aa80800b57485a2a35b997df1796e3c7edd0ea0e08b5e3386f186cdbce5a36488d2feb239aa81dcd53ed6e270f5ed3b22191f2d7deb5b28bc936d4#npm:2.0.1"],\ ["typescript", "patch:typescript@npm%3A5.5.2#optional!builtin::version=5.5.2&hash=379a07"]\ @@ -8054,10 +8146,10 @@ const RAW_RUNTIME_STATE = ["@typescript-eslint/types", "npm:8.24.0"],\ ["@typescript-eslint/typescript-estree", "virtual:23068ba05c01b57ed8e5617d7a8382e9c7bf5da593309a0b77406f234c7043fa3d723b578c52d454716b426cbda20a43751c32baee3b5c9b4449be13e364408c#npm:8.24.0"],\ ["@typescript-eslint/visitor-keys", "npm:8.24.0"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["fast-glob", "npm:3.3.2"],\ ["is-glob", "npm:4.0.3"],\ - ["minimatch", "npm:9.0.4"],\ + ["minimatch", "npm:9.0.5"],\ ["semver", "npm:7.6.0"],\ ["ts-api-utils", "virtual:85547ebcc9aa80800b57485a2a35b997df1796e3c7edd0ea0e08b5e3386f186cdbce5a36488d2feb239aa81dcd53ed6e270f5ed3b22191f2d7deb5b28bc936d4#npm:2.0.1"],\ ["typescript", "patch:typescript@npm%3A5.5.2#optional!builtin::version=5.5.2&hash=379a07"]\ @@ -8075,10 +8167,10 @@ const RAW_RUNTIME_STATE = ["@typescript-eslint/types", "npm:8.24.0"],\ ["@typescript-eslint/typescript-estree", "virtual:7c406ccd8489098d265c7943f17293177e15435ce3086b71dd15918f28ac00ae2e7816b14149a4636c5eb1e95cb95edfa4c59b9f180976a0257ed5aa88116e48#npm:8.24.0"],\ ["@typescript-eslint/visitor-keys", "npm:8.24.0"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["fast-glob", "npm:3.3.2"],\ ["is-glob", "npm:4.0.3"],\ - ["minimatch", "npm:9.0.4"],\ + ["minimatch", "npm:9.0.5"],\ ["semver", "npm:7.6.0"],\ ["ts-api-utils", "virtual:801664084d8a2fb2e80fe6e89bbb4fe7867dabf4bc2df37ddeeb5fade83712c4469ca73167f4abfa8fe30945abbba93220b866b314f8300b1bbcb4bbcf887e6a#npm:2.0.1"],\ ["typescript", null]\ @@ -13617,7 +13709,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13627,7 +13719,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13642,7 +13735,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13652,7 +13745,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13668,7 +13762,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13678,7 +13772,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13694,7 +13789,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13704,7 +13799,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13720,7 +13816,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13730,7 +13826,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13746,7 +13843,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13756,7 +13853,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13772,7 +13870,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13782,7 +13880,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13798,7 +13897,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13808,7 +13907,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13824,7 +13924,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13834,7 +13934,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13850,7 +13951,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13860,7 +13961,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13876,7 +13978,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13886,7 +13988,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13902,7 +14005,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13912,7 +14015,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13927,7 +14031,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13937,7 +14041,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13953,7 +14058,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13963,7 +14068,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -13979,7 +14085,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -13989,7 +14095,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14005,7 +14112,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -14015,7 +14122,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14031,7 +14139,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -14041,7 +14149,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14057,7 +14166,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -14067,7 +14176,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14083,7 +14193,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -14093,7 +14203,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14109,7 +14220,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -14119,7 +14230,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14135,7 +14247,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@types/yarnpkg__core", null],\ ["@types/yarnpkg__plugin-pack", null],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ @@ -14145,7 +14257,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "packagePeers": [\ @@ -14161,7 +14274,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@types/lodash", "npm:4.14.172"],\ ["@types/semver", "npm:7.5.8"],\ - ["@types/ssri", "npm:6.0.1"],\ + ["@types/ssri", "npm:7.1.5"],\ ["@yarnpkg/core", "workspace:packages/yarnpkg-core"],\ ["@yarnpkg/fslib", "workspace:packages/yarnpkg-fslib"],\ ["@yarnpkg/plugin-npm", "workspace:packages/plugin-npm"],\ @@ -14169,7 +14282,8 @@ const RAW_RUNTIME_STATE = ["enquirer", "npm:2.3.6"],\ ["lodash", "npm:4.17.21"],\ ["semver", "npm:7.6.0"],\ - ["ssri", "npm:6.0.1"],\ + ["sigstore", "npm:3.1.0"],\ + ["ssri", "npm:12.0.0"],\ ["tslib", "npm:2.6.2"]\ ],\ "linkType": "SOFT"\ @@ -19213,7 +19327,7 @@ const RAW_RUNTIME_STATE = "packageLocation": "./.yarn/cache/agent-base-npm-6.0.2-428f325a93-21fb903e09.zip/node_modules/agent-base/",\ "packageDependencies": [\ ["agent-base", "npm:6.0.2"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"]\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"]\ ],\ "linkType": "HARD"\ }]\ @@ -19223,7 +19337,7 @@ const RAW_RUNTIME_STATE = "packageLocation": "./.yarn/cache/agentkeepalive-npm-4.2.1-b86a9fb343-63961cba1a.zip/node_modules/agentkeepalive/",\ "packageDependencies": [\ ["agentkeepalive", "npm:4.2.1"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["depd", "npm:1.1.2"],\ ["humanize-ms", "npm:1.2.1"]\ ],\ @@ -22183,10 +22297,10 @@ const RAW_RUNTIME_STATE = ],\ "linkType": "SOFT"\ }],\ - ["npm:4.3.4", {\ - "packageLocation": "./.yarn/cache/debug-npm-4.3.4-4513954577-0073c3bcbd.zip/node_modules/debug/",\ + ["npm:4.4.0", {\ + "packageLocation": "./.yarn/cache/debug-npm-4.4.0-f6efe76023-1847944c2e.zip/node_modules/debug/",\ "packageDependencies": [\ - ["debug", "npm:4.3.4"]\ + ["debug", "npm:4.4.0"]\ ],\ "linkType": "SOFT"\ }],\ @@ -22204,12 +22318,12 @@ const RAW_RUNTIME_STATE = ],\ "linkType": "HARD"\ }],\ - ["virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4", {\ - "packageLocation": "./.yarn/__virtual__/debug-virtual-4488998e89/0/cache/debug-npm-4.3.4-4513954577-0073c3bcbd.zip/node_modules/debug/",\ + ["virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0", {\ + "packageLocation": "./.yarn/__virtual__/debug-virtual-9c1b624c5c/0/cache/debug-npm-4.4.0-f6efe76023-1847944c2e.zip/node_modules/debug/",\ "packageDependencies": [\ ["@types/supports-color", null],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ - ["ms", "npm:2.1.2"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ + ["ms", "npm:2.1.3"],\ ["supports-color", null]\ ],\ "packagePeers": [\ @@ -22516,7 +22630,7 @@ const RAW_RUNTIME_STATE = "packageLocation": "./.yarn/cache/detect-port-npm-1.5.1-fbb9694f69-b48da93404.zip/node_modules/detect-port/",\ "packageDependencies": [\ ["address", "npm:1.2.1"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["detect-port", "npm:1.5.1"]\ ],\ "linkType": "HARD"\ @@ -23603,7 +23717,7 @@ const RAW_RUNTIME_STATE = ["ajv", "npm:6.12.6"],\ ["chalk", "npm:4.1.2"],\ ["cross-spawn", "npm:7.0.6"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["escape-string-regexp", "npm:4.0.0"],\ ["eslint", "virtual:e470d99b1e4fdf4c5db5d090ff5472cdeba0404b7ffd31cd2efab3493dd184c67bc45f60c2ef1c040e2c41afe38c6280bffc5df2fbe3aefaa2b6eacf685ab07c#npm:9.20.1"],\ ["eslint-scope", "npm:8.2.0"],\ @@ -24237,15 +24351,6 @@ const RAW_RUNTIME_STATE = "linkType": "HARD"\ }]\ ]],\ - ["figgy-pudding", [\ - ["npm:3.5.1", {\ - "packageLocation": "./.yarn/cache/figgy-pudding-npm-3.5.1-6fe250523e-07c23bc388.zip/node_modules/figgy-pudding/",\ - "packageDependencies": [\ - ["figgy-pudding", "npm:3.5.1"]\ - ],\ - "linkType": "HARD"\ - }]\ - ]],\ ["file-entry-cache", [\ ["npm:8.0.0", {\ "packageLocation": "./.yarn/cache/file-entry-cache-npm-8.0.0-5b09d19a83-afe55c4de4.zip/node_modules/file-entry-cache/",\ @@ -25708,7 +25813,7 @@ const RAW_RUNTIME_STATE = "packageDependencies": [\ ["@tootallnate/once", "npm:2.0.0"],\ ["agent-base", "npm:6.0.2"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["http-proxy-agent", "npm:5.0.0"]\ ],\ "linkType": "HARD"\ @@ -25764,7 +25869,7 @@ const RAW_RUNTIME_STATE = "packageLocation": "./.yarn/cache/https-proxy-agent-npm-5.0.1-42d65f358e-f0dce7bdca.zip/node_modules/https-proxy-agent/",\ "packageDependencies": [\ ["agent-base", "npm:6.0.2"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["https-proxy-agent", "npm:5.0.1"]\ ],\ "linkType": "HARD"\ @@ -27028,7 +27133,7 @@ const RAW_RUNTIME_STATE = ["npm:4.0.0", {\ "packageLocation": "./.yarn/cache/istanbul-lib-source-maps-npm-4.0.0-def3895674-765252abc6.zip/node_modules/istanbul-lib-source-maps/",\ "packageDependencies": [\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["istanbul-lib-coverage", "npm:3.2.0"],\ ["istanbul-lib-source-maps", "npm:4.0.0"],\ ["source-map", "npm:0.6.1"]\ @@ -28336,6 +28441,22 @@ const RAW_RUNTIME_STATE = ["ssri", "npm:9.0.1"]\ ],\ "linkType": "HARD"\ + }],\ + ["portal:packages/make-fetch-smaller::locator=%40yarnpkg%2Fmonorepo%40workspace%3A.", {\ + "packageLocation": "./packages/make-fetch-smaller/",\ + "packageDependencies": [\ + ["make-fetch-happen", "portal:packages/make-fetch-smaller::locator=%40yarnpkg%2Fmonorepo%40workspace%3A."]\ + ],\ + "linkType": "SOFT"\ + }]\ + ]],\ + ["make-fetch-smaller", [\ + ["workspace:packages/make-fetch-smaller", {\ + "packageLocation": "./packages/make-fetch-smaller/",\ + "packageDependencies": [\ + ["make-fetch-smaller", "workspace:packages/make-fetch-smaller"]\ + ],\ + "linkType": "SOFT"\ }]\ ]],\ ["makeerror", [\ @@ -28920,7 +29041,7 @@ const RAW_RUNTIME_STATE = "packageLocation": "./.yarn/cache/micromark-npm-4.0.0-ddf83a29ef-a697c1c0c1.zip/node_modules/micromark/",\ "packageDependencies": [\ ["@types/debug", "npm:4.1.12"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["decode-named-character-reference", "npm:1.0.2"],\ ["devlop", "npm:1.1.0"],\ ["micromark", "npm:4.0.0"],\ @@ -29632,11 +29753,11 @@ const RAW_RUNTIME_STATE = ],\ "linkType": "HARD"\ }],\ - ["npm:9.0.4", {\ - "packageLocation": "./.yarn/cache/minimatch-npm-9.0.4-7be5a33efc-4cdc18d112.zip/node_modules/minimatch/",\ + ["npm:9.0.5", {\ + "packageLocation": "./.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip/node_modules/minimatch/",\ "packageDependencies": [\ ["brace-expansion", "npm:2.0.1"],\ - ["minimatch", "npm:9.0.4"]\ + ["minimatch", "npm:9.0.5"]\ ],\ "linkType": "HARD"\ }]\ @@ -29658,6 +29779,13 @@ const RAW_RUNTIME_STATE = ["yallist", "npm:4.0.0"]\ ],\ "linkType": "HARD"\ + }],\ + ["npm:7.1.2", {\ + "packageLocation": "./.yarn/cache/minipass-npm-7.1.2-3a5327d36d-c25f0ee819.zip/node_modules/minipass/",\ + "packageDependencies": [\ + ["minipass", "npm:7.1.2"]\ + ],\ + "linkType": "HARD"\ }]\ ]],\ ["minipass-collect", [\ @@ -29807,13 +29935,6 @@ const RAW_RUNTIME_STATE = ],\ "linkType": "HARD"\ }],\ - ["npm:2.1.2", {\ - "packageLocation": "./.yarn/cache/ms-npm-2.1.2-ec0c1512ff-673cdb2c31.zip/node_modules/ms/",\ - "packageDependencies": [\ - ["ms", "npm:2.1.2"]\ - ],\ - "linkType": "HARD"\ - }],\ ["npm:2.1.3", {\ "packageLocation": "./.yarn/cache/ms-npm-2.1.3-81ff3cfac1-aa92de6080.zip/node_modules/ms/",\ "packageDependencies": [\ @@ -32120,6 +32241,15 @@ const RAW_RUNTIME_STATE = "linkType": "HARD"\ }]\ ]],\ + ["proc-log", [\ + ["npm:5.0.0", {\ + "packageLocation": "./.yarn/cache/proc-log-npm-5.0.0-405173f9b4-35610bdb01.zip/node_modules/proc-log/",\ + "packageDependencies": [\ + ["proc-log", "npm:5.0.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ ["process-nextick-args", [\ ["npm:2.0.0", {\ "packageLocation": "./.yarn/cache/process-nextick-args-npm-2.0.0-2a45ddf372-15209b1230.zip/node_modules/process-nextick-args/",\ @@ -34502,6 +34632,21 @@ const RAW_RUNTIME_STATE = "linkType": "HARD"\ }]\ ]],\ + ["sigstore", [\ + ["npm:3.1.0", {\ + "packageLocation": "./.yarn/cache/sigstore-npm-3.1.0-06f5d23d7f-fc2a38d11b.zip/node_modules/sigstore/",\ + "packageDependencies": [\ + ["@sigstore/bundle", "npm:3.1.0"],\ + ["@sigstore/core", "npm:2.0.0"],\ + ["@sigstore/protobuf-specs", "npm:0.4.0"],\ + ["@sigstore/sign", "npm:3.1.0"],\ + ["@sigstore/tuf", "npm:3.1.0"],\ + ["@sigstore/verify", "npm:2.1.0"],\ + ["sigstore", "npm:3.1.0"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ ["simple-concat", [\ ["npm:1.0.0", {\ "packageLocation": "./.yarn/cache/simple-concat-npm-1.0.0-254e9f193d-b2c92c7d59.zip/node_modules/simple-concat/",\ @@ -34698,7 +34843,7 @@ const RAW_RUNTIME_STATE = "packageLocation": "./.yarn/cache/socks-proxy-agent-npm-7.0.0-7aacf32ea0-26c75d9c62.zip/node_modules/socks-proxy-agent/",\ "packageDependencies": [\ ["agent-base", "npm:6.0.2"],\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["socks", "npm:2.7.0"],\ ["socks-proxy-agent", "npm:7.0.0"]\ ],\ @@ -34820,7 +34965,7 @@ const RAW_RUNTIME_STATE = ["npm:4.0.2", {\ "packageLocation": "./.yarn/cache/spdy-npm-4.0.2-7e5782a993-d29b89e48e.zip/node_modules/spdy/",\ "packageDependencies": [\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["handle-thing", "npm:2.0.1"],\ ["http-deceiver", "npm:1.2.7"],\ ["select-hose", "npm:2.0.0"],\ @@ -34834,7 +34979,7 @@ const RAW_RUNTIME_STATE = ["npm:3.0.0", {\ "packageLocation": "./.yarn/cache/spdy-transport-npm-3.0.0-9f4f73f332-b93b606b20.zip/node_modules/spdy-transport/",\ "packageDependencies": [\ - ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.3.4"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ ["detect-node", "npm:2.1.0"],\ ["hpack.js", "npm:2.1.6"],\ ["obuf", "npm:1.1.2"],\ @@ -34874,11 +35019,11 @@ const RAW_RUNTIME_STATE = }]\ ]],\ ["ssri", [\ - ["npm:6.0.1", {\ - "packageLocation": "./.yarn/cache/ssri-npm-6.0.1-a40d823fc9-aa85bffced.zip/node_modules/ssri/",\ + ["npm:12.0.0", {\ + "packageLocation": "./.yarn/cache/ssri-npm-12.0.0-97c0e53d2e-7024c1a6e3.zip/node_modules/ssri/",\ "packageDependencies": [\ - ["figgy-pudding", "npm:3.5.1"],\ - ["ssri", "npm:6.0.1"]\ + ["minipass", "npm:7.1.2"],\ + ["ssri", "npm:12.0.0"]\ ],\ "linkType": "HARD"\ }],\ @@ -35782,6 +35927,18 @@ const RAW_RUNTIME_STATE = "linkType": "HARD"\ }]\ ]],\ + ["tuf-js", [\ + ["npm:3.0.1", {\ + "packageLocation": "./.yarn/cache/tuf-js-npm-3.0.1-9135d15fbd-880219a55e.zip/node_modules/tuf-js/",\ + "packageDependencies": [\ + ["@tufjs/models", "npm:3.0.1"],\ + ["debug", "virtual:b86a9fb34323a98c6519528ed55faa0d9b44ca8879307c0b29aa384bde47ff59a7d0c9051b31246f14521dfb71ba3c5d6d0b35c29fffc17bf875aa6ad977d9e8#npm:4.4.0"],\ + ["make-fetch-happen", "portal:packages/make-fetch-smaller::locator=%40yarnpkg%2Fmonorepo%40workspace%3A."],\ + ["tuf-js", "npm:3.0.1"]\ + ],\ + "linkType": "HARD"\ + }]\ + ]],\ ["tunnel", [\ ["npm:0.0.6", {\ "packageLocation": "./.yarn/cache/tunnel-npm-0.0.6-b1c0830ea4-cf1ffed5e6.zip/node_modules/tunnel/",\ @@ -35986,7 +36143,7 @@ const RAW_RUNTIME_STATE = ["@types/typescript", null],\ ["lunr", "npm:2.3.9"],\ ["marked", "npm:4.3.0"],\ - ["minimatch", "npm:9.0.4"],\ + ["minimatch", "npm:9.0.5"],\ ["shiki", "npm:0.14.7"],\ ["typedoc", "virtual:efae73f2e9aa11493dde5182b5b7f0894b5c101cb3c916b74523dc0bde92d8579259d43c7f83a5363dbd8939dc3d1e6c45c5965b9191878533d9a2c19b046d70#npm:0.25.8"],\ ["typescript", "patch:typescript@npm%3A5.5.2#optional!builtin::version=5.5.2&hash=379a07"]\ diff --git a/.yarn/cache/@sigstore-bundle-npm-3.1.0-93e02e23c5-21b246ec63.zip b/.yarn/cache/@sigstore-bundle-npm-3.1.0-93e02e23c5-21b246ec63.zip new file mode 100644 index 000000000000..302589678288 Binary files /dev/null and b/.yarn/cache/@sigstore-bundle-npm-3.1.0-93e02e23c5-21b246ec63.zip differ diff --git a/.yarn/cache/@sigstore-core-npm-2.0.0-6546ce777b-ec1deae943.zip b/.yarn/cache/@sigstore-core-npm-2.0.0-6546ce777b-ec1deae943.zip new file mode 100644 index 000000000000..99895939826c Binary files /dev/null and b/.yarn/cache/@sigstore-core-npm-2.0.0-6546ce777b-ec1deae943.zip differ diff --git a/.yarn/cache/@sigstore-protobuf-specs-npm-0.4.0-2d7d3b28ee-b267b24c8a.zip b/.yarn/cache/@sigstore-protobuf-specs-npm-0.4.0-2d7d3b28ee-b267b24c8a.zip new file mode 100644 index 000000000000..eadf7eccde55 Binary files /dev/null and b/.yarn/cache/@sigstore-protobuf-specs-npm-0.4.0-2d7d3b28ee-b267b24c8a.zip differ diff --git a/.yarn/cache/@sigstore-sign-npm-3.1.0-c852831d71-e0ce0aa52b.zip b/.yarn/cache/@sigstore-sign-npm-3.1.0-c852831d71-e0ce0aa52b.zip new file mode 100644 index 000000000000..c4627db374e9 Binary files /dev/null and b/.yarn/cache/@sigstore-sign-npm-3.1.0-c852831d71-e0ce0aa52b.zip differ diff --git a/.yarn/cache/@sigstore-tuf-npm-3.1.0-dcdff5411e-7040aaa8b0.zip b/.yarn/cache/@sigstore-tuf-npm-3.1.0-dcdff5411e-7040aaa8b0.zip new file mode 100644 index 000000000000..9b8c2fa27eeb Binary files /dev/null and b/.yarn/cache/@sigstore-tuf-npm-3.1.0-dcdff5411e-7040aaa8b0.zip differ diff --git a/.yarn/cache/@sigstore-verify-npm-2.1.0-0174fd0384-bb0a8472c8.zip b/.yarn/cache/@sigstore-verify-npm-2.1.0-0174fd0384-bb0a8472c8.zip new file mode 100644 index 000000000000..448c5bd82432 Binary files /dev/null and b/.yarn/cache/@sigstore-verify-npm-2.1.0-0174fd0384-bb0a8472c8.zip differ diff --git a/.yarn/cache/@tufjs-canonical-json-npm-2.0.0-46a22aa444-cc719a1d0d.zip b/.yarn/cache/@tufjs-canonical-json-npm-2.0.0-46a22aa444-cc719a1d0d.zip new file mode 100644 index 000000000000..213475a1fd6e Binary files /dev/null and b/.yarn/cache/@tufjs-canonical-json-npm-2.0.0-46a22aa444-cc719a1d0d.zip differ diff --git a/.yarn/cache/@tufjs-models-npm-3.0.1-29f012ba2d-00636238b2.zip b/.yarn/cache/@tufjs-models-npm-3.0.1-29f012ba2d-00636238b2.zip new file mode 100644 index 000000000000..9fe25394618e Binary files /dev/null and b/.yarn/cache/@tufjs-models-npm-3.0.1-29f012ba2d-00636238b2.zip differ diff --git a/.yarn/cache/@types-ssri-npm-6.0.1-da6c21e6d2-1917e8c018.zip b/.yarn/cache/@types-ssri-npm-6.0.1-da6c21e6d2-1917e8c018.zip deleted file mode 100644 index 804ed2ef3928..000000000000 Binary files a/.yarn/cache/@types-ssri-npm-6.0.1-da6c21e6d2-1917e8c018.zip and /dev/null differ diff --git a/.yarn/cache/@types-ssri-npm-7.1.5-12d87ddfc1-5d83e8a3ec.zip b/.yarn/cache/@types-ssri-npm-7.1.5-12d87ddfc1-5d83e8a3ec.zip new file mode 100644 index 000000000000..503c6d384764 Binary files /dev/null and b/.yarn/cache/@types-ssri-npm-7.1.5-12d87ddfc1-5d83e8a3ec.zip differ diff --git a/.yarn/cache/debug-npm-4.3.4-4513954577-0073c3bcbd.zip b/.yarn/cache/debug-npm-4.3.4-4513954577-0073c3bcbd.zip deleted file mode 100644 index 351f1aa3e88b..000000000000 Binary files a/.yarn/cache/debug-npm-4.3.4-4513954577-0073c3bcbd.zip and /dev/null differ diff --git a/.yarn/cache/debug-npm-4.4.0-f6efe76023-1847944c2e.zip b/.yarn/cache/debug-npm-4.4.0-f6efe76023-1847944c2e.zip new file mode 100644 index 000000000000..5bce5f628798 Binary files /dev/null and b/.yarn/cache/debug-npm-4.4.0-f6efe76023-1847944c2e.zip differ diff --git a/.yarn/cache/figgy-pudding-npm-3.5.1-6fe250523e-07c23bc388.zip b/.yarn/cache/figgy-pudding-npm-3.5.1-6fe250523e-07c23bc388.zip deleted file mode 100644 index d48a2fa9e279..000000000000 Binary files a/.yarn/cache/figgy-pudding-npm-3.5.1-6fe250523e-07c23bc388.zip and /dev/null differ diff --git a/.yarn/cache/minimatch-npm-9.0.4-7be5a33efc-4cdc18d112.zip b/.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip similarity index 51% rename from .yarn/cache/minimatch-npm-9.0.4-7be5a33efc-4cdc18d112.zip rename to .yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip index 61a88c7c69db..4b97afd8310e 100644 Binary files a/.yarn/cache/minimatch-npm-9.0.4-7be5a33efc-4cdc18d112.zip and b/.yarn/cache/minimatch-npm-9.0.5-9aa93d97fa-dd6a8927b0.zip differ diff --git a/.yarn/cache/minipass-npm-7.1.2-3a5327d36d-c25f0ee819.zip b/.yarn/cache/minipass-npm-7.1.2-3a5327d36d-c25f0ee819.zip new file mode 100644 index 000000000000..4c88fb60ce38 Binary files /dev/null and b/.yarn/cache/minipass-npm-7.1.2-3a5327d36d-c25f0ee819.zip differ diff --git a/.yarn/cache/ms-npm-2.1.2-ec0c1512ff-673cdb2c31.zip b/.yarn/cache/ms-npm-2.1.2-ec0c1512ff-673cdb2c31.zip deleted file mode 100644 index 725e9b8c176a..000000000000 Binary files a/.yarn/cache/ms-npm-2.1.2-ec0c1512ff-673cdb2c31.zip and /dev/null differ diff --git a/.yarn/cache/proc-log-npm-5.0.0-405173f9b4-35610bdb01.zip b/.yarn/cache/proc-log-npm-5.0.0-405173f9b4-35610bdb01.zip new file mode 100644 index 000000000000..0dea7475460a Binary files /dev/null and b/.yarn/cache/proc-log-npm-5.0.0-405173f9b4-35610bdb01.zip differ diff --git a/.yarn/cache/sigstore-npm-3.1.0-06f5d23d7f-fc2a38d11b.zip b/.yarn/cache/sigstore-npm-3.1.0-06f5d23d7f-fc2a38d11b.zip new file mode 100644 index 000000000000..85187d5358dc Binary files /dev/null and b/.yarn/cache/sigstore-npm-3.1.0-06f5d23d7f-fc2a38d11b.zip differ diff --git a/.yarn/cache/ssri-npm-12.0.0-97c0e53d2e-7024c1a6e3.zip b/.yarn/cache/ssri-npm-12.0.0-97c0e53d2e-7024c1a6e3.zip new file mode 100644 index 000000000000..313f0a50213f Binary files /dev/null and b/.yarn/cache/ssri-npm-12.0.0-97c0e53d2e-7024c1a6e3.zip differ diff --git a/.yarn/cache/ssri-npm-6.0.1-a40d823fc9-aa85bffced.zip b/.yarn/cache/ssri-npm-6.0.1-a40d823fc9-aa85bffced.zip deleted file mode 100644 index 327df236103a..000000000000 Binary files a/.yarn/cache/ssri-npm-6.0.1-a40d823fc9-aa85bffced.zip and /dev/null differ diff --git a/.yarn/cache/tuf-js-npm-3.0.1-9135d15fbd-880219a55e.zip b/.yarn/cache/tuf-js-npm-3.0.1-9135d15fbd-880219a55e.zip new file mode 100644 index 000000000000..f26dd89418d6 Binary files /dev/null and b/.yarn/cache/tuf-js-npm-3.0.1-9135d15fbd-880219a55e.zip differ diff --git a/.yarn/versions/e30c5e10.yml b/.yarn/versions/e30c5e10.yml new file mode 100644 index 000000000000..b9c30c9c0184 --- /dev/null +++ b/.yarn/versions/e30c5e10.yml @@ -0,0 +1,34 @@ +releases: + "@yarnpkg/cli": minor + "@yarnpkg/core": minor + "@yarnpkg/plugin-npm": minor + "@yarnpkg/plugin-npm-cli": minor + +declined: + - "@yarnpkg/plugin-compat" + - "@yarnpkg/plugin-constraints" + - "@yarnpkg/plugin-dlx" + - "@yarnpkg/plugin-essentials" + - "@yarnpkg/plugin-exec" + - "@yarnpkg/plugin-file" + - "@yarnpkg/plugin-git" + - "@yarnpkg/plugin-github" + - "@yarnpkg/plugin-http" + - "@yarnpkg/plugin-init" + - "@yarnpkg/plugin-interactive-tools" + - "@yarnpkg/plugin-link" + - "@yarnpkg/plugin-nm" + - "@yarnpkg/plugin-pack" + - "@yarnpkg/plugin-patch" + - "@yarnpkg/plugin-pnp" + - "@yarnpkg/plugin-pnpm" + - "@yarnpkg/plugin-stage" + - "@yarnpkg/plugin-typescript" + - "@yarnpkg/plugin-version" + - "@yarnpkg/plugin-workspace-tools" + - "@yarnpkg/builder" + - "@yarnpkg/doctor" + - "@yarnpkg/extensions" + - "@yarnpkg/nm" + - "@yarnpkg/pnpify" + - "@yarnpkg/sdks" diff --git a/.yarnrc.yml b/.yarnrc.yml index a9feaf4fa045..be1fc99048f4 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -17,6 +17,8 @@ initScope: yarnpkg npmPublishAccess: public +npmPublishProvenance: true + packageExtensions: "@codemirror/lang-html@*": dependencies: diff --git a/package.json b/package.json index 0a57352c68f3..5562e394f28f 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,9 @@ }, "resolutions": { "ink@^3.2.0": "patch:ink@npm%3A3.2.0#~/.yarn/patches/ink-npm-3.2.0-2f1df5b094.patch", - "yoga-layout-prebuilt": "patch:yoga-layout-prebuilt@1.10.0#./.yarn/patches/yoga-layout-prebuilt.patch" + "yoga-layout-prebuilt": "patch:yoga-layout-prebuilt@1.10.0#./.yarn/patches/yoga-layout-prebuilt.patch", + "make-fetch-happen@npm:^14.0.1": "portal:packages/make-fetch-smaller", + "make-fetch-happen@npm:^14.0.2": "portal:packages/make-fetch-smaller" }, "dependenciesMeta": { "core-js": { diff --git a/packages/docusaurus/docs/advanced/01-general-reference/error-codes.mdx b/packages/docusaurus/docs/advanced/01-general-reference/error-codes.mdx index 81945a713217..7fe6afdbf987 100644 --- a/packages/docusaurus/docs/advanced/01-general-reference/error-codes.mdx +++ b/packages/docusaurus/docs/advanced/01-general-reference/error-codes.mdx @@ -444,3 +444,44 @@ Our research showed that even our power users aren't always aware of some of the When enabled, the `enableOfflineMode` flag tells Yarn to ignore remote registries and only pull data from its internal caches. This is a handy mode when working from within network-constrained environments such as planes or trains. To leave the offline work mode, check how it got enabled by running `yarn config --why`. If ``, run `unset YARN_ENABLE_OFFLINE_MODE` in your terminal. Otherwise, remove the `enableOfflineMode` flag from the relevant `.yarnrc.yml` files. + +## YN0091 - `INVALID_PROVENANCE_ENVIRONMENT` + +This error is triggered when the [provenance statement](https://docs.npmjs.com/generating-provenance-statements) cannot be generated in the current environment. GitHub Actions and GitLab CI are the only supported environments at the moment, and this error is triggered when either running in another environment or when credentials are missing. + +On GitHub Actions, you need to grant the `write-id` permission to your workflow. Here is an example of how to do that: + +```yaml +name: Publish Package to npmjs +on: + push: + branches: [main] +jobs: + publish: + runs-on: ubuntu-latest # Must run on GitHub-hosted runners + permissions: + id-token: write + steps: + - uses: actions/checkout@v4 + - run: npm install -g corepack && corepack enable + - run: yarn && yarn build + - run: yarn config set npmAuthToken '${{ secrets.NPM_TOKEN }}' + - run: yarn publish --provenance --tolerate-republish +``` + +On GitLab CI, you need to produce a `SIGSTORE_ID_TOKEN` for your workflow. Here is an example of how to do that: + +```yaml +publish: + image: 'node:22' + rules: + - if: '$CI_COMMIT_BRANCH == "main"' + id_tokens: + SIGSTORE_ID_TOKEN: + aud: sigstore + script: + - npm install -g corepack && corepack enable + - yarn && yarn build + - yarn config set npmAuthToken $NPM_TOKEN + - yarn publish --provenance --tolerate-republish +``` diff --git a/packages/docusaurus/static/configuration/manifest.json b/packages/docusaurus/static/configuration/manifest.json index c2812ccee4d2..e83d50ff6af0 100644 --- a/packages/docusaurus/static/configuration/manifest.json +++ b/packages/docusaurus/static/configuration/manifest.json @@ -362,6 +362,11 @@ "format": "uri-reference", "examples": ["./build/index.mjs"] }, + "provenance": { + "title": "Define whether to produce a provenance statement for the package when publishing. Overrides all other provenance settings.", + "type": "boolean", + "examples": [true] + }, "registry": { "description": "If present, will replace whatever registry is defined in the configuration when the package is about to be pushed to a remote location.", "type": "string", diff --git a/packages/docusaurus/static/configuration/yarnrc.json b/packages/docusaurus/static/configuration/yarnrc.json index 92a304c23ce6..07f342f90a27 100644 --- a/packages/docusaurus/static/configuration/yarnrc.json +++ b/packages/docusaurus/static/configuration/yarnrc.json @@ -529,9 +529,16 @@ "_package": "@yarnpkg/plugin-npm-cli", "type": "string", "title": "Define the default access to use when publishing packages to the npm registry.", - "description": "Valid values are `public` and `restricted`, but `restricted` usually requires to register for a paid plan (this is up to the registry you use). Can be overridden on a per-package basis using the `publishConfig.access` field.", + "description": "Valid values are `public` and `restricted`, but `restricted` usually requires to register for a paid plan (this is up to the registry you use). Can be overridden on a per-package basis using the [`publishConfig.access`](manifest#publishConfig.access) field.", "enum": ["public", "restricted"] }, + "npmPublishProvenance": { + "_package": "@yarnpkg/plugin-npm-cli", + "title": "Define whether to attach a provenance statement when publishing packages to the npm registry.", + "description": "If true, Yarn will generate and publish the provenance information when publishing packages. Can be overridden on a per-package basis using the [`publishConfig.provenance`](manifest#publishConfig.provenance) field.", + "type": "boolean", + "default": false + }, "npmAuditExcludePackages": { "_package": "@yarnpkg/plugin-npm-cli", "title": "Array of package name glob patterns to exclude from `yarn npm audit`.", diff --git a/packages/make-fetch-smaller/README.md b/packages/make-fetch-smaller/README.md new file mode 100644 index 000000000000..72e0e940abc1 --- /dev/null +++ b/packages/make-fetch-smaller/README.md @@ -0,0 +1,5 @@ +# make-fetch-smaller + +This package is a drop-in replacement for `make-fetch-happen`, but uses Node.js native `fetch` instead of pulling [79 dependencies.](https://node-modules.dev/graph#install=make-fetch-happen) + +It is used by the [sigstore](https://www.npmjs.com/package/sigstore) package and its dependencies to produce the provenance statement for packages published to the npm registry with `yarn npm publish --provenance`. diff --git a/packages/make-fetch-smaller/index.js b/packages/make-fetch-smaller/index.js new file mode 100644 index 000000000000..2265e59a5379 --- /dev/null +++ b/packages/make-fetch-smaller/index.js @@ -0,0 +1,2 @@ +// eslint-disable-next-line +module.exports = fetch; diff --git a/packages/make-fetch-smaller/package.json b/packages/make-fetch-smaller/package.json new file mode 100644 index 000000000000..269beb3a4f73 --- /dev/null +++ b/packages/make-fetch-smaller/package.json @@ -0,0 +1,14 @@ +{ + "name": "make-fetch-smaller", + "private": true, + "repository": { + "type": "git", + "url": "git+https://github.com/yarnpkg/berry.git", + "directory": "packages/make-fetch-smaller" + }, + "license": "BSD-2-Clause", + "type": "commonjs", + "engines": { + "node": ">=18.12.0" + } +} diff --git a/packages/plugin-npm-cli/sources/commands/npm/publish.ts b/packages/plugin-npm-cli/sources/commands/npm/publish.ts index a47e608290f8..34cada32c90c 100644 --- a/packages/plugin-npm-cli/sources/commands/npm/publish.ts +++ b/packages/plugin-npm-cli/sources/commands/npm/publish.ts @@ -42,6 +42,10 @@ export default class NpmPublishCommand extends BaseCommand { description: `The OTP token to use with the command`, }); + provenance = Option.Boolean(`--provenance`, false, { + description: `Generate provenance for the package. Only available in GitHub Actions and GitLab CI. Can be set globally through the \`npmPublishProvenance\` setting or the \`YARN_NPM_CONFIG_PROVENANCE\` environment variable, or per-package through the \`publishConfig.provenance\` field in package.json.`, + }); + async execute() { const configuration = await Configuration.find(this.context.cwd, this.context.plugins); const {project, workspace} = await Project.find(configuration, this.context.cwd); @@ -102,11 +106,29 @@ export default class NpmPublishCommand extends BaseCommand { const buffer = await miscUtils.bufferStream(pack); const gitHead = await npmPublishUtils.getGitHead(workspace.cwd); + + let provenance = false; + if (workspace.manifest.publishConfig && `provenance` in workspace.manifest.publishConfig) { + provenance = Boolean(workspace.manifest.publishConfig.provenance); + if (provenance) { + report.reportInfo(null, `Generating provenance statement because \`publishConfig.provenance\` field is set.`); + } else { + report.reportInfo(null, `Skipping provenance statement because \`publishConfig.provenance\` field is set to false.`); + } + } else if (this.provenance) { + provenance = true; + report.reportInfo(null, `Generating provenance statement because \`--provenance\` flag is set.`); + } else if (configuration.get(`npmPublishProvenance`)) { + provenance = true; + report.reportInfo(null, `Generating provenance statement because \`npmPublishProvenance\` setting is set.`); + } + const body = await npmPublishUtils.makePublishBody(workspace, buffer, { access: this.access, tag: this.tag, registry, gitHead, + provenance, }); await npmHttpUtils.put(npmHttpUtils.getIdentUrl(ident), body, { diff --git a/packages/plugin-npm-cli/sources/index.ts b/packages/plugin-npm-cli/sources/index.ts index 3aae3b6adee8..9d6ad07031c7 100644 --- a/packages/plugin-npm-cli/sources/index.ts +++ b/packages/plugin-npm-cli/sources/index.ts @@ -27,6 +27,7 @@ export {NpmWhoamiCommand}; declare module '@yarnpkg/core' { interface ConfigurationValueMap { npmPublishAccess: string | null; + npmPublishProvenance: boolean; npmAuditExcludePackages: Array; npmAuditIgnoreAdvisories: Array; } @@ -39,6 +40,11 @@ const plugin: Plugin = { type: SettingsType.STRING, default: null, }, + npmPublishProvenance: { + description: `Whether to generate provenance for the published packages`, + type: SettingsType.BOOLEAN, + default: false, + }, npmAuditExcludePackages: { description: `Array of glob patterns of packages to exclude from npm audit`, type: SettingsType.STRING, diff --git a/packages/plugin-npm/README.md b/packages/plugin-npm/README.md index 20949cb0ad9f..782c34e504f6 100644 --- a/packages/plugin-npm/README.md +++ b/packages/plugin-npm/README.md @@ -5,3 +5,7 @@ This plugin adds support for downloading packages from the npm registry. ## Install This plugin is included by default in Yarn. + +## Attribution + +Provenance code adapted from [npm/cli](https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/lib/provenance.js), under [ISC license](https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/LICENSE). diff --git a/packages/plugin-npm/package.json b/packages/plugin-npm/package.json index e699a885b8ee..c0d3f939d7fb 100644 --- a/packages/plugin-npm/package.json +++ b/packages/plugin-npm/package.json @@ -12,7 +12,8 @@ "enquirer": "^2.3.6", "lodash": "^4.17.15", "semver": "^7.1.2", - "ssri": "^6.0.1", + "sigstore": "^3.1.0", + "ssri": "^12.0.0", "tslib": "^2.4.0" }, "peerDependencies": { @@ -22,7 +23,7 @@ "devDependencies": { "@types/lodash": "^4.14.136", "@types/semver": "^7.1.0", - "@types/ssri": "^6.0.1", + "@types/ssri": "^7.1.5", "@yarnpkg/core": "workspace:^", "@yarnpkg/plugin-pack": "workspace:^" }, diff --git a/packages/plugin-npm/sources/npmProvenance.ts b/packages/plugin-npm/sources/npmProvenance.ts new file mode 100644 index 000000000000..c0e52f759e92 --- /dev/null +++ b/packages/plugin-npm/sources/npmProvenance.ts @@ -0,0 +1,220 @@ +/** + * This code is adapted from the npm project, under ISC License. + * + * Original source: + * https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/lib/provenance.js + */ + +import {MessageName, ReportError} from '@yarnpkg/core'; +import * as sigstore from 'sigstore'; + +const {env} = process; + +const INTOTO_PAYLOAD_TYPE = `application/vnd.in-toto+json`; +const INTOTO_STATEMENT_V01_TYPE = `https://in-toto.io/Statement/v0.1`; +const INTOTO_STATEMENT_V1_TYPE = `https://in-toto.io/Statement/v1`; +const SLSA_PREDICATE_V02_TYPE = `https://slsa.dev/provenance/v0.2`; +const SLSA_PREDICATE_V1_TYPE = `https://slsa.dev/provenance/v1`; + +const GITHUB_BUILDER_ID_PREFIX = `https://github.com/actions/runner`; +const GITHUB_BUILD_TYPE = `https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1`; + +const GITLAB_BUILD_TYPE_PREFIX = `https://github.com/npm/cli/gitlab`; +const GITLAB_BUILD_TYPE_VERSION = `v0alpha1`; + +export const generateProvenance = async (subject: any, opts?: sigstore.SignOptions) => { + let payload: unknown; + if (env.GITHUB_ACTIONS) { + if (!env.ACTIONS_ID_TOKEN_REQUEST_URL) { + throw new ReportError( + MessageName.INVALID_PROVENANCE_ENVIRONMENT, + `Provenance generation in GitHub Actions requires "write" access to the "id-token" permission`, + ); + } + + const relativeRef = (env.GITHUB_WORKFLOW_REF || ``).replace(`${env.GITHUB_REPOSITORY}/`, ``); + const delimiterIndex = relativeRef.indexOf(`@`); + const workflowPath = relativeRef.slice(0, delimiterIndex); + const workflowRef = relativeRef.slice(delimiterIndex + 1); + + payload = { + _type: INTOTO_STATEMENT_V1_TYPE, + subject, + predicateType: SLSA_PREDICATE_V1_TYPE, + predicate: { + buildDefinition: { + buildType: GITHUB_BUILD_TYPE, + externalParameters: { + workflow: { + ref: workflowRef, + repository: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`, + path: workflowPath, + }, + }, + internalParameters: { + github: { + event_name: env.GITHUB_EVENT_NAME, + repository_id: env.GITHUB_REPOSITORY_ID, + repository_owner_id: env.GITHUB_REPOSITORY_OWNER_ID, + }, + }, + resolvedDependencies: [ + { + uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`, + digest: { + gitCommit: env.GITHUB_SHA, + }, + }, + ], + }, + runDetails: { + builder: {id: `${GITHUB_BUILDER_ID_PREFIX}/${env.RUNNER_ENVIRONMENT}`}, + metadata: { + invocationId: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}/actions/runs/${env.GITHUB_RUN_ID}/attempts/${env.GITHUB_RUN_ATTEMPT}`, + }, + }, + }, + }; + } else if (env.GITLAB_CI) { + if (!env.SIGSTORE_ID_TOKEN) { + throw new ReportError( + MessageName.INVALID_PROVENANCE_ENVIRONMENT, + `Provenance generation in GitLab CI requires "SIGSTORE_ID_TOKEN" with "sigstore" audience to be present in "id_tokens". For more info see:\nhttps://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html`, + ); + } + + payload = { + _type: INTOTO_STATEMENT_V01_TYPE, + subject, + predicateType: SLSA_PREDICATE_V02_TYPE, + predicate: { + buildType: `${GITLAB_BUILD_TYPE_PREFIX}/${GITLAB_BUILD_TYPE_VERSION}`, + builder: {id: `${env.CI_PROJECT_URL}/-/runners/${env.CI_RUNNER_ID}`}, + invocation: { + configSource: { + uri: `git+${env.CI_PROJECT_URL}`, + digest: { + sha1: env.CI_COMMIT_SHA, + }, + entryPoint: env.CI_JOB_NAME, + }, + parameters: { + CI: env.CI, + CI_API_GRAPHQL_URL: env.CI_API_GRAPHQL_URL, + CI_API_V4_URL: env.CI_API_V4_URL, + CI_BUILD_BEFORE_SHA: env.CI_BUILD_BEFORE_SHA, + CI_BUILD_ID: env.CI_BUILD_ID, + CI_BUILD_NAME: env.CI_BUILD_NAME, + CI_BUILD_REF: env.CI_BUILD_REF, + CI_BUILD_REF_NAME: env.CI_BUILD_REF_NAME, + CI_BUILD_REF_SLUG: env.CI_BUILD_REF_SLUG, + CI_BUILD_STAGE: env.CI_BUILD_STAGE, + CI_COMMIT_BEFORE_SHA: env.CI_COMMIT_BEFORE_SHA, + CI_COMMIT_BRANCH: env.CI_COMMIT_BRANCH, + CI_COMMIT_REF_NAME: env.CI_COMMIT_REF_NAME, + CI_COMMIT_REF_PROTECTED: env.CI_COMMIT_REF_PROTECTED, + CI_COMMIT_REF_SLUG: env.CI_COMMIT_REF_SLUG, + CI_COMMIT_SHA: env.CI_COMMIT_SHA, + CI_COMMIT_SHORT_SHA: env.CI_COMMIT_SHORT_SHA, + CI_COMMIT_TIMESTAMP: env.CI_COMMIT_TIMESTAMP, + CI_COMMIT_TITLE: env.CI_COMMIT_TITLE, + CI_CONFIG_PATH: env.CI_CONFIG_PATH, + CI_DEFAULT_BRANCH: env.CI_DEFAULT_BRANCH, + CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX: + env.CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX, + CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX: env.CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX, + CI_DEPENDENCY_PROXY_SERVER: env.CI_DEPENDENCY_PROXY_SERVER, + CI_DEPENDENCY_PROXY_USER: env.CI_DEPENDENCY_PROXY_USER, + CI_JOB_ID: env.CI_JOB_ID, + CI_JOB_NAME: env.CI_JOB_NAME, + CI_JOB_NAME_SLUG: env.CI_JOB_NAME_SLUG, + CI_JOB_STAGE: env.CI_JOB_STAGE, + CI_JOB_STARTED_AT: env.CI_JOB_STARTED_AT, + CI_JOB_URL: env.CI_JOB_URL, + CI_NODE_TOTAL: env.CI_NODE_TOTAL, + CI_PAGES_DOMAIN: env.CI_PAGES_DOMAIN, + CI_PAGES_URL: env.CI_PAGES_URL, + CI_PIPELINE_CREATED_AT: env.CI_PIPELINE_CREATED_AT, + CI_PIPELINE_ID: env.CI_PIPELINE_ID, + CI_PIPELINE_IID: env.CI_PIPELINE_IID, + CI_PIPELINE_SOURCE: env.CI_PIPELINE_SOURCE, + CI_PIPELINE_URL: env.CI_PIPELINE_URL, + CI_PROJECT_CLASSIFICATION_LABEL: env.CI_PROJECT_CLASSIFICATION_LABEL, + CI_PROJECT_DESCRIPTION: env.CI_PROJECT_DESCRIPTION, + CI_PROJECT_ID: env.CI_PROJECT_ID, + CI_PROJECT_NAME: env.CI_PROJECT_NAME, + CI_PROJECT_NAMESPACE: env.CI_PROJECT_NAMESPACE, + CI_PROJECT_NAMESPACE_ID: env.CI_PROJECT_NAMESPACE_ID, + CI_PROJECT_PATH: env.CI_PROJECT_PATH, + CI_PROJECT_PATH_SLUG: env.CI_PROJECT_PATH_SLUG, + CI_PROJECT_REPOSITORY_LANGUAGES: env.CI_PROJECT_REPOSITORY_LANGUAGES, + CI_PROJECT_ROOT_NAMESPACE: env.CI_PROJECT_ROOT_NAMESPACE, + CI_PROJECT_TITLE: env.CI_PROJECT_TITLE, + CI_PROJECT_URL: env.CI_PROJECT_URL, + CI_PROJECT_VISIBILITY: env.CI_PROJECT_VISIBILITY, + CI_REGISTRY: env.CI_REGISTRY, + CI_REGISTRY_IMAGE: env.CI_REGISTRY_IMAGE, + CI_REGISTRY_USER: env.CI_REGISTRY_USER, + CI_RUNNER_DESCRIPTION: env.CI_RUNNER_DESCRIPTION, + CI_RUNNER_ID: env.CI_RUNNER_ID, + CI_RUNNER_TAGS: env.CI_RUNNER_TAGS, + CI_SERVER_HOST: env.CI_SERVER_HOST, + CI_SERVER_NAME: env.CI_SERVER_NAME, + CI_SERVER_PORT: env.CI_SERVER_PORT, + CI_SERVER_PROTOCOL: env.CI_SERVER_PROTOCOL, + CI_SERVER_REVISION: env.CI_SERVER_REVISION, + CI_SERVER_SHELL_SSH_HOST: env.CI_SERVER_SHELL_SSH_HOST, + CI_SERVER_SHELL_SSH_PORT: env.CI_SERVER_SHELL_SSH_PORT, + CI_SERVER_URL: env.CI_SERVER_URL, + CI_SERVER_VERSION: env.CI_SERVER_VERSION, + CI_SERVER_VERSION_MAJOR: env.CI_SERVER_VERSION_MAJOR, + CI_SERVER_VERSION_MINOR: env.CI_SERVER_VERSION_MINOR, + CI_SERVER_VERSION_PATCH: env.CI_SERVER_VERSION_PATCH, + CI_TEMPLATE_REGISTRY_HOST: env.CI_TEMPLATE_REGISTRY_HOST, + GITLAB_CI: env.GITLAB_CI, + GITLAB_FEATURES: env.GITLAB_FEATURES, + GITLAB_USER_ID: env.GITLAB_USER_ID, + GITLAB_USER_LOGIN: env.GITLAB_USER_LOGIN, + RUNNER_GENERATE_ARTIFACTS_METADATA: env.RUNNER_GENERATE_ARTIFACTS_METADATA, + }, + environment: { + name: env.CI_RUNNER_DESCRIPTION, + architecture: env.CI_RUNNER_EXECUTABLE_ARCH, + server: env.CI_SERVER_URL, + project: env.CI_PROJECT_PATH, + job: { + id: env.CI_JOB_ID, + }, + pipeline: { + id: env.CI_PIPELINE_ID, + ref: env.CI_CONFIG_PATH, + }, + }, + }, + metadata: { + buildInvocationId: `${env.CI_JOB_URL}`, + completeness: { + parameters: true, + environment: true, + materials: false, + }, + reproducible: false, + }, + materials: [ + { + uri: `git+${env.CI_PROJECT_URL}`, + digest: { + sha1: env.CI_COMMIT_SHA, + }, + }, + ], + }, + }; + } else { + throw new ReportError( + MessageName.INVALID_PROVENANCE_ENVIRONMENT, + `Provenance generation is only supported in GitHub Actions and GitLab CI`, + ); + } + return sigstore.attest(Buffer.from(JSON.stringify(payload)), INTOTO_PAYLOAD_TYPE, opts); +}; diff --git a/packages/plugin-npm/sources/npmPublishUtils.ts b/packages/plugin-npm/sources/npmPublishUtils.ts index f7c0e1a69cf5..d04195dd372a 100644 --- a/packages/plugin-npm/sources/npmPublishUtils.ts +++ b/packages/plugin-npm/sources/npmPublishUtils.ts @@ -2,26 +2,28 @@ import {execUtils, Ident} from '@yarnpkg/core'; import {Workspace, structUtils} from '@yarnpkg/core'; import {PortablePath, xfs, npath} from '@yarnpkg/fslib'; import {packUtils} from '@yarnpkg/plugin-pack'; -import {createHash} from 'crypto'; -import ssri from 'ssri'; +import ssri, {type Integrity} from 'ssri'; import {normalizeRegistry} from './npmConfigUtils'; +import {generateProvenance} from './npmProvenance'; type PublishAdditionalParams = { access: string | undefined; tag: string; registry: string; gitHead?: string; + provenance?: boolean; }; -export async function makePublishBody(workspace: Workspace, buffer: Buffer, {access, tag, registry, gitHead}: PublishAdditionalParams) { +export async function makePublishBody(workspace: Workspace, buffer: Buffer, {access, tag, registry, gitHead, provenance}: PublishAdditionalParams) { const ident = workspace.manifest.name!; const version = workspace.manifest.version!; const name = structUtils.stringifyIdent(ident); - const shasum = createHash(`sha1`).update(buffer).digest(`hex`); - const integrity = ssri.fromData(buffer).toString(); + const integrity = ssri.fromData(buffer, { + algorithms: [`sha1`, `sha512`], + }) as unknown as Record<`sha1` | `sha512`, Array>; const publishAccess = access ?? getPublishAccess(workspace, ident); const readmeContent = await getReadmeContent(workspace); @@ -35,15 +37,33 @@ export async function makePublishBody(workspace: Workspace, buffer: Buffer, {acc const tarballName = `${name}-${version}.tgz`; const tarballURL = new URL(`${normalizeRegistry(registry)}/${name}/-/${tarballName}`); + const _attachments = { + [tarballName]: { + [`content_type`]: `application/octet-stream`, + data: buffer.toString(`base64`), + length: buffer.length, + }, + }; + + // Adapted from https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/lib/publish.js#L138 + if (provenance) { + const subject = { + // Adapted from https://github.com/npm/npm-package-arg/blob/fbbf22ef99ece449428fee761ae8950c08bc2cbf/lib/npa.js#L118 + name: `pkg:npm/${name.replace(/^@/, `%40`)}@${version}`, + digest: {sha512: integrity.sha512[0].hexDigest()}, + }; + const provenanceBundle = await generateProvenance([subject]); + const serializedBundle = JSON.stringify(provenanceBundle); + _attachments[`${name}-${version}.sigstore`] = { + content_type: provenanceBundle.mediaType, + data: serializedBundle, + length: serializedBundle.length, + }; + } + return { _id: name, - _attachments: { - [tarballName]: { - [`content_type`]: `application/octet-stream`, - data: buffer.toString(`base64`), - length: buffer.length, - }, - }, + _attachments, name, access: publishAccess, @@ -62,8 +82,8 @@ export async function makePublishBody(workspace: Workspace, buffer: Buffer, {acc gitHead, dist: { - shasum, - integrity, + shasum: integrity.sha1[0].hexDigest(), + integrity: integrity.sha512[0].toString(), // the npm registry requires a tarball path, but it seems useless 🤷 tarball: tarballURL.toString(), diff --git a/packages/yarnpkg-core/sources/Manifest.ts b/packages/yarnpkg-core/sources/Manifest.ts index a49aafd1e22b..f322051c5742 100644 --- a/packages/yarnpkg-core/sources/Manifest.ts +++ b/packages/yarnpkg-core/sources/Manifest.ts @@ -28,13 +28,14 @@ export interface PeerDependencyMeta { export interface PublishConfig { access?: string; + bin?: Map; + browser?: PortablePath | Map; + executableFiles?: Set; main?: PortablePath; module?: PortablePath; - type?: string; - browser?: PortablePath | Map; - bin?: Map; + provenance?: boolean; registry?: string; - executableFiles?: Set; + type?: string; } export interface InstallConfig { diff --git a/packages/yarnpkg-core/sources/MessageName.ts b/packages/yarnpkg-core/sources/MessageName.ts index 857a5ac4c881..71e875e6344b 100644 --- a/packages/yarnpkg-core/sources/MessageName.ts +++ b/packages/yarnpkg-core/sources/MessageName.ts @@ -102,6 +102,7 @@ export enum MessageName { VERSION_NOTICE = 88, TIPS_NOTICE = 89, OFFLINE_MODE_ENABLED = 90, + INVALID_PROVENANCE_ENVIRONMENT = 91, } export function stringifyMessageName(name: MessageName | number): string { diff --git a/yarn.lock b/yarn.lock index d08b3099dc17..f88fe80bf736 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3973,6 +3973,64 @@ __metadata: languageName: node linkType: hard +"@sigstore/bundle@npm:^3.1.0": + version: 3.1.0 + resolution: "@sigstore/bundle@npm:3.1.0" + dependencies: + "@sigstore/protobuf-specs": "npm:^0.4.0" + checksum: 10/21b246ec63462e8508a8d001ca5d7937f63b6e15d5f2947ee2726d1e4674fb3f7640faa47b165bfea1d5b09df93fbdf10d1556427bba7e005e7f3a65b87f89b2 + languageName: node + linkType: hard + +"@sigstore/core@npm:^2.0.0": + version: 2.0.0 + resolution: "@sigstore/core@npm:2.0.0" + checksum: 10/ec1deae9430eeff580ad0f4ef2328b4eb7252db04587474fe9423d97736134ad79ee83aa2dfbc1fccfb18420c249e26e6e72e7176b592d7013eae5379dcb124d + languageName: node + linkType: hard + +"@sigstore/protobuf-specs@npm:^0.4.0": + version: 0.4.0 + resolution: "@sigstore/protobuf-specs@npm:0.4.0" + checksum: 10/b267b24c8aa66579de887192d7e7c5feae6cbe75c1911b217cae91dad9e9a3b230556c611775a1845e8f8f1e378b0821ca6beb3877a819e64dd00b2f120a93f4 + languageName: node + linkType: hard + +"@sigstore/sign@npm:^3.1.0": + version: 3.1.0 + resolution: "@sigstore/sign@npm:3.1.0" + dependencies: + "@sigstore/bundle": "npm:^3.1.0" + "@sigstore/core": "npm:^2.0.0" + "@sigstore/protobuf-specs": "npm:^0.4.0" + make-fetch-happen: "npm:^14.0.2" + proc-log: "npm:^5.0.0" + promise-retry: "npm:^2.0.1" + checksum: 10/e0ce0aa52b572eefa06a8260a7329f349c56217f2bbb6f167259c6e02e148987073e0dddc5e3c40ea4aafc89b8b0176e2617fb16f9c8c50cf0c1437b6c90fca4 + languageName: node + linkType: hard + +"@sigstore/tuf@npm:^3.1.0": + version: 3.1.0 + resolution: "@sigstore/tuf@npm:3.1.0" + dependencies: + "@sigstore/protobuf-specs": "npm:^0.4.0" + tuf-js: "npm:^3.0.1" + checksum: 10/7040aaa8b05ab2ff62fec078ccb2ebfe8d96b862ad11dc4daebb707e11b72e424f54c55b6878b6a5b6b551afd1209078dc4140dda0f93c5b3afac7cc5fb9bb16 + languageName: node + linkType: hard + +"@sigstore/verify@npm:^2.1.0": + version: 2.1.0 + resolution: "@sigstore/verify@npm:2.1.0" + dependencies: + "@sigstore/bundle": "npm:^3.1.0" + "@sigstore/core": "npm:^2.0.0" + "@sigstore/protobuf-specs": "npm:^0.4.0" + checksum: 10/bb0a8472c80d27f0647106f18fe71112262bc13f21384c224c62bfd69e0672e0dd635537e7df566018d37f6604c437f162bcbdfe0a9d427d77541da7f36b51eb + languageName: node + linkType: hard + "@sinclair/typebox@npm:^0.24.1": version: 0.24.20 resolution: "@sinclair/typebox@npm:0.24.20" @@ -4254,6 +4312,23 @@ __metadata: languageName: node linkType: hard +"@tufjs/canonical-json@npm:2.0.0": + version: 2.0.0 + resolution: "@tufjs/canonical-json@npm:2.0.0" + checksum: 10/cc719a1d0d0ae1aa1ba551a82c87dcbefac088e433c03a3d8a1d547ea721350e47dab4ab5b0fca40d5c7ab1f4882e72edc39c9eae15bf47c45c43bcb6ee39f4f + languageName: node + linkType: hard + +"@tufjs/models@npm:3.0.1": + version: 3.0.1 + resolution: "@tufjs/models@npm:3.0.1" + dependencies: + "@tufjs/canonical-json": "npm:2.0.0" + minimatch: "npm:^9.0.5" + checksum: 10/00636238b2e3ce557e7b5f6884594ee2379fd5a9588401fd6c8be2e2867fcaf836e226c6be81d87006701746037847e13bbc263c0ed0f38b4f28b1108a4b1d81 + languageName: node + linkType: hard + "@types/acorn@npm:^4.0.0": version: 4.0.6 resolution: "@types/acorn@npm:4.0.6" @@ -5025,10 +5100,12 @@ __metadata: languageName: node linkType: hard -"@types/ssri@npm:^6.0.1": - version: 6.0.1 - resolution: "@types/ssri@npm:6.0.1" - checksum: 10/1917e8c0189b0bf430d126a715e89be5d184d3a21b13665f6be8bd76b97e5fdce697fc49b27fdde1198669c25e83aae01126ab458c752242ec49089746c74f5f +"@types/ssri@npm:^7.1.5": + version: 7.1.5 + resolution: "@types/ssri@npm:7.1.5" + dependencies: + "@types/node": "npm:*" + checksum: 10/5d83e8a3ec7d41ffebd89041cc8db692f66af72d2bf408b4d13089da39c3cde8f0225e22b738c912073cb913e9813b4e76e59ab6c3a5f970639cf5c88c294edd languageName: node linkType: hard @@ -6110,14 +6187,15 @@ __metadata: dependencies: "@types/lodash": "npm:^4.14.136" "@types/semver": "npm:^7.1.0" - "@types/ssri": "npm:^6.0.1" + "@types/ssri": "npm:^7.1.5" "@yarnpkg/core": "workspace:^" "@yarnpkg/fslib": "workspace:^" "@yarnpkg/plugin-pack": "workspace:^" enquirer: "npm:^2.3.6" lodash: "npm:^4.17.15" semver: "npm:^7.1.2" - ssri: "npm:^6.0.1" + sigstore: "npm:^3.1.0" + ssri: "npm:^12.0.0" tslib: "npm:^2.4.0" peerDependencies: "@yarnpkg/core": "workspace:^" @@ -8865,15 +8943,15 @@ __metadata: languageName: node linkType: hard -"debug@npm:4, debug@npm:^4.0.0, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.3, debug@npm:^4.3.4": - version: 4.3.4 - resolution: "debug@npm:4.3.4" +"debug@npm:4, debug@npm:^4.0.0, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.3, debug@npm:^4.3.4, debug@npm:^4.3.6": + version: 4.4.0 + resolution: "debug@npm:4.4.0" dependencies: - ms: "npm:2.1.2" + ms: "npm:^2.1.3" peerDependenciesMeta: supports-color: optional: true - checksum: 10/0073c3bcbd9cb7d71dd5f6b55be8701af42df3e56e911186dfa46fac3a5b9eb7ce7f377dd1d3be6db8977221f8eb333d945216f645cf56f6b688cd484837d255 + checksum: 10/1847944c2e3c2c732514b93d11886575625686056cd765336212dc15de2d2b29612b6cd80e1afba767bb8e1803b778caf9973e98169ef1a24a7a7009e1820367 languageName: node linkType: hard @@ -10734,13 +10812,6 @@ __metadata: languageName: node linkType: hard -"figgy-pudding@npm:^3.5.1": - version: 3.5.1 - resolution: "figgy-pudding@npm:3.5.1" - checksum: 10/07c23bc3884ab39bd2b40fce0a6f4011dbd66d04f88819dff749a6c1285974c6850a1908f0aed3adf694aec720a24d688a2451bb402460d8b90b190f673905da - languageName: node - linkType: hard - "file-entry-cache@npm:^8.0.0": version: 8.0.0 resolution: "file-entry-cache@npm:8.0.0" @@ -14376,6 +14447,18 @@ __metadata: languageName: node linkType: hard +"make-fetch-happen@portal:packages/make-fetch-smaller::locator=%40yarnpkg%2Fmonorepo%40workspace%3A.": + version: 0.0.0-use.local + resolution: "make-fetch-happen@portal:packages/make-fetch-smaller::locator=%40yarnpkg%2Fmonorepo%40workspace%3A." + languageName: node + linkType: soft + +"make-fetch-smaller@workspace:packages/make-fetch-smaller": + version: 0.0.0-use.local + resolution: "make-fetch-smaller@workspace:packages/make-fetch-smaller" + languageName: unknown + linkType: soft + "makeerror@npm:1.0.12": version: 1.0.12 resolution: "makeerror@npm:1.0.12" @@ -15542,12 +15625,12 @@ __metadata: languageName: node linkType: hard -"minimatch@npm:^9.0.3, minimatch@npm:^9.0.4": - version: 9.0.4 - resolution: "minimatch@npm:9.0.4" +"minimatch@npm:^9.0.3, minimatch@npm:^9.0.4, minimatch@npm:^9.0.5": + version: 9.0.5 + resolution: "minimatch@npm:9.0.5" dependencies: brace-expansion: "npm:^2.0.1" - checksum: 10/4cdc18d112b164084513e890d6323370db14c22249d536ad1854539577a895e690a27513dc346392f61a4a50afbbd8abc88f3f25558bfbbbb862cd56508b20f5 + checksum: 10/dd6a8927b063aca6d910b119e1f2df6d2ce7d36eab91de83167dd136bb85e1ebff97b0d3de1cb08bd1f7e018ca170b4962479fefab5b2a69e2ae12cb2edc8348 languageName: node linkType: hard @@ -15618,6 +15701,13 @@ __metadata: languageName: node linkType: hard +"minipass@npm:^7.0.3": + version: 7.1.2 + resolution: "minipass@npm:7.1.2" + checksum: 10/c25f0ee8196d8e6036661104bacd743785b2599a21de5c516b32b3fa2b83113ac89a2358465bc04956baab37ffb956ae43be679b2262bf7be15fce467ccd7950 + languageName: node + linkType: hard + "minizlib@npm:^2.1.1, minizlib@npm:^2.1.2": version: 2.1.2 resolution: "minizlib@npm:2.1.2" @@ -15705,14 +15795,7 @@ __metadata: languageName: node linkType: hard -"ms@npm:2.1.2": - version: 2.1.2 - resolution: "ms@npm:2.1.2" - checksum: 10/673cdb2c3133eb050c745908d8ce632ed2c02d85640e2edb3ace856a2266a813b30c613569bf3354fdf4ea7d1a1494add3bfa95e2713baa27d0c2c71fc44f58f - languageName: node - linkType: hard - -"ms@npm:2.1.3, ms@npm:^2.0.0": +"ms@npm:2.1.3, ms@npm:^2.0.0, ms@npm:^2.1.3": version: 2.1.3 resolution: "ms@npm:2.1.3" checksum: 10/aa92de608021b242401676e35cfa5aa42dd70cbdc082b916da7fb925c542173e36bce97ea3e804923fe92c0ad991434e4a38327e15a1b5b5f945d66df615ae6d @@ -17404,6 +17487,13 @@ pem@dexus/pem: languageName: node linkType: hard +"proc-log@npm:^5.0.0": + version: 5.0.0 + resolution: "proc-log@npm:5.0.0" + checksum: 10/35610bdb0177d3ab5d35f8827a429fb1dc2518d9e639f2151ac9007f01a061c30e0c635a970c9b00c39102216160f6ec54b62377c92fac3b7bfc2ad4b98d195c + languageName: node + linkType: hard + "process-nextick-args@npm:~2.0.0": version: 2.0.0 resolution: "process-nextick-args@npm:2.0.0" @@ -19314,6 +19404,20 @@ pem@dexus/pem: languageName: node linkType: hard +"sigstore@npm:^3.1.0": + version: 3.1.0 + resolution: "sigstore@npm:3.1.0" + dependencies: + "@sigstore/bundle": "npm:^3.1.0" + "@sigstore/core": "npm:^2.0.0" + "@sigstore/protobuf-specs": "npm:^0.4.0" + "@sigstore/sign": "npm:^3.1.0" + "@sigstore/tuf": "npm:^3.1.0" + "@sigstore/verify": "npm:^2.1.0" + checksum: 10/fc2a38d11bd0e02b5dc8271e906ba7ea1aaa3dc19010dc6d29602b900532fa16b132cd6c80ec1c294f201f81f1277fb351020d0c65b6a62968f229db0b6c5a4f + languageName: node + linkType: hard + "simple-concat@npm:^1.0.0": version: 1.0.0 resolution: "simple-concat@npm:1.0.0" @@ -19646,12 +19750,12 @@ pem@dexus/pem: languageName: node linkType: hard -"ssri@npm:^6.0.1": - version: 6.0.1 - resolution: "ssri@npm:6.0.1" +"ssri@npm:^12.0.0": + version: 12.0.0 + resolution: "ssri@npm:12.0.0" dependencies: - figgy-pudding: "npm:^3.5.1" - checksum: 10/aa85bffceda5f005e094b43a59627a1bfc47c6df017f562b447e1d23e70c7d86aa2029ac0bc53b222a9f27bdf415ac2c39c7dbf99613cebef13ecf55f0966137 + minipass: "npm:^7.0.3" + checksum: 10/7024c1a6e39b3f18aa8f1c8290e884fe91b0f9ca5a6c6d410544daad54de0ba664db879afe16412e187c6c292fd60b937f047ee44292e5c2af2dcc6d8e1a9b48 languageName: node linkType: hard @@ -20418,6 +20522,17 @@ pem@dexus/pem: languageName: node linkType: hard +"tuf-js@npm:^3.0.1": + version: 3.0.1 + resolution: "tuf-js@npm:3.0.1" + dependencies: + "@tufjs/models": "npm:3.0.1" + debug: "npm:^4.3.6" + make-fetch-happen: "npm:^14.0.1" + checksum: 10/880219a55e9575fcbf2c15129284a13d093fb2a053874151df59b11511d1ba097df359deae7b4e731b16fc3abd8fceda5125a167ec0d16eb926a32b8f778faa8 + languageName: node + linkType: hard + "tunnel-agent@npm:^0.6.0": version: 0.6.0 resolution: "tunnel-agent@npm:0.6.0"