chore(deps): bump sigstore and semantic-release in /plugins/shopify-demo#4702
Open
dependabot[bot] wants to merge 1 commit into
Open
chore(deps): bump sigstore and semantic-release in /plugins/shopify-demo#4702dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [sigstore](https://github.com/sigstore/sigstore-js) to 4.1.1 and updates ancestor dependency [semantic-release](https://github.com/semantic-release/semantic-release). These dependencies need to be updated together. Updates `sigstore` from 1.2.0 to 4.1.1 - [Release notes](https://github.com/sigstore/sigstore-js/releases) - [Commits](https://github.com/sigstore/sigstore-js/compare/@sigstore/verify@1.2.0...sigstore@4.1.1) Updates `semantic-release` from 21.0.1 to 25.0.7 - [Release notes](https://github.com/semantic-release/semantic-release/releases) - [Commits](semantic-release/semantic-release@v21.0.1...v25.0.7) --- updated-dependencies: - dependency-name: sigstore dependency-version: 4.1.1 dependency-type: indirect - dependency-name: semantic-release dependency-version: 25.0.7 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
|
|
View your CI Pipeline Execution ↗ for commit 6134033
💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗ ☁️ Nx Cloud last updated this comment at |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps sigstore to 4.1.1 and updates ancestor dependency semantic-release. These dependencies need to be updated together.
Updates
sigstorefrom 1.2.0 to 4.1.1Release notes
Sourced from sigstore's releases.
... (truncated)
Commits
c1dc7d4Version Packages (#1607)f074710reject integratedTime w/o inclusionPromise (#1659)7845532OID certificate extension verification (#1658)b5aa4f1proper utf-8 encoding in DSSE PAE (#1657)c7a34e0clarify cert ID matching (#1656)9858bd7Upgrade TypeScript to 6.x (#1655)8cef20dbump qs from 6.15.1 to 6.15.2 (#1654)aca341bbump@sigstore/mockdeps (#1653)0855acaPin all@swc/coreplatform binaries as optionalDependencies (#1652)44a374dPin all@swc/coreplatform binaries as optionalDependencies (#1650)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for sigstore since your current version.
Updates
semantic-releasefrom 21.0.1 to 25.0.7Release notes
Sourced from semantic-release's releases.
... (truncated)
Commits
c46dbdafix: argument Injection via repositoryUrl in package.json (#4245)7abb562chore(deps): update npm to v12 (#4244)8b15865chore(deps): update dependency@types/nodeto v24.13.3 (#4243)8e28dd3fix: ensure encoded secrets get maskedf293647Merge commit from forka973d20ci(action): update github/codeql-action action to v4.37.0 (#4241)c62136fchore(deps): update dependency mockserver-client to v7.4.0 (#4240)9be3e6cchore(deps): lock file maintenance (#4239)3259ebbchore(deps): update dependency got to v15.1.0 (#4238)1c17eb5chore(deps): update dependency mockserver-client to v7.3.0 (#4237)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for semantic-release since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Dev-only dependency and lockfile changes in a demo plugin; no production runtime or auth logic touched, though CI/release jobs should still run on a Node version compatible with semantic-release 25.
Overview
Dependency-only update in
plugins/shopify-demofor release tooling:semantic-releaseis raised from 21.x to 25.0.7 (directdevDependency), andpackage-lock.jsonis refreshed so transitivesigstoremoves from 1.2.0 to 4.1.1 (pulled in via npm/pacote paths used by the release stack).There are no changes to plugin source, build config, or runtime dependencies—only lockfile/
devDependencyversions. The newer semantic-release line includes security fixes (e.g.repositoryUrlargument injection, improved secret masking); sigstore 4.x tightens verification behavior and drops Node 18 in that library, but it affects install/publish tooling, not the shipped Shopify demo bundle.Reviewed by Cursor Bugbot for commit 6134033. Bugbot is set up for automated code reviews on this repo. Configure here.