deps: bump pacote from 21.5.1 to 22.0.0 by dependabot[bot] · Pull Request #1121 · npm/statusboard

dependabot · 2026-06-22T09:33:30Z

Bumps pacote from 21.5.1 to 22.0.0.

Release notes

v22.0.0

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

09316f5 #504 bump to new node engine range (@owlstronaut)

2ab74b0 #497 strip patchedDependencies from the packed package.json (#497) (@manzoorwanijk)

66e7ea7 #487 forward globalIgnoreFile option to npm-packlist (@ljharb)

Bug Fixes

ce804fb #498 avoid ReDoS in addGitSha committish stripping (#498) (@owlstronaut)

1f5f131 #494 pass --global=false when preparing git dependencies (@owlstronaut)

e0af7f6 #486 respect ignoreScripts option for git dependencies (@owlstronaut)

12c8c8f #481 fall back to git clone when tarball response is not a valid archive (@babyhuey)

61f065a #481 use statusCode instead of constructor name for tarball fallback in git fetcher (@j1mb0-1)

6d160c1 #434 do not switch to git+ssh for https repository links (#434) (@oldium)

Dependencies

371e8b0 #504 ssri@14.0.0

b68c6c2 #504 sigstore@5.0.0

57793ab #504 proc-log@7.0.0

33eacc9 #504 npm-registry-fetch@20.0.1

a131916 #504 npm-pick-manifest@12.0.0

2b03527 #504 npm-packlist@11.2.0

5f8ad42 #504 npm-package-arg@14.0.0

ee3b96d #504 cacache@21.0.1

033f655 #504 @npmcli/run-script@11.0.0

ddcc738 #504 @npmcli/promise-spawn@10.0.0

6a28eb2 #504 @npmcli/package-json@8.0.0

5879416 #504 @npmcli/installed-package-contents@5.0.0

41ea727 #504 @npmcli/git@8.0.0

Chores

3fc5fd4 #504 @npmcli/eslint-config@7.0.0 (@owlstronaut)

7350ab8 #504 hosted-git-info@10.1.1 (@owlstronaut)

c7c7d7f #504 template-oss-apply (@owlstronaut)

e9ac85e #501 template-oss-apply (@owlstronaut)

e184356 #501 template-oss@5.1.0 (@owlstronaut)

644ebb6 #479 template-oss-apply (@owlstronaut)

ee64bea #479 @npmcli/template-oss@4.30.0 (@owlstronaut)

Changelog

Sourced from pacote's changelog.

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

09316f5 #504 bump to new node engine range (@owlstronaut)

2ab74b0 #497 strip patchedDependencies from the packed package.json (#497) (@manzoorwanijk)

66e7ea7 #487 forward globalIgnoreFile option to npm-packlist (@ljharb)

Bug Fixes

ce804fb #498 avoid ReDoS in addGitSha committish stripping (#498) (@owlstronaut)

1f5f131 #494 pass --global=false when preparing git dependencies (@owlstronaut)

e0af7f6 #486 respect ignoreScripts option for git dependencies (@owlstronaut)

12c8c8f #481 fall back to git clone when tarball response is not a valid archive (@babyhuey)

61f065a #481 use statusCode instead of constructor name for tarball fallback in git fetcher (@j1mb0-1)

6d160c1 #434 do not switch to git+ssh for https repository links (#434) (@oldium)

Dependencies

371e8b0 #504 ssri@14.0.0

b68c6c2 #504 sigstore@5.0.0

57793ab #504 proc-log@7.0.0

33eacc9 #504 npm-registry-fetch@20.0.1

a131916 #504 npm-pick-manifest@12.0.0

2b03527 #504 npm-packlist@11.2.0

5f8ad42 #504 npm-package-arg@14.0.0

ee3b96d #504 cacache@21.0.1

033f655 #504 @npmcli/run-script@11.0.0

ddcc738 #504 @npmcli/promise-spawn@10.0.0

6a28eb2 #504 @npmcli/package-json@8.0.0

5879416 #504 @npmcli/installed-package-contents@5.0.0

41ea727 #504 @npmcli/git@8.0.0

Chores

3fc5fd4 #504 @npmcli/eslint-config@7.0.0 (@owlstronaut)

7350ab8 #504 hosted-git-info@10.1.1 (@owlstronaut)

c7c7d7f #504 template-oss-apply (@owlstronaut)

e9ac85e #501 template-oss-apply (@owlstronaut)

e184356 #501 template-oss@5.1.0 (@owlstronaut)

644ebb6 #479 template-oss-apply (@owlstronaut)

ee64bea #479 @npmcli/template-oss@4.30.0 (@owlstronaut)

21.5.0 (2026-03-09)

Features

d912f17 #457 expose fetched attestation bundles on manifest (#457) (@mitchdenny)

Chores

586a55d #471 template-oss-apply for new macos images (#471) (@wraithgar)

d1cc5c8 #460 template-oss-apply for release branches (#460) (@wraithgar)

b741e8b #468 bump @npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@dependabot[bot], @npm-cli-bot)

21.4.0 (2026-02-24)

Features

6912f24 #451 add allowRegistry option (#451) (@wraithgar)

Bug Fixes

... (truncated)

Commits

e4e44c5 chore: release 22.0.0 (#480)
3fc5fd4 chore: @npmcli/eslint-config@7.0.0
371e8b0 deps: ssri@14.0.0
b68c6c2 deps: sigstore@5.0.0
57793ab deps: proc-log@7.0.0
33eacc9 deps: npm-registry-fetch@20.0.1
a131916 deps: npm-pick-manifest@12.0.0
2b03527 deps: npm-packlist@11.2.0
5f8ad42 deps: npm-package-arg@14.0.0
7350ab8 chore: hosted-git-info@10.1.1
Additional commits viewable in compare view

Bumps [pacote](https://github.com/npm/pacote) from 21.5.1 to 22.0.0. - [Release notes](https://github.com/npm/pacote/releases) - [Changelog](https://github.com/npm/pacote/blob/main/CHANGELOG.md) - [Commits](npm/pacote@v21.5.1...v22.0.0) --- updated-dependencies: - dependency-name: pacote dependency-version: 22.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the Dependencies Pull requests that update a dependency file label Jun 22, 2026

dependabot Bot requested a review from a team as a code owner June 22, 2026 09:33

dependabot Bot added the Dependencies Pull requests that update a dependency file label Jun 22, 2026

dependabot Bot temporarily deployed to github-pages June 22, 2026 09:34 Inactive

dependabot Bot force-pushed the dependabot/npm_and_yarn/main/pacote-22.0.0 branch from 990a67d to e4e670b Compare June 22, 2026 12:46

dependabot Bot temporarily deployed to github-pages June 22, 2026 12:46 Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

deps: bump pacote from 21.5.1 to 22.0.0#1121

deps: bump pacote from 21.5.1 to 22.0.0#1121
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/pacote-22.0.0

dependabot Bot commented on behalf of github Jun 22, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v22.0.0

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

Features

Bug Fixes

Dependencies

Chores

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

Features

Bug Fixes

Dependencies

Chores

21.5.0 (2026-03-09)

Features

Chores

21.4.0 (2026-02-24)

Features

Bug Fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 22, 2026 •

edited

Loading