CHANGELOG.md

Changelog

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@wraithgar)
• b741e8b #468 bump @npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@dependabot[bot], @npm-cli-bot)

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@wraithgar)

Bug Fixes

• ab37bc1 #452 prevent path duplication in attestation URL for registries with … (#452) (@ajayk)
• ab37bc1 #452 prevent path duplication in attestation URL for registries with (@ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (#454) (@ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (@ajayk)

Chores

• 0dfd1cd #456 remove git config from tests (#456) (@wraithgar)

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@wraithgar)

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@wraithgar)

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@wraithgar)

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@wraithgar)

21.0.4 (2025-11-13)

Dependencies

• edbcc02 #436 proc-log@6.0.0
• 8dc1f22 #436 @npmcli/installed-package-contents@4.0.0
• 505c3b0 #436 ssri@13.0.0
• a23fb17 #436 @npmcli/promise-spawn@9.0.0

Chores

• ff261aa #436 @npmcli/eslint-config@6.0.0 (@wraithgar)
• 2bba862 #436 @npmcli/template-oss@4.28.0 (@wraithgar)

21.0.3 (2025-09-17)

Dependencies

• eed1bd5 #431 @npmcli/git@7.0.0 (#431)

21.0.2 (2025-09-17)

Dependencies

• 32cb6d1 #429 npm-pick-manifest@11.0.1 (#429)

21.0.1 (2025-09-02)

Dependencies

• aae7798 #428 @npmcli/run-script@10.0.0
• 1b233e3 #428 @npmcli/package-json@7.0.0
• d4b97ec #428 sigstore@4.0.0
• cf27487 #428 npm-registry-fetch@19.0.0
• 3e89235 #428 npm-packlist@10.0.1
• d46fc27 #428 npm-package-arg@13.0.0
• 2a6a9f0 #428 hosted-git-info@9.0.0
• bbb72cf #428 cacache@20.0.0
• 8a642c0 #426 tar@7.4.3 (#426)

Chores

• f81d8ed #417 bump @npmcli/arborist from 8.0.0 to 9.0.0 (#417) (@dependabot[bot])
• 0310b7b #422 tests should not inherit --ignore-scripts flag from `npm run t… (#422) (@owlstronaut)

21.0.0 (2024-11-25)

⚠️ BREAKING CHANGES

• bun.lockb files are now included in the strict ignore list during packing
• this module is now compatible with the following node versions: ^20.17.0 || >=22.9.0

Bug Fixes

• 844dc08 update node engines to ^20.17.0 || >=22.9.0 (#414) (@wraithgar)

Dependencies

• 2cb6fa7 #415 npm-packlist@10.0.0 (#415)
• 47b928c #412 replace node builtin rmSync with rimraf (#412) (@mbtools)

Chores

• b6f35a2 #402 bump @npmcli/arborist from 7.5.4 to 8.0.0 (#402) (@dependabot[bot])
• 1ef54ba #408 support tests on win32 (#408) (@mbtools)
• 555b000 #401 bump @npmcli/template-oss from 4.23.3 to 4.23.4 (#401) (@dependabot[bot], @npm-cli-bot)

20.0.0 (2024-10-17)

⚠️ BREAKING CHANGES

• honors ignoreScripts property within options

Bug Fixes

• f27af63 #407 honors ignoreScripts option to prevent prepare lifecycle script (@reggi)

19.0.1 (2024-10-15)

Bug Fixes

• cbf94e8 #389 prepare script respects scriptshell config (#389) (@milaninfy)
• 2b2948f #403 log tarball retrieval from cache (#403) (@mbtools, @wraithgar)

Dependencies

• a9fc4d1 #405 bump sigstore from 2.2.0 to 3.0.0 (#405) (@bdehamer)

19.0.0 (2024-09-27)

⚠️ BREAKING CHANGES

• pacote now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 03b31ca #392 align to npm 10 node engine range (@reggi)

Dependencies

• f055f71 #395 bump npm-pick-manifest from 9.1.0 to 10.0.0 (#395) (@dependabot[bot])
• 932b9ab #396 bump @npmcli/package-json from 5.2.1 to 6.0.0 (#396) (@dependabot[bot])
• a1621f9 #397 bump npm-registry-fetch from 17.1.0 to 18.0.0 (#397) (@dependabot[bot])
• c776199 #398 bump cacache from 18.0.4 to 19.0.0 (#398) (@dependabot[bot])
• 6d59022 #399 bump @npmcli/git from 5.0.8 to 6.0.0 (#399)
• 21ea2d4 #400 bump @npmcli/run-script from 8.1.0 to 9.0.0 (#400)
• eddbc01 #392 ssri@12.0.0
• 6c672e9 #392 proc-log@5.0.0
• 03ba2a2 #392 npm-packlist@9.0.0
• 2710286 #392 npm-package-arg@12.0.0
• aa0bd4a #392 @npmcli/promise-spawn@8.0.0
• df23343 #392 @npmcli/installed-package-contents@3.0.0

Chores

• e4ed5cd #392 bump hosted-git-info ^7.0.0 to ^8.0.0 (@reggi)
• 2871f56 #392 run template-oss-apply (@reggi)
• 39643f1 #382 bump @npmcli/eslint-config from 4.0.5 to 5.0.0 (@dependabot[bot])
• 7e33c82 #383 postinstall for dependabot template-oss PR (@hashtagchris)
• e4e07bf #383 bump @npmcli/template-oss from 4.23.1 to 4.23.3 (@dependabot[bot])

18.0.6 (2024-05-07)

Bug Fixes

• 79441a5 #371 clean up requires (#371) (@wraithgar)
• b19aacb #369 isolate full and corgi packuments in packumentCache (#369) (@wraithgar)

18.0.5 (2024-05-06)

Bug Fixes

• 5e75582 #368 dont set _contentLength if not in headers (#368) (@lukekarrys)
• 1b6950b #365 move bin to its own directory (@lukekarrys)
• 1b6950b #365 refactor: symbol cleanup (#365) (@lukekarrys)

18.0.4 (2024-05-04)

Bug Fixes

• 5fd2c80 #363 linting: no-unused-vars (@lukekarrys)

Chores

• d867639 #363 bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
• a235f37 #363 postinstall for dependabot template-oss PR (@lukekarrys)

18.0.3 (2024-04-30)

Dependencies

• 5ecce7a #360 npm-registry-fetch@17.0.0 (#360)

18.0.2 (2024-04-24)

Bug Fixes

• 116b277 #358 don't strip underscore attributes in .manifest() (#358) (@wraithgar)

18.0.1 (2024-04-23)

Bug Fixes

• b547e0d #356 use @npmcli/package-json (#356) (@lukekarrys)

18.0.0 (2024-04-15)

⚠️ BREAKING CHANGES

• The silent option was used to control whether @npmcli/run-script would write a banner via console.log. Now ouput will be emitted via an process.emit('output').

Features

• 0c04569 #352 remove silent option (@lukekarrys)

Dependencies

• cb3abc2 #352 bump @npmcli/run-script from 7.0.4 to 8.0.0 (@dependabot[bot])

Chores

• 7089bb1 #355 postinstall for dependabot template-oss PR (@lukekarrys)
• 4952672 #355 bump @npmcli/template-oss from 4.21.3 to 4.21.4 (@dependabot[bot])

17.0.7 (2024-04-12)

Dependencies

• e07c3e5 #350 proc-log@4.0.0 (#350)

17.0.6 (2024-01-16)

Dependencies

• 0a5920f #343 bump sigstore from 2.0.0 to 2.2.0 (#343) (@bdehamer)

Chores

• 6fd23ad #342 postinstall for dependabot template-oss PR (@lukekarrys)
• c3b398a #342 bump @npmcli/template-oss from 4.21.1 to 4.21.3 (@dependabot[bot])
• 4557919 #337 postinstall for dependabot template-oss PR (@lukekarrys)
• c7e293c #337 bump @npmcli/template-oss from 4.19.0 to 4.21.1 (@dependabot[bot])

17.0.5 (2023-12-01)

Bug Fixes

• 0c96b9e #338 bug to support rotated keys in signature/attestation audit (#338) (@feelepxyz)

17.0.4 (2023-08-30)

Dependencies

• ba8f790 #309 bump @npmcli/promise-spawn from 6.0.2 to 7.0.0
• 2c0d3ae #308 bump @npmcli/run-script from 6.0.2 to 7.0.0

17.0.3 (2023-08-24)

Dependencies

• ace7c28 #305 bump npm-packlist from 7.0.4 to 8.0.0

17.0.2 (2023-08-18)

Dependencies

• c3b892d #303 bump sigstore from 1.3.0 to 2.0.0

17.0.1 (2023-08-15)

Dependencies

• 6ddae13 #302 bump npm-registry-fetch from 15.0.0 to 16.0.0
• 42bf787 #300 bump npm-pick-manifest from 8.0.2 to 9.0.0

17.0.0 (2023-08-15)

⚠️ BREAKING CHANGES

• support for node <=16.13 has been removed

Bug Fixes

• 2db2fb5 #296 drop node 16.13.x support (@lukekarrys)

Dependencies

• e9e964b #299 bump read-package-json from 6.0.4 to 7.0.0
• 5d26500 #298 bump npm-package-arg from 10.1.0 to 11.0.0
• d13bb9c #294 bump @npmcli/git from 4.1.0 to 5.0.0
• 7a25e39 #293 bump cacache from 17.1.4 to 18.0.0

16.0.0 (2023-07-28)

⚠️ BREAKING CHANGES

• the underlying fetch module now uses @npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.
• support for node 14 has been removed

Bug Fixes

• 73b6297 #290 drop node14 support (#290) (@wraithgar)

Dependencies

• 8dc6a32 bump minipass from 5.0.0 to 7.0.2
• 7cebf19 bump npm-registry-fetch from 14.0.5 to 15.0.0

15.2.0 (2023-05-03)

Features

• 3307ad9 #278 configurable TUF cache dir (#278) (@bdehamer)

15.1.3 (2023-04-27)

Dependencies

• c99db13 #271 bump minipass from 4.2.7 to 5.0.0 (#271)

15.1.2 (2023-04-20)

Documentation

• 43363dd #266 update dist details (#266) (@wraithgar)

Dependencies

• d5cb3df #276 sigstore@1.3.0 (#276)
• c231986 #267 sigstore@^1.1.0

15.1.1 (2023-02-21)

Bug Fixes

• 8f4e39c #261 always ignore ownership from tar headers (#261) (@nlf)

15.1.0 (2023-02-13)

Features

• 2916b72 #259 verifyAttestations to registry.manifest (@feelepxyz, @bdehamer)

Dependencies

• f0bd19b add sigstore 1.0.0

15.0.8 (2022-12-14)

Dependencies

• 40aa6fe #253 bump fs-minipass from 2.1.0 to 3.0.0

15.0.7 (2022-12-07)

Dependencies

• a734d61 #250 bump minipass from 3.3.6 to 4.0.0

15.0.6 (2022-11-02)

Dependencies

• dbbda43 #246 @npmcli/run-script@6.0.0

15.0.5 (2022-11-01)

Dependencies

• 63797a8 #244 bump @npmcli/promise-spawn from 5.0.0 to 6.0.1 (#244)

15.0.4 (2022-10-26)

Dependencies

• 854fad1 #239 bump @npmcli/promise-spawn from 4.0.0 to 5.0.0 (#239)

15.0.3 (2022-10-19)

Dependencies

• 2a95ddb #235 bump @npmcli/installed-package-contents (#235)

15.0.2 (2022-10-18)

Bug Fixes

• 95f9cd5 handle new npm-package-arg semantics (@wraithgar)

Dependencies

• 2ed4d22 npm-package-arg@10.0.0

15.0.1 (2022-10-17)

Dependencies

• 74821c2 #229 bump @npmcli/run-script from 4.2.1 to 5.0.0 (#229)
• a9844d0 #226 bump @npmcli/promise-spawn from 3.0.0 to 4.0.0 (#226)
• 1058177 #227 bump read-package-json from 5.0.2 to 6.0.0
• 0f5ef8a #228 bump @npmcli/installed-package-contents from 1.0.7 to 2.0.0
• 7e3b4b5 #220 bump ssri from 9.0.1 to 10.0.0
• 4e7536d #222 bump @npmcli/git from 3.0.2 to 4.0.0
• 3bc7550 #223 bump npm-pick-manifest from 7.0.2 to 8.0.0
• 41fab27 #224 bump proc-log from 2.0.1 to 3.0.0
• 4abf24a #218 bump npm-registry-fetch from 13.3.1 to 14.0.0 (#218)

15.0.0 (2022-10-13)

⚠️ BREAKING CHANGES

• this package no longer attempts to change file ownership automatically

Features

• 43ae022 #216 do not alter file ownership (#216) (@nlf)

Dependencies

• 2ac3980 #213 bump read-package-json-fast from 2.0.3 to 3.0.0

14.0.0 (2022-10-05)

Features

• ee16f1f #207 set as release (@fritzy)

14.0.0-pre.3 (2022-09-28)

⚠️ BREAKING CHANGES

• a @npmcli/arborist constructor must be passed in if no tree is provided and pacote is going to operate on git dependencies.

Features

• d6ef5dc #204 require arborist constructor to be passed in for preparing git dirs (#204) (@lukekarrys)

14.0.0-pre.2 (2022-09-27)

⚠️ BREAKING CHANGES

• pacote now has a peer dependency on @npmcli/arborist.

Features

• d3517fd #202 pacote now optionally takes a tree when preparing directories (@lukekarrys)

14.0.0-pre.1 (2022-09-22)

⚠️ BREAKING CHANGES

• the _cached attribute has been removed from packuments.

Bug Fixes

• 8ca3751 #175 packument: eliminate _cached field (#175) (@jablko)

14.0.0-pre.0 (2022-09-21)

⚠️ BREAKING CHANGES

• npm-packlist@6.0.0
• pacote is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Features

• 72e9be4 #197 postinstall for dependabot template-oss PR (@lukekarrys)

Dependencies

• 1216ec6 #200 npm-packlist@6.0.0

13.6.2 (2022-08-16)

Bug Fixes

• linting (#187) (cf1c5ed)

13.6.1 (2022-06-21)

Dependencies

• bump @npmcli/run-script from 3.0.3 to 4.1.0 (#185) (d0459ec)

13.6.0 (2022-06-01)

Features

• allow reuse of external integrity stream (fdb9e5a)
• replaceRegistryHost can now be a hostname (#177) (a9a4cdd)

Bug Fixes

• error when passing signature without keys (#176) (d69e524)

Documentation

• add some fields to the README (#180) (f356cb2)

13.5.0 (2022-05-25)

Features

• bump npm-packlist for workspace awareness (#178) (316059b)

13.4.1 (2022-05-19)

Bug Fixes

• pass prefix and workspaces to npm-packlist (#173) (6de3a2b)

13.4.0 (2022-05-17)

Features

• add verifySignatures to registry.manifest (#170) (4401c58)

13.3.0 (2022-05-04)

Features

• add _signatures to manifest (3ae73f2)

13.2.0 (2022-05-02)

Features

• add always option to replaceRegistryHost (#164) (edd1ee5)

13.1.1 (2022-04-06)

Dependencies

• bump npm-packlist from 4.0.0 to 5.0.0 (#159) (d7f07d6)

13.1.0 (2022-04-05)

Features

• add option to not replace magic registry host (#143) (f519cf4)

13.0.6 (2022-04-05)

Bug Fixes

• replace deprecated String.prototype.substr() (e307e17)

Dependencies

• bump @npmcli/promise-spawn from 1.3.2 to 3.0.0 (#154) (9a0ec63)
• bump ssri from 8.0.1 to 9.0.0 (#157) (0993b18)

13.0.5 (2022-03-15)

Dependencies

• bump read-package-json from 4.1.2 to 5.0.0 (#138) (f28c891)

13.0.4 (2022-03-14)

Dependencies

• bump cacache from 15.3.0 to 16.0.0 (#136) (ed3a069)
• bump npm-packlist from 3.0.0 to 4.0.0 (#132) (1634e9d)
• update @npmcli/run-script requirement from ^3.0.0 to ^3.0.1 (#130) (7c84792)
• update npm-registry-fetch requirement from ^13.0.0 to ^13.0.1 (#129) (d639ed6)
• update read-package-json requirement from ^4.1.1 to ^4.1.2 (#134) (31093a1)

13.0.3 (2022-02-23)

Bug Fixes

• ignore integrity values for git dependencies (#123) (3417714)

Dependencies

• bump @npmcli/run-script from 2.0.0 to 3.0.0 (#124) (6026b73)

13.0.2 (2022-02-16)

Bug Fixes

• run prepack lifecycle scripts on git fetcher (#121) (82d8afc)

Dependencies

• bump @npmcli/git from 2.1.0 to 3.0.0 (#120) (56d0c62)

13.0.1 (2022-02-16)

Bug Fixes

• reify git dependencies that have workspaces (#103) (08348fa)

Dependencies

• bump npm-registry-fetch from 12.0.2 to 13.0.0 (#118) (25eeb97)

13.0.0 (2022-02-14)

⚠ BREAKING CHANGES

• It replaces the only use of npmlog.level with a boolean silent which is now used to to suppress @npmcli/run-script banners instead.

Features

• add fullReadJson option (#101) (2ddf67f)
• use proc-log and drop support for log property (#104) (26e01b0)

Dependencies

• bump npm-package-arg from 8.1.5 to 9.0.0 (#113) (5b3b82d)
• bump npm-pick-manifest from 6.1.1 to 7.0.0 (3940b46)
• update @npmcli/installed-package-contents requirement (0413eff)
• update cacache requirement from ^15.0.5 to ^15.3.0 (#112) (0321cf0)
• update minipass requirement from ^3.1.3 to ^3.1.6 (#115) (9548c8c)
• update mkdirp requirement from ^1.0.3 to ^1.0.4 (c204aa2)
• update npm-registry-fetch requirement from ^12.0.0 to ^12.0.2 (97e7ab5)
• update read-package-json-fast requirement from ^2.0.1 to ^2.0.3 (be32161)
• update tar requirement from ^6.1.0 to ^6.1.11 (#107) (650e188)