chore(deps): bump the dependencies group with 2 updates

[dependabot]

Bumps the dependencies group with 2 updates: pacote and @npmcli/arborist.

Updates pacote from 21.5.1 to 22.0.0

Release notes

Sourced from pacote's releases.

v22.0.0

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

• pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

• 09316f5 #504 bump to new node engine range (@​owlstronaut)
• 2ab74b0 #497 strip patchedDependencies from the packed package.json (#497) (@​manzoorwanijk)
• 66e7ea7 #487 forward globalIgnoreFile option to npm-packlist (@​ljharb)

Bug Fixes

• ce804fb #498 avoid ReDoS in addGitSha committish stripping (#498) (@​owlstronaut)
• 1f5f131 #494 pass --global=false when preparing git dependencies (@​owlstronaut)
• e0af7f6 #486 respect ignoreScripts option for git dependencies (@​owlstronaut)
• 12c8c8f #481 fall back to git clone when tarball response is not a valid archive (@​babyhuey)
• 61f065a #481 use statusCode instead of constructor name for tarball fallback in git fetcher (@​j1mb0-1)
• 6d160c1 #434 do not switch to git+ssh for https repository links (#434) (@​oldium)

Dependencies

• 371e8b0 #504 ssri@14.0.0
• b68c6c2 #504 sigstore@5.0.0
• 57793ab #504 proc-log@7.0.0
• 33eacc9 #504 npm-registry-fetch@20.0.1
• a131916 #504 npm-pick-manifest@12.0.0
• 2b03527 #504 npm-packlist@11.2.0
• 5f8ad42 #504 npm-package-arg@14.0.0
• ee3b96d #504 cacache@21.0.1
• 033f655 #504 @npmcli/run-script@11.0.0
• ddcc738 #504 @npmcli/promise-spawn@10.0.0
• 6a28eb2 #504 @npmcli/package-json@8.0.0
• 5879416 #504 @npmcli/installed-package-contents@5.0.0
• 41ea727 #504 @npmcli/git@8.0.0

Chores

• 3fc5fd4 #504 @npmcli/eslint-config@7.0.0 (@​owlstronaut)
• 7350ab8 #504 hosted-git-info@10.1.1 (@​owlstronaut)
• c7c7d7f #504 template-oss-apply (@​owlstronaut)
• e9ac85e #501 template-oss-apply (@​owlstronaut)
• e184356 #501 template-oss@5.1.0 (@​owlstronaut)
• 644ebb6 #479 template-oss-apply (@​owlstronaut)
• ee64bea #479 @npmcli/template-oss@4.30.0 (@​owlstronaut)

Changelog

Sourced from pacote's changelog.

22.0.0 (2026-06-15)

⚠️ BREAKING CHANGES

• pacote now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• git specs using the https or git+https protocol now resolve to git+https URLs instead of being switched to git+ssh. Shortcut specs (e.g. github:user/repo, user/repo) and git+ssh/git:// specs are unchanged.

Features

• 09316f5 #504 bump to new node engine range (@​owlstronaut)
• 2ab74b0 #497 strip patchedDependencies from the packed package.json (#497) (@​manzoorwanijk)
• 66e7ea7 #487 forward globalIgnoreFile option to npm-packlist (@​ljharb)

Bug Fixes

• ce804fb #498 avoid ReDoS in addGitSha committish stripping (#498) (@​owlstronaut)
• 1f5f131 #494 pass --global=false when preparing git dependencies (@​owlstronaut)
• e0af7f6 #486 respect ignoreScripts option for git dependencies (@​owlstronaut)
• 12c8c8f #481 fall back to git clone when tarball response is not a valid archive (@​babyhuey)
• 61f065a #481 use statusCode instead of constructor name for tarball fallback in git fetcher (@​j1mb0-1)
• 6d160c1 #434 do not switch to git+ssh for https repository links (#434) (@​oldium)

Dependencies

• 371e8b0 #504 ssri@14.0.0
• b68c6c2 #504 sigstore@5.0.0
• 57793ab #504 proc-log@7.0.0
• 33eacc9 #504 npm-registry-fetch@20.0.1
• a131916 #504 npm-pick-manifest@12.0.0
• 2b03527 #504 npm-packlist@11.2.0
• 5f8ad42 #504 npm-package-arg@14.0.0
• ee3b96d #504 cacache@21.0.1
• 033f655 #504 @npmcli/run-script@11.0.0
• ddcc738 #504 @npmcli/promise-spawn@10.0.0
• 6a28eb2 #504 @npmcli/package-json@8.0.0
• 5879416 #504 @npmcli/installed-package-contents@5.0.0
• 41ea727 #504 @npmcli/git@8.0.0

Chores

• 3fc5fd4 #504 @npmcli/eslint-config@7.0.0 (@​owlstronaut)
• 7350ab8 #504 hosted-git-info@10.1.1 (@​owlstronaut)
• c7c7d7f #504 template-oss-apply (@​owlstronaut)
• e9ac85e #501 template-oss-apply (@​owlstronaut)
• e184356 #501 template-oss@5.1.0 (@​owlstronaut)
• 644ebb6 #479 template-oss-apply (@​owlstronaut)
• ee64bea #479 @npmcli/template-oss@4.30.0 (@​owlstronaut)

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@​mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@​wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@​wraithgar)
• b741e8b #468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@​dependabot[bot], @​npm-cli-bot)

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@​wraithgar)

Bug Fixes

... (truncated)

Commits

• e4e44c5 chore: release 22.0.0 (#480)
• 3fc5fd4 chore: @​npmcli/eslint-config@​7.0.0
• 371e8b0 deps: ssri@14.0.0
• b68c6c2 deps: sigstore@5.0.0
• 57793ab deps: proc-log@7.0.0
• 33eacc9 deps: npm-registry-fetch@20.0.1
• a131916 deps: npm-pick-manifest@12.0.0
• 2b03527 deps: npm-packlist@11.2.0
• 5f8ad42 deps: npm-package-arg@14.0.0
• 7350ab8 chore: hosted-git-info@10.1.1
• Additional commits viewable in compare view

Updates @npmcli/arborist from 9.7.0 to 9.8.0

Release notes

Sourced from @​npmcli/arborist's releases.

arborist: v9.8.0

9.8.0 (2026-06-11)

Features

• ae8ac4e #9534 add min-release-age-exclude config (@​JamieMagee, @​caseyjhol)
• 8ff3e48 #9483 allowScripts tooling and inBundle hardening (#9483) (@​github-actions[bot], @​JamieMagee)

Bug Fixes

• fc5573a #9530 keep nested file: deps and re-resolve changed git refs (#9530) (@​github-actions[bot], @​owlstronaut)
• b13ee4d #9511 arborist: honor allow-remote=root for root-direct remote tarballs (#9511) (@​github-actions[bot], @​manzoorwanijk)
• 66408d7 #9500 arborist: apply registry-tarball allow-remote exemption in linked strategy (#9500) (@​github-actions[bot], @​manzoorwanijk)
• 4fa81df #9497 recognize allowScripts for local link targets (#9497) (@​github-actions[bot], @​cyphercodes, @​cyphercodes)
• 95cf2e9 #9489 validate registry path for allow-remote tarballs (@​Abhinav-143x)
• 869cb9a #9485 arborist: link meta-only optional peers in linked strategy (@​manzoorwanijk)
• d41a9e3 #9484 arborist: clean up orphaned scoped store entries in linked strategy (@​manzoorwanijk)
• 39d034d #9455 sanitize package name in linked-strategy path construction (@​owlstronaut)
• d59c964 #9451 reject path traversal entries when inflating dependency shrinkwraps (@​owlstronaut)
• c9045d5 #9429 arborist: read install scripts from disk on lockfile installs instead of a sentinel (@​JamieMagee)

Changelog

Sourced from @​npmcli/arborist's changelog.

9.8.0 (2023-07-05)

Features

• 67459e7 #6626 add pkg fix subcommand (@​wraithgar)
• 89b2741 #6548 add ps1 scripts (#6548) (@​mribbons, @​lukekarrys)

Dependencies

• b252164 #6626 @npmcli/package-json@4.0.0
• 9238682 #6623 sigstore@1.7.0 (#6623)
• Workspace: @npmcli/arborist@6.3.0
• Workspace: libnpmdiff@5.0.19
• Workspace: libnpmexec@6.0.2
• Workspace: libnpmfund@4.0.19
• Workspace: libnpmpack@5.0.19
• Workspace: libnpmpublish@7.5.0

9.7.2 (2023-06-21)

Bug Fixes

• 939a188 #6574 ignore node prereleases in npm engines check (#6574) (@​wraithgar)
• d980405 #6556 better color support detection (#6556) (@​lukekarrys)
• 40d7e09 #6555 remove unnecessary package.json values (#6555) (@​lukekarrys)
• 3a7378d #6554 cleanup bin contents (@​lukekarrys)
• e722439 #6497 move all definitions to @​npmcli/config package (@​lukekarrys)

Documentation

• 405ffbf #6557 remove redundant statement about files attribute (#6557) (@​DaviDevMod)
• cd1e6aa #6551 add flag package-lock-only for npm install (#6551) (@​m4rch3n1ng)

Dependencies

• aebc523 #6585 safe-buffer@5.2.1 string_decoder@1.3.0 (#6585)
• bb6054b #6573 tuf-js@1.1.7
• aee4a30 #6573 strip-ansi@7.1.0
• 6105dbc #6573 path-scurry@1.9.2
• 22d44e8 #6573 read-package-json@6.0.4
• fdd02fd #6573 jackspeak@2.2.1
• 7797075 #6573 is-core-module@2.12.1
• f9780cc #6573 sigstore@1.6.0
• 72d6a79 #6573 semver@7.5.2
• 98f1f5f #6573 nopt@7.2.0
• 8710ff8 #6573 pacote@15.2.0
• 0cb539d #6573 node-gyp@9.4.0
• 39ad586 #6573 ini@4.1.1
• 5e0070c #6573 glob@10.2.7 minimatch@9.0.1
• 26cf235 #6573 cacache@17.1.3

... (truncated)

Commits

• b1c3256 chore: release 9.8.0
• c61e037 fix: use new load/create syntax for package-json
• b252164 deps: @​npmcli/package-json@​4.0.0
• a2fa41e chore: normalize line endings and symlinks
• aef96c0 chore: release 9.7.2
• f5b9713 fix: make omit flags work properly with workspaces (#6549)
• 40d7e09 fix: remove unnecessary package.json values (#6555)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: 16e6e5a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​pacote@​22.0.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @sigstore/tuf is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/pacote@22.0.0 → npm/@sigstore/tuf@5.0.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sigstore/tuf@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report