npm · wraithgar · Feb 22, 2024 · Feb 22, 2024 · Feb 22, 2024 · Feb 22, 2024
@@ -328,6 +328,8 @@ graph LR;
   init-package-json-->semver;
   init-package-json-->validate-npm-package-license;
   init-package-json-->validate-npm-package-name;
+  ip-address-->jsbn;
+  ip-address-->sprintf-js;
   is-cidr-->cidr-regex;
   is-core-module-->hasown;
   isaacs-cliui-->string-width-cjs;
@@ -771,7 +773,7 @@ graph LR;
   sigstore-verify-->sigstore-bundle["@sigstore/bundle"];
   sigstore-verify-->sigstore-core["@sigstore/core"];
   sigstore-verify-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
-  socks-->ip;
+  socks-->ip-address;
   socks-->smart-buffer;
   socks-proxy-agent-->agent-base;
   socks-proxy-agent-->debug;

@@ -114,14 +114,18 @@
 !/indent-string
 !/ini
 !/init-package-json
+!/ip-address
+!/ip-address/node_modules/
+/ip-address/node_modules/*
+!/ip-address/node_modules/sprintf-js
 !/ip-regex
-!/ip
 !/is-cidr
 !/is-core-module
 !/is-fullwidth-code-point
 !/is-lambda
 !/isexe
 !/jackspeak
+!/jsbn
 !/json-parse-even-better-errors
 !/json-stringify-nice
 !/jsonparse

@@ -62,7 +62,7 @@ module.exports = class Agent extends AgentBase {
 
     let ProxyAgent = this.#ProxyAgent
     if (Array.isArray(ProxyAgent)) {
-      ProxyAgent = options.secureEndpoint ? ProxyAgent[1] : ProxyAgent[0]
+      ProxyAgent = this.isSecureEndpoint(options) ? ProxyAgent[1] : ProxyAgent[0]
     }
 
     const proxyAgent = new ProxyAgent(proxy, this.#options)
@@ -106,6 +106,7 @@ module.exports = class Agent extends AgentBase {
 
     let socket
     let timeout = this.#timeouts.connection
+    const isSecureEndpoint = this.isSecureEndpoint(options)
 
     const proxy = this.#getProxy(options)
     if (proxy) {
@@ -124,7 +125,7 @@ module.exports = class Agent extends AgentBase {
         timeout = timeout - (Date.now() - start)
       }
     } else {
-      socket = (options.secureEndpoint ? tls : net).connect(options)
+      socket = (isSecureEndpoint ? tls : net).connect(options)
     }
 
     socket.setKeepAlive(this.keepAlive, this.keepAliveMsecs)
@@ -133,8 +134,8 @@ module.exports = class Agent extends AgentBase {
     const abortController = new AbortController()
     const { signal } = abortController
 
-    const connectPromise = socket[options.secureEndpoint ? 'secureConnecting' : 'connecting']
-      ? once(socket, options.secureEndpoint ? 'secureConnect' : 'connect', { signal })
+    const connectPromise = socket[isSecureEndpoint ? 'secureConnecting' : 'connecting']
+      ? once(socket, isSecureEndpoint ? 'secureConnect' : 'connect', { signal })
       : Promise.resolve()
 
     await this.#timeoutConnection({

@@ -1,12 +1,12 @@
 {
   "name": "@npmcli/agent",
-  "version": "2.2.0",
+  "version": "2.2.1",
   "description": "the http/https agent used by the npm cli",
   "main": "lib/index.js",
   "scripts": {
     "gencerts": "bash scripts/create-cert.sh",
     "test": "tap",
-    "lint": "eslint \"**/*.js\"",
+    "lint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
     "postlint": "template-oss-check",
     "template-oss-apply": "template-oss-apply --force",
     "lintfix": "npm run lint -- --fix",
@@ -28,7 +28,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.19.0",
+    "version": "4.21.3",
     "publish": "true"
   },
   "dependencies": {
@@ -40,7 +40,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.19.0",
+    "@npmcli/template-oss": "4.21.3",
     "minipass-fetch": "^3.0.3",
     "nock": "^13.2.7",
     "semver": "^7.5.4",

@@ -1,8 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
+exports.isBundleWithDsseEnvelope = exports.isBundleWithMessageSignature = exports.isBundleWithPublicKey = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = void 0;
 exports.BUNDLE_V01_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1';
 exports.BUNDLE_V02_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.2';
+exports.BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.3';
 // Type guards for bundle variants.
 function isBundleWithCertificateChain(b) {
     return b.verificationMaterial.content.$case === 'x509CertificateChain';

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isBundleV01 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
+exports.isBundleV01 = exports.assertBundleV02 = exports.assertBundleV01 = exports.assertBundleLatest = exports.assertBundle = exports.envelopeToJSON = exports.envelopeFromJSON = exports.bundleToJSON = exports.bundleFromJSON = exports.ValidationError = exports.isBundleWithPublicKey = exports.isBundleWithMessageSignature = exports.isBundleWithDsseEnvelope = exports.isBundleWithCertificateChain = exports.BUNDLE_V03_MEDIA_TYPE = exports.BUNDLE_V02_MEDIA_TYPE = exports.BUNDLE_V01_MEDIA_TYPE = exports.toMessageSignatureBundle = exports.toDSSEBundle = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -22,6 +22,7 @@ Object.defineProperty(exports, "toMessageSignatureBundle", { enumerable: true, g
 var bundle_1 = require("./bundle");
 Object.defineProperty(exports, "BUNDLE_V01_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V01_MEDIA_TYPE; } });
 Object.defineProperty(exports, "BUNDLE_V02_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V02_MEDIA_TYPE; } });
+Object.defineProperty(exports, "BUNDLE_V03_MEDIA_TYPE", { enumerable: true, get: function () { return bundle_1.BUNDLE_V03_MEDIA_TYPE; } });
 Object.defineProperty(exports, "isBundleWithCertificateChain", { enumerable: true, get: function () { return bundle_1.isBundleWithCertificateChain; } });
 Object.defineProperty(exports, "isBundleWithDsseEnvelope", { enumerable: true, get: function () { return bundle_1.isBundleWithDsseEnvelope; } });
 Object.defineProperty(exports, "isBundleWithMessageSignature", { enumerable: true, get: function () { return bundle_1.isBundleWithMessageSignature; } });
@@ -37,4 +38,5 @@ var validate_1 = require("./validate");
 Object.defineProperty(exports, "assertBundle", { enumerable: true, get: function () { return validate_1.assertBundle; } });
 Object.defineProperty(exports, "assertBundleLatest", { enumerable: true, get: function () { return validate_1.assertBundleLatest; } });
 Object.defineProperty(exports, "assertBundleV01", { enumerable: true, get: function () { return validate_1.assertBundleV01; } });
+Object.defineProperty(exports, "assertBundleV02", { enumerable: true, get: function () { return validate_1.assertBundleV02; } });
 Object.defineProperty(exports, "isBundleV01", { enumerable: true, get: function () { return validate_1.isBundleV01; } });
@@ -21,12 +21,16 @@ const bundle_1 = require("./bundle");
 const validate_1 = require("./validate");
 const bundleFromJSON = (obj) => {
     const bundle = protobuf_specs_1.Bundle.fromJSON(obj);
-    (0, validate_1.assertBundle)(bundle);
-    if (bundle.mediaType === bundle_1.BUNDLE_V01_MEDIA_TYPE) {
-        (0, validate_1.assertBundleV01)(bundle);
-    }
-    else {
-        (0, validate_1.assertBundleLatest)(bundle);
+    switch (bundle.mediaType) {
+        case bundle_1.BUNDLE_V01_MEDIA_TYPE:
+            (0, validate_1.assertBundleV01)(bundle);
+            break;
+        case bundle_1.BUNDLE_V02_MEDIA_TYPE:
+            (0, validate_1.assertBundleV02)(bundle);
+            break;
+        default:
+            (0, validate_1.assertBundleLatest)(bundle);
+            break;
     }
     return bundle;
 };

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assertBundleLatest = exports.isBundleV01 = exports.assertBundleV01 = exports.assertBundle = void 0;
+exports.assertBundleLatest = exports.assertBundleV02 = exports.isBundleV01 = exports.assertBundleV01 = exports.assertBundle = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -16,13 +16,61 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-const bundle_1 = require("./bundle");
 const error_1 = require("./error");
 // Performs basic validation of a Sigstore bundle to ensure that all required
 // fields are populated. This is not a complete validation of the bundle, but
 // rather a check that the bundle is in a valid state to be processed by the
 // rest of the code.
 function assertBundle(b) {
+    const invalidValues = validateBundleBase(b);
+    if (invalidValues.length > 0) {
+        throw new error_1.ValidationError('invalid bundle', invalidValues);
+    }
+}
+exports.assertBundle = assertBundle;
+// Asserts that the given bundle conforms to the v0.1 bundle format.
+function assertBundleV01(b) {
+    const invalidValues = [];
+    invalidValues.push(...validateBundleBase(b));
+    invalidValues.push(...validateInclusionPromise(b));
+    if (invalidValues.length > 0) {
+        throw new error_1.ValidationError('invalid v0.1 bundle', invalidValues);
+    }
+}
+exports.assertBundleV01 = assertBundleV01;
+// Type guard to determine if Bundle is a v0.1 bundle.
+function isBundleV01(b) {
+    try {
+        assertBundleV01(b);
+        return true;
+    }
+    catch (e) {
+        return false;
+    }
+}
+exports.isBundleV01 = isBundleV01;
+// Asserts that the given bundle conforms to the v0.2 bundle format.
+function assertBundleV02(b) {
+    const invalidValues = [];
+    invalidValues.push(...validateBundleBase(b));
+    invalidValues.push(...validateInclusionProof(b));
+    if (invalidValues.length > 0) {
+        throw new error_1.ValidationError('invalid v0.2 bundle', invalidValues);
+    }
+}
+exports.assertBundleV02 = assertBundleV02;
+// Asserts that the given bundle conforms to the newest (0.3) bundle format.
+function assertBundleLatest(b) {
+    const invalidValues = [];
+    invalidValues.push(...validateBundleBase(b));
+    invalidValues.push(...validateInclusionProof(b));
+    invalidValues.push(...validateNoCertificateChain(b));
+    if (invalidValues.length > 0) {
+        throw new error_1.ValidationError('invalid bundle', invalidValues);
+    }
+}
+exports.assertBundleLatest = assertBundleLatest;
+function validateBundleBase(b) {
     const invalidValues = [];
     // Media type validation
     if (b.mediaType === undefined ||
@@ -84,6 +132,11 @@ function assertBundle(b) {
                         }
                     });
                     break;
+                case 'certificate':
+                    if (b.verificationMaterial.content.certificate.rawBytes.length === 0) {
+                        invalidValues.push('verificationMaterial.content.certificate.rawBytes');
+                    }
+                    break;
             }
         }
         if (b.verificationMaterial.tlogEntries === undefined) {
@@ -102,17 +155,11 @@ function assertBundle(b) {
             }
         }
     }
-    if (invalidValues.length > 0) {
-        throw new error_1.ValidationError('invalid bundle', invalidValues);
-    }
+    return invalidValues;
 }
-exports.assertBundle = assertBundle;
-// Asserts that the given bundle conforms to the v0.1 bundle format.
-function assertBundleV01(b) {
+// Necessary for V01 bundles
+function validateInclusionPromise(b) {
     const invalidValues = [];
-    if (b.mediaType && b.mediaType !== bundle_1.BUNDLE_V01_MEDIA_TYPE) {
-        invalidValues.push('mediaType');
-    }
     if (b.verificationMaterial &&
         b.verificationMaterial.tlogEntries?.length > 0) {
         b.verificationMaterial.tlogEntries.forEach((entry, i) => {
@@ -121,24 +168,10 @@ function assertBundleV01(b) {
             }
         });
     }
-    if (invalidValues.length > 0) {
-        throw new error_1.ValidationError('invalid v0.1 bundle', invalidValues);
-    }
+    return invalidValues;
 }
-exports.assertBundleV01 = assertBundleV01;
-// Type guard to determine if Bundle is a v0.1 bundle.
-function isBundleV01(b) {
-    try {
-        assertBundleV01(b);
-        return true;
-    }
-    catch (e) {
-        return false;
-    }
-}
-exports.isBundleV01 = isBundleV01;
-// Asserts that the given bundle conforms to the newest (0.2) bundle format.
-function assertBundleLatest(b) {
+// Necessary for V02 and later bundles
+function validateInclusionProof(b) {
     const invalidValues = [];
     if (b.verificationMaterial &&
         b.verificationMaterial.tlogEntries?.length > 0) {
@@ -153,8 +186,13 @@ function assertBundleLatest(b) {
             }
         });
     }
-    if (invalidValues.length > 0) {
-        throw new error_1.ValidationError('invalid v0.2 bundle', invalidValues);
+    return invalidValues;
+}
+// Necessary for V03 and later bundles
+function validateNoCertificateChain(b) {
+    const invalidValues = [];
+    if (b.verificationMaterial?.content?.$case === 'x509CertificateChain') {
+        invalidValues.push('verificationMaterial.content.$case');
     }
+    return invalidValues;
 }
-exports.assertBundleLatest = assertBundleLatest;
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/bundle",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Sigstore bundle type",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -27,7 +27,7 @@
     "provenance": true
   },
   "dependencies": {
-    "@sigstore/protobuf-specs": "^0.2.1"
+    "@sigstore/protobuf-specs": "^0.3.0"
   },
   "engines": {
     "node": "^16.14.0 || >=18.0.0"