base repository: npm/pacote
base: v21.3.1
head repository: npm/pacote
compare: v21.4.0
  • 6 commits
  • 9 files changed
  • 3 contributors

Commits on Feb 24, 2026

  1. fix: skip registry key check for keyless (Sigstore/Fulcio) attestations (#454)
    
    fix: skip registry key check for keyless (Sigstore/Fulcio) attestations
      
      Attestations signed with keyless Sigstore/Fulcio have no keyid and
      embed the signing certificate directly in the bundle. The existing
      guard unconditionally required matching registry keys, causing
      EMISSINGSIGNATUREKEY for registries that only use keyless signing.
    
      Only throw when there are keyed attestations that can't be matched.
    
    ajayk authored Feb 24, 2026
    8b8ea3b
  2. fix: prevent path duplication in attestation URL for registries with … (#452)
    
    fix: prevent path duplication in attestation URL for registries with
    path components
    
    When a custom registry URL includes a path (e.g. https://example.com/javascript),
    the attestation URL was incorrectly constructed by concatenating the full registry
    URL with the full pathname from the attestation URL, causing the path to be
    duplicated (e.g. /javascript/javascript/-/npm/v1/attestations/...).
    
    Use the URL constructor to correctly resolve the pathname against the registry
    origin, matching the existing pattern in lib/remote.js.
    
    ## References
      Fixes #450
    ajayk authored Feb 24, 2026
    ab37bc1
  3. feat: add allowRegistry option (#451)

    This adds the last option needed to aggregate these in npm itself.
    
    Ref: npm/statusboard#1064
    wraithgar authored Feb 24, 2026
    6912f24
  4. Update to newer promise-retry library (#449)

    This will allow us to update `retry`.
    
    
    Ref: npm/statusboard#1065
    wraithgar authored Feb 24, 2026
    bfe6f23
  5. chore: remove git config from tests (#456)

    These were ending up in the project config, not the test fixture
    wraithgar authored Feb 24, 2026
    0dfd1cd
  6. chore: release 21.4.0 (#455)

    🤖 I have created a release *beep* *boop*
    ---
    
    
    ## [21.4.0](v21.3.1...v21.4.0) (2026-02-24)
    ### Features
    * [`6912f24`](6912f24) [#451](#451) add allowRegistry option (#451) (@wraithgar)
    ### Bug Fixes
    * [`ab37bc1`](ab37bc1) [#452](#452) prevent path duplication in attestation URL for registries with … (#452) (@ajayk)
    * [`ab37bc1`](ab37bc1) [#452](#452) prevent path duplication in attestation URL for registries with (@ajayk)
    * [`8b8ea3b`](8b8ea3b) [#454](#454) skip registry key check for keyless (Sigstore/Fulcio) attestations (#454) (@ajayk)
    * [`8b8ea3b`](8b8ea3b) [#454](#454) skip registry key check for keyless (Sigstore/Fulcio) attestations (@ajayk)
    ### Chores
    * [`0dfd1cd`](0dfd1cd) [#456](#456) remove git config from tests (#456) (@wraithgar)
    
    ---
    This PR was generated with [Release
    Please](https://github.com/googleapis/release-please). See
    [documentation](https://github.com/googleapis/release-please#release-please).
    
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    github-actions[bot] authored Feb 24, 2026
    e3871d8
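The path duplication described in commit ab37bc1 (#452), reproduced as an added example that is not pacote's own code. The function names, the sample registry and attestation URLs, and the trailing-slash trimming in the concatenating version are assumptions.

```javascript
// Added example, not pacote's code. Names and sample URLs are constructed.

// Pre-fix construction as the commit message describes it: the full registry
// URL concatenated with the full pathname of the advertised attestation URL.
// (Trimming the registry's trailing slash is an assumption.)
function concatAttestationUrl (registry, advertisedUrl) {
  const { pathname } = new URL(advertisedUrl)
  return registry.replace(/\/+$/, '') + pathname
}

// Post-fix construction: resolve the pathname against the registry with the
// WHATWG URL constructor. An absolute pathname replaces the base path, so a
// registry path prefix is not repeated, and the origin is always the
// configured registry's.
function resolveAttestationUrl (registry, advertisedUrl) {
  const { pathname } = new URL(advertisedUrl)
  return new URL(pathname, registry).href
}

const ATT = '/-/npm/v1/attestations/demo@1.0.0' // constructed package spec

// Constructed inputs: root registry, registry with a path (with and without
// trailing slash), and metadata that advertises a different host.
const SAMPLES = [
  ['https://registry.example.org/', 'https://registry.example.org' + ATT],
  ['https://example.com/javascript', 'https://example.com/javascript' + ATT],
  ['https://example.com/javascript/', 'https://example.com/javascript' + ATT],
  ['https://example.com/javascript', 'https://other.example.net/javascript' + ATT],
]

// Build both URLs for each sample and flag duplicated path segments.
function compare (samples) {
  return samples.map(([registry, advertised]) => {
    const concat = concatAttestationUrl(registry, advertised)
    const resolved = resolveAttestationUrl(registry, advertised)
    const duplicated = /\/([^/]+)\/\1\//.test(new URL(concat).pathname)
    const onRegistry = new URL(resolved).origin === new URL(registry).origin
    return { registry, concat, resolved, duplicated, onRegistry }
  })
}

for (const row of compare(SAMPLES)) {
  console.log(row.registry, '\n  concat:  ', row.concat, row.duplicated ? '(duplicated)' : '',
    '\n  resolved:', row.resolved)
}
```

The root-registry row produces the same URL both ways, which is why the defect only surfaced for registries whose URL carries a path.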