chore(deps): bump pacote from 21.0.4 to 21.5.0

[dependabot]

Bumps pacote from 21.0.4 to 21.5.0.

Release notes

Sourced from pacote's releases.

v21.5.0

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@​mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@​wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@​wraithgar)
• b741e8b #468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@​dependabot[bot], @​npm-cli-bot)

v21.4.0

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@​wraithgar)

Bug Fixes

• ab37bc1 #452 prevent path duplication in attestation URL for registries with … (#452) (@​ajayk)
• ab37bc1 #452 prevent path duplication in attestation URL for registries with (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (#454) (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (@​ajayk)

Chores

• 0dfd1cd #456 remove git config from tests (#456) (@​wraithgar)

v21.3.1

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@​klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@​wraithgar)

v21.3.0

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@​wraithgar)

v21.2.0

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@​Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@​wraithgar)

v21.1.0

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@​wraithgar)

Changelog

Sourced from pacote's changelog.

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@​mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@​wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@​wraithgar)
• b741e8b #468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@​dependabot[bot], @​npm-cli-bot)

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@​wraithgar)

Bug Fixes

• ab37bc1 #452 prevent path duplication in attestation URL for registries with … (#452) (@​ajayk)
• ab37bc1 #452 prevent path duplication in attestation URL for registries with (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (#454) (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (@​ajayk)

Chores

• 0dfd1cd #456 remove git config from tests (#456) (@​wraithgar)

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@​klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@​wraithgar)

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@​wraithgar)

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@​Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@​wraithgar)

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@​wraithgar)

Commits

• 6c2555a chore: release 21.5.0 (#470)
• 586a55d chore: template-oss-apply for new macos images (#471)
• d912f17 feat: expose fetched attestation bundles on manifest (#457)
• b741e8b chore: bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468)
• d1cc5c8 chore: template-oss-apply for release branches (#460)
• e3871d8 chore: release 21.4.0 (#455)
• 0dfd1cd chore: remove git config from tests (#456)
• bfe6f23 Update to newer promise-retry library (#449)
• 6912f24 feat: add allowRegistry option (#451)
• ab37bc1 fix: prevent path duplication in attestation URL for registries with … (#452)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.