deps: bump pacote from 15.2.0 to 21.5.0 in /cli

[dependabot]

Bumps pacote from 15.2.0 to 21.5.0.

Release notes

Sourced from pacote's releases.

v21.5.0

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@​mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@​wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@​wraithgar)
• b741e8b #468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@​dependabot[bot], @​npm-cli-bot)

v21.4.0

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@​wraithgar)

Bug Fixes

• ab37bc1 #452 prevent path duplication in attestation URL for registries with … (#452) (@​ajayk)
• ab37bc1 #452 prevent path duplication in attestation URL for registries with (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (#454) (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (@​ajayk)

Chores

• 0dfd1cd #456 remove git config from tests (#456) (@​wraithgar)

v21.3.1

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@​klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@​wraithgar)

v21.3.0

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@​wraithgar)

v21.2.0

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@​Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@​wraithgar)

v21.1.0

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@​wraithgar)

v21.0.4

21.0.4 (2025-11-13)

Dependencies

• edbcc02 #436 proc-log@6.0.0
• 8dc1f22 #436 @npmcli/installed-package-contents@4.0.0
• 505c3b0 #436 ssri@13.0.0

... (truncated)

Changelog

Sourced from pacote's changelog.

21.5.0 (2026-03-09)

Features

• d912f17 #457 expose fetched attestation bundles on manifest (#457) (@​mitchdenny)

Chores

• 586a55d #471 template-oss-apply for new macos images (#471) (@​wraithgar)
• d1cc5c8 #460 template-oss-apply for release branches (#460) (@​wraithgar)
• b741e8b #468 bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@​dependabot[bot], @​npm-cli-bot)

21.4.0 (2026-02-24)

Features

• 6912f24 #451 add allowRegistry option (#451) (@​wraithgar)

Bug Fixes

• ab37bc1 #452 prevent path duplication in attestation URL for registries with … (#452) (@​ajayk)
• ab37bc1 #452 prevent path duplication in attestation URL for registries with (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (#454) (@​ajayk)
• 8b8ea3b #454 skip registry key check for keyless (Sigstore/Fulcio) attestations (@​ajayk)

Chores

• 0dfd1cd #456 remove git config from tests (#456) (@​wraithgar)

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@​klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@​wraithgar)

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@​wraithgar)

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@​Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@​wraithgar)

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@​wraithgar)

21.0.4 (2025-11-13)

Dependencies

• edbcc02 #436 proc-log@6.0.0
• 8dc1f22 #436 @npmcli/installed-package-contents@4.0.0
• 505c3b0 #436 ssri@13.0.0
• a23fb17 #436 @npmcli/promise-spawn@9.0.0

Chores

• ff261aa #436 @npmcli/eslint-config@6.0.0 (@​wraithgar)
• 2bba862 #436 @npmcli/template-oss@4.28.0 (@​wraithgar)

21.0.3 (2025-09-17)

Dependencies

... (truncated)

Commits

• 6c2555a chore: release 21.5.0 (#470)
• 586a55d chore: template-oss-apply for new macos images (#471)
• d912f17 feat: expose fetched attestation bundles on manifest (#457)
• b741e8b chore: bump @​npmcli/template-oss from 4.28.0 to 4.29.0 (#468)
• d1cc5c8 chore: template-oss-apply for release branches (#460)
• e3871d8 chore: release 21.4.0 (#455)
• 0dfd1cd chore: remove git config from tests (#456)
• bfe6f23 Update to newer promise-retry library (#449)
• 6912f24 feat: add allowRegistry option (#451)
• ab37bc1 fix: prevent path duplication in attestation URL for registries with … (#452)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for pacote since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: Dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.