Download Latest Version v1.0.0-beta.4 source code.tar.gz (3.0 MB)
Email in envelope

Get an email when there's a new version of DaloyJS

Home / v0.39.1
Name Modified Size InfoDownloads / Week
Parent folder
README.md 2026-06-17 1.0 kB
v0.39.1 source code.tar.gz 2026-06-17 2.7 MB
v0.39.1 source code.zip 2026-06-17 3.4 MB
Totals: 3 Items   6.1 MB 0

@daloyjs/core has no runtime changes; this is a lockstep re-release whose only purpose is to ship the JSR package @daloyjs/daloy with a Sigstore provenance attestation.

Security

  • The JSR build now ships with a provenance attestation. @daloyjs/daloy@0.39.0 published to JSR but without provenance: the publish-jsr CI job's hardened egress allowlist was missing the Sigstore hosts (fulcio.sigstore.dev, rekor.sigstore.dev, tuf-repo-cdn.sigstore.dev), so jsr publish created the version and then failed attaching its attestation. The allowlist is fixed, so 0.39.1 is published to JSR with verifiable provenance — matching the npm packages, which already shipped 0.39.0 with an SLSA provenance attestation.

create-daloy is a lockstep 0.39.1 bump: every template now pins @daloyjs/core@^0.39.1 (jsr:@daloyjs/daloy@^0.39.1 for the Deno template).

Full changelog: https://github.com/daloyjs/daloy/compare/v0.39.0...v0.39.1

Source: README.md, updated 2026-06-17