| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-06-17 | 1.0 kB | |
| v0.39.1 source code.tar.gz | 2026-06-17 | 2.7 MB | |
| v0.39.1 source code.zip | 2026-06-17 | 3.4 MB | |
| Totals: 3 Items | 6.1 MB | 0 | |
@daloyjs/core has no runtime changes; this is a lockstep re-release whose only
purpose is to ship the JSR package @daloyjs/daloy
with a Sigstore provenance attestation.
Security
- The JSR build now ships with a provenance attestation.
@daloyjs/daloy@0.39.0published to JSR but without provenance: thepublish-jsrCI job's hardened egress allowlist was missing the Sigstore hosts (fulcio.sigstore.dev,rekor.sigstore.dev,tuf-repo-cdn.sigstore.dev), sojsr publishcreated the version and then failed attaching its attestation. The allowlist is fixed, so0.39.1is published to JSR with verifiable provenance — matching the npm packages, which already shipped0.39.0with an SLSA provenance attestation.
create-daloy is a lockstep 0.39.1 bump: every template now pins
@daloyjs/core@^0.39.1 (jsr:@daloyjs/daloy@^0.39.1 for the Deno template).
Full changelog: https://github.com/daloyjs/daloy/compare/v0.39.0...v0.39.1