@grafana/create-plugin 7.7.0-canary.2656.26454058960.0 → 7.7.0

package/CHANGELOG.md

@@ -1,3 +1,27 @@
+# v7.7.0 (Fri May 29 2026)
+
+#### 🚀 Enhancement
+
+- feat: replace insecure sign script [#2656](https://github.com/grafana/plugin-tools/pull/2656) ([@jackw](https://github.com/jackw))
+
+#### Authors: 1
+
+- Jack Westbrook ([@jackw](https://github.com/jackw))
+
+---
+
+# v7.6.2 (Wed May 27 2026)
+
+#### 🐛 Bug Fix
+
+- fix: pin dependencies for better security [#2658](https://github.com/grafana/plugin-tools/pull/2658) ([@jackw](https://github.com/jackw))
+
+#### Authors: 1
+
+- Jack Westbrook ([@jackw](https://github.com/jackw))
+
+---
+
 # v7.6.1 (Tue May 26 2026)
 
 #### 🐛 Bug Fix

package/dist/codemods/migrations/migrations.js

@@ -63,7 +63,7 @@ var defaultMigrations = [
   },
   {
     name: "011-secure-sign-script",
-    version: "7.6.2",
+    version: "7.6.3",
     description: "Security: replace insecure inline `npx --yes @grafana/sign-plugin@latest` sign script with a locked @grafana/sign-plugin devDependency to prevent arbitrary code execution from a compromised @latest publish.",
     scriptPath: import.meta.resolve("./scripts/011-secure-sign-script.js")
   }

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@grafana/create-plugin",
-  "version": "7.7.0-canary.2656.26454058960.0",
+  "version": "7.7.0",
   "repository": {
+    "type": "git",
     "directory": "packages/create-plugin",
     "url": "https://github.com/grafana/plugin-tools"
   },
@@ -25,35 +26,35 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@babel/parser": "^7.28.5",
-    "@ivanmaxlogiudice/gitignore": "^0.0.2",
-    "change-case": "^5.4.0",
-    "debug": "^4.3.4",
-    "enquirer": "^2.4.1",
-    "find-up": "^8.0.0",
-    "glob": "^13.0.0",
-    "handlebars": "^4.7.8",
-    "jsonc-parser": "^3.3.1",
-    "minimist": "^1.2.8",
-    "recast": "^0.23.11",
-    "semver": "^7.3.5",
-    "title-case": "^4.3.0",
-    "valibot": "^1.2.0",
-    "which": "^6.0.0",
-    "yaml": "^2.7.0"
+    "@babel/parser": "7.29.0",
+    "@ivanmaxlogiudice/gitignore": "0.0.2",
+    "change-case": "5.4.4",
+    "debug": "4.4.3",
+    "enquirer": "2.4.1",
+    "find-up": "8.0.0",
+    "glob": "13.0.6",
+    "handlebars": "4.7.9",
+    "jsonc-parser": "3.3.1",
+    "minimist": "1.2.8",
+    "recast": "0.23.11",
+    "semver": "7.7.2",
+    "title-case": "4.3.2",
+    "valibot": "1.2.0",
+    "which": "6.0.1",
+    "yaml": "2.9.0"
   },
   "devDependencies": {
-    "@libs/output": "^1.0.3",
-    "@libs/version": "^1.0.2",
-    "@types/glob": "^9.0.0",
-    "@types/minimist": "^1.2.5",
-    "@types/semver": "^7.7.1",
-    "@types/tmp": "^0.2.6",
-    "@types/which": "^3.0.4",
-    "tmp": "^0.2.5"
+    "@libs/output": "1.0.3",
+    "@libs/version": "1.0.2",
+    "@types/glob": "9.0.0",
+    "@types/minimist": "1.2.5",
+    "@types/semver": "7.7.1",
+    "@types/tmp": "0.2.6",
+    "@types/which": "3.0.4",
+    "tmp": "0.2.5"
   },
   "engines": {
     "node": ">=20"
   },
-  "gitHead": "9f2c76337454a475c2d4769c1fa76b1d2019ad0a"
+  "gitHead": "57e7611bcbbd068694bda70df57fa86008dd3353"
 }

package/src/codemods/migrations/migrations.ts

@@ -73,7 +73,7 @@ export default [
   },
   {
     name: '011-secure-sign-script',
-    version: '7.6.2',
+    version: '7.6.3',
     description:
       'Security: replace insecure inline `npx --yes @grafana/sign-plugin@latest` sign script with a locked @grafana/sign-plugin devDependency to prevent arbitrary code execution from a compromised @latest publish.',
     scriptPath: import.meta.resolve('./scripts/011-secure-sign-script.js'),