
@changesets/cli

Organise your package versioning and publishing to make both contributors and maintainers happy

Versions: 27
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

noviny, changesets-release-bot, emmatown, andarist

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:dynamic-require | AI (semgrep): All dynamic-require findings are in test files, used to read back written JSON fixtures for assertion. Not production code; no arbitrary module loading risk. | ai |
phantom-deps | phantom-dep:spawndamnit | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:get-workspaces | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:@changesets/git | AI (phantom-deps): Same-org scoped package loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:meow | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:uuid | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:boxen | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:chalk | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:is-ci | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:outdent | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:p-limit | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:pkg-dir | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:enquirer | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:prettier | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:term-size | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:tty-table | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai |
phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): Framework-scoped type package loaded by convention; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@changesets/pre | AI (phantom-deps): Same-org scoped package in monorepo; phantom dependency pattern is expected and stable. | ai |
phantom-deps | phantom-dep:lodash.startcase | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai |
phantom-deps | phantom-dep:globby | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai |
phantom-deps | phantom-dep:detect-indent | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai |
phantom-deps | phantom-dep:fuzzy | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai |
phantom-deps | phantom-dep:cli-table | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): @changesets/cli is a well-known scoped package with no relation to 'joi'; the Levenshtein match is a false positive driven by the short length of 'joi' vs. the full scoped name. | ai |
provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security blocker for established packages with strong publisher track records. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): ansi-colors is a well-known, benign terminal color utility; its addition is consistent with CLI tooling and poses no supply chain risk. | ai |
phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by Babel transpilation; not directly imported but legitimately used. | ai |
phantom-deps | phantom-dep:@types/is-ci | AI (phantom-deps): TypeScript type package; not directly imported at runtime by convention. | ai |
phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): TypeScript type package; not directly imported at runtime by convention. | ai |
phantom-deps | phantom-dep:human-id | AI (phantom-deps): Referenced in config files for changeset ID generation; legitimate use pattern for this package. | ai |
bogus-package | bogus-package | AI (bogus-package): @changesets/cli is a well-known monorepo sub-package; sparse README and missing keywords are expected for scoped packages that defer to the main repo docs. Not a spam/bogus package. | ai |
dependencies | unvetted-dep:term-size | AI (dependencies): term-size is a legitimate Sindre Sorhus package for terminal size detection; its use in a CLI tool is expected and appropriate. | ai |

Versions (showing 27 of 27)

Version | Deps | Published
2.30.0 | 26 / 6 |
2.29.6 | 28 / 6 |
2.27.7 | 32 / 3 |
2.27.5 | 33 / 3 |
2.27.2 | 32 / 3 |
2.27.1 | 32 / 3 |
2.25.2 | 33 / 4 |
2.23.2 | 33 / 4 |
2.19.0 | 31 / 4 |
2.17.0 | 30 / 4 |
2.10.0 | 30 / 4 |
2.7.1 | 28 / 4 |
2.4.0 | 28 / 5 |
2.3.1 | 34 / 5 |
2.1.0 | 31 / 3 |
2.0.1 | 33 / 3 |
2.0.0 | 33 / 3 |
1.3.0 | 26 / 2 |
1.2.0 | 24 / 2 |
1.1.5 | 25 / 1 |
1.1.4 | 23 / 1 |
1.1.3 | 21 / 1 |
1.1.2 | 21 / 1 |
1.1.1 | 21 / 1 |
1.1.0 | 20 / 1 |
1.0.1 | 20 / 1 |
1.0.0 | 20 / 1 |

v2.30.0

1 finding
[INFO] Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.29.6

1 finding
[INFO] Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.27.7

1 finding
[LOW] No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.27.5

1 finding
[LOW] No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.27.2

1 finding
[LOW] No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.27.1

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.25.2

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.23.2

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.17.0

1 finding
[LOW] No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.10.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.7.1

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.1

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.5

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.4

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.3

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
[INFO] No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.