@coveo/semantic-monorepo-tools Apache-2.0 17 versions

@coveo/semantic-monorepo-tools

npm Repository Homepage

A library of helper functions to do SemVer2 compliant releases from Conventional Commits in monorepos

17

Versions

Apache-2.0

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

aboissinotcoveo-organizationcoveoitolamothesssayeghylakhdarndlrnpmcoveopixhelmmitichenlegrossallainmsriouxtalao-coveooa-npmcoveo

Keywords

monoreposemantic-releaseciconventional-commitscdsemver

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Coveo org migrated to GitHub Actions CI publishing with SLSA attestation; this is the expected pattern for automated releases.	ai	2026/05/23
phantom-deps	phantom-dep:git-raw-commits	AI (phantom-deps): git-raw-commits is a declared runtime dep used via config/indirect import; phantom-dep is a false positive here.	ai	2026/05/23

Versions (showing 17 of 17)

Version	Deps	Published
2.7.1	6 / 21	2025-11-04
2.7.0	6 / 21	2025-10-17
2.6.19	6 / 21	2025-10-14
2.6.18	6 / 21	2025-10-10
2.6.17	6 / 21	2025-09-30
2.6.16	6 / 21	2025-09-23
2.6.15	6 / 21	2025-09-16
2.6.14	6 / 21	2025-08-19
2.6.13	6 / 21	2025-08-11
2.6.12	6 / 21	2025-07-29
2.6.11	6 / 21	2025-07-22
2.6.10	6 / 21	2025-07-08
2.6.9	6 / 21	2025-06-30
2.6.8	6 / 21	2025-06-23
2.6.7	6 / 21	2025-06-02
2.6.6	6 / 21	2025-05-27
2.6.5	6 / 21	2025-05-20

v2.7.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.0

2 findings

HIGH Publisher changed: pixhel → GitHub Actions (on 2025-10-17) provenance

This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.19

2 findings

HIGH Publisher changed: pixhel → GitHub Actions (on 2025-10-14) provenance

This version was published by a different npm account than previous versions on 2025-10-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.18

2 findings

HIGH Publisher changed: pixhel → GitHub Actions (on 2025-10-10) provenance

This version was published by a different npm account than previous versions on 2025-10-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.17

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.16

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.15

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.14

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.