@salesforce/plugin-release-management
A plugin for preparing and publishing npm packages
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:commit-and-tag-version | AI (dependencies): commit-and-tag-version is the established community fork of standard-version; legitimate replacement dep for this release tooling package. | ai | |
| phantom-deps | phantom-dep:standard-version | AI (phantom-deps): standard-version is a release tooling dependency invoked via config/scripts, not directly imported. Expected pattern for a release management plugin. | ai | |
| phantom-deps | phantom-dep:yarn-deduplicate | AI (phantom-deps): yarn-deduplicate is a CLI tool invoked via scripts, not imported as a module. Phantom dep finding is a false positive for this usage pattern. | ai | |
| phantom-deps | phantom-dep:commit-and-tag-version | AI (phantom-deps): commit-and-tag-version is a CLI tool invoked via scripts, not imported as a module. Phantom dep finding is a false positive for this usage pattern. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env spread is used to pass current environment to a child process for JIT installation testing — standard CLI tooling pattern, not credential exfiltration. | ai | |
| phantom-deps | phantom-dep:@salesforce/plugin-command-reference | AI (phantom-deps): Same-org Salesforce package used as an oclif devPlugin; phantom dep finding is not meaningful here. | ai | |
| phantom-deps | phantom-dep:@salesforce/cli-plugins-testkit | AI (phantom-deps): Same-org Salesforce package used as an oclif plugin dependency; phantom dep finding is not meaningful here. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to decode GitHub API file content responses, which are always base64-encoded by the GitHub API. Legitimate and expected pattern. | ai |
Versions (showing 51 of 132)
| Version | Deps | Published |
|---|---|---|
| 5.9.2 | 24 / 10 | |
| 5.9.1 | 24 / 10 | |
| 5.9.0 | 24 / 10 | |
| 5.8.32 | 24 / 10 | |
| 5.8.31 | 24 / 10 | |
| 5.8.30 | 24 / 10 | |
| 5.8.29 | 24 / 10 | |
| 5.8.28 | 24 / 10 | |
| 5.8.27 | 24 / 10 | |
| 5.8.25 | 24 / 10 | |
| 5.8.24 | 24 / 10 | |
| 5.8.23 | 24 / 10 | |
| 5.8.22 | 24 / 10 | |
| 5.8.21 | 24 / 10 | |
| 5.8.20 | 24 / 10 | |
| 5.8.19 | 24 / 10 | |
| 5.8.18 | 24 / 10 | |
| 5.8.17 | 24 / 10 | |
| 5.8.16 | 24 / 10 | |
| 5.8.15 | 24 / 10 | |
| 5.8.14 | 24 / 10 | |
| 5.8.13 | 24 / 10 | |
| 5.8.12 | 24 / 10 | |
| 5.8.11 | 24 / 10 | |
| 5.8.10 | 24 / 10 | |
| 5.8.9 | 24 / 10 | |
| 5.8.8 | 24 / 10 | |
| 5.8.7 | 24 / 10 | |
| 5.8.6 | 24 / 10 | |
| 5.8.5 | 24 / 10 | |
| 5.8.4 | 24 / 10 | |
| 5.8.3 | 24 / 10 | |
| 5.8.2 | 24 / 10 | |
| 5.8.1 | 24 / 10 | |
| 5.8.0 | 24 / 10 | |
| 5.7.115 | 24 / 10 | |
| 5.7.114 | 24 / 10 | |
| 5.7.113 | 24 / 10 | |
| 5.7.112 | 24 / 10 | |
| 5.7.111 | 24 / 10 | |
| 5.7.110 | 24 / 10 | |
| 5.7.109 | 24 / 10 | |
| 5.7.108 | 24 / 10 | |
| 5.7.107 | 24 / 10 | |
| 5.7.106 | 24 / 10 | |
| 5.7.105 | 24 / 10 | |
| 5.7.104 | 24 / 10 | |
| 5.7.103 | 24 / 10 | |
| 5.7.102 | 24 / 10 | |
| 5.7.101 | 24 / 10 | |
| 5.7.100 | 24 / 10 |
v5.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.13
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/salesforcecli/plugin-release-management/blob/7b8f1e6b886725ef2ddc24dbc8df16cb3358f052/lib/jit.js#L100 98 | // However, this is okay because all we need to verify is that running the command will trigger the JIT inst 99 | const { stdout, stderr } = await exec(`${executable} ${firstCommand.id}`, { > 100 | env: { 101 | ...process.env, 102 | SF_DATA_DIR: dataDir,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.8.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.8.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.8.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.115
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.114
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.113
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.112
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.110
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.108
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.106
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.105
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.100
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.