conventional-changelog-cli
Generate a changelog from git metadata.
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
bcoeoss-botstevemaotapppi
Keywords
clicli-appconventional-changelogconventionalchangeloglog
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Major version bump (4.x → 5.0.0) with dependency upgrades explains the dormancy gap; consistent with planned release by the conventional-changelog org bot. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load a user-supplied context file via --context CLI flag. This is intentional CLI behavior; the user controls the path, so there is no supply-chain or privilege escalation risk. | ai | |
| dependencies | unvetted-dep:conventional-changelog | AI (dependencies): conventional-changelog is the core library this CLI wraps; it's a well-established package in the same monorepo and ecosystem. Not a risk signal for this package. | ai | |
| dependencies | unvetted-dep:add-stream | AI (dependencies): add-stream is a small, long-standing utility package used legitimately by this CLI. No risk signal. | ai | |
| dependencies | unvetted-dep:tempfile | AI (dependencies): tempfile is a well-known sindresorhus utility package used legitimately for temp file creation. No risk signal for this package. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the legitimate initial placeholder release for this well-established package by a reputable publisher with 10+ years of history. Not a malicious throwaway. | ai | |
| provenance | no-provenance | AI (provenance): Established package from the conventional-changelog monorepo; lack of provenance is common and not a risk signal here. | ai |
Versions (showing 51 of 67)
| Version | Deps | Published |
|---|---|---|
| 5.0.0 | 4 / 0 | |
| 4.1.0 | 4 / 0 | |
| 4.0.0 | 4 / 0 | |
| 3.0.0 | 4 / 0 | |
| 2.2.2 | 5 / 0 | |
| 2.1.1 | 5 / 0 | |
| 2.1.0 | 5 / 0 | |
| 2.0.35 | 5 / 0 | |
| 2.0.34 | 5 / 0 | |
| 2.0.33 | 5 / 0 | |
| 2.0.32 | 5 / 0 | |
| 2.0.31 | 5 / 0 | |
| 2.0.30 | 5 / 0 | |
| 2.0.29 | 5 / 0 | |
| 2.0.28 | 5 / 0 | |
| 2.0.27 | 5 / 0 | |
| 2.0.26 | 5 / 0 | |
| 2.0.25 | 5 / 0 | |
| 2.0.23 | 5 / 0 | |
| 2.0.22 | 5 / 0 | |
| 2.0.21 | 5 / 0 | |
| 2.0.20 | 5 / 0 | |
| 2.0.19 | 5 / 0 | |
| 2.0.18 | 5 / 0 | |
| 2.0.17 | 5 / 0 | |
| 2.0.16 | 5 / 0 | |
| 2.0.15 | 5 / 0 | |
| 2.0.14 | 5 / 0 | |
| 2.0.12 | 5 / 0 | |
| 2.0.11 | 5 / 0 | |
| 2.0.10 | 5 / 0 | |
| 2.0.9 | 5 / 0 | |
| 2.0.8 | 5 / 0 | |
| 2.0.7 | 5 / 0 | |
| 2.0.5 | 5 / 3 | |
| 2.0.4 | 5 / 3 | |
| 2.0.3 | 5 / 3 | |
| 2.0.2 | 5 / 3 | |
| 2.0.1 | 5 / 3 | |
| 2.0.0 | 5 / 3 | |
| 1.3.22 | 5 / 3 | |
| 1.3.21 | 5 / 3 | |
| 1.3.20 | 5 / 3 | |
| 1.3.19 | 5 / 3 | |
| 1.3.18 | 5 / 3 | |
| 1.3.17 | 5 / 3 | |
| 1.3.16 | 5 / 3 | |
| 1.3.15 | 5 / 3 | |
| 1.3.14 | 5 / 7 | |
| 1.3.13 | 5 / 7 | |
| 1.3.12 | 5 / 7 |