release-it
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): release-it legitimately spreads process.env to filter and pass npm env vars to subprocesses. This is documented, intentional behavior — not credential capture or exfiltration. | ai | |
| provenance | no-provenance | AI (provenance): release-it is a long-established package; lack of Sigstore provenance is common and not a risk signal for this package. | ai |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 20.0.1 | 23 / 15 | |
| 20.0.0 | 23 / 15 | |
| 19.2.4 | 23 / 15 | |
| 19.2.3 | 23 / 15 | |
| 19.2.2 | 23 / 17 | |
| 19.2.1 | 23 / 17 | |
| 19.2.0 | 23 / 17 | |
| 19.1.0 | 23 / 17 | |
| 19.0.6 | 23 / 17 | |
| 19.0.5 | 23 / 17 | |
| 19.0.4 | 23 / 17 | |
| 19.0.3 | 24 / 17 | |
| 19.0.2 | 25 / 17 | |
| 19.0.1 | 25 / 17 | |
| 19.0.0 | 25 / 17 | |
| 18.1.2 | 25 / 24 | |
| 18.1.1 | 25 / 24 | |
| 18.1.0 | 25 / 24 | |
| 18.0.0 | 25 / 24 | |
| 17.11.0 | 24 / 24 | |
| 17.10.0 | 24 / 24 | |
| 17.9.0 | 24 / 24 | |
| 17.8.2 | 24 / 24 | |
| 17.8.1 | 24 / 24 | |
| 17.8.0 | 24 / 24 | |
| 17.7.0 | 24 / 24 | |
| 17.6.0 | 26 / 24 | |
| 17.5.0 | 26 / 24 | |
| 17.4.2 | 26 / 24 | |
| 17.4.1 | 26 / 24 | |
| 17.4.0 | 27 / 22 | |
| 17.3.0 | 27 / 18 | |
| 17.2.1 | 27 / 18 | |
| 16.1.5 | 27 / 17 |
v20.0.1
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/release-it/release-it/blob/bee31380a2bbdda7aeaffe7658a3900290a1a181/lib/util.js#L165 163 | // Remove npm_config_* variables set by others (e.g. pnpm) that npm warns about 164 | export const getNpmEnv = () => { > 165 | const env = { ...process.env }; 166 | const removeVars = new Set([ 167 | 'npm_config_npm_globalconfig',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.