semantic-release
Automated semver compliant package publishing
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): pvdlg removal is a historical cleanup; package published via GitHub Actions with SLSA provenance, no takeover indicators. | ai | |
| phantom-deps | phantom-dep:aggregate-error | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:hosted-git-info | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:import-from-esm | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:marked-terminal | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:read-package-up | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:@semantic-release/error | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop likely reflects ESM refactoring/bundling changes, not code removal; no malicious indicators. | ai | |
| phantom-deps | phantom-dep:env-ci | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:figures | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:hook-std | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:p-reduce | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:get-stream | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:micromatch | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:cosmiconfig | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:resolve-from | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:p-each-series | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| phantom-deps | phantom-dep:git-log-parser | AI (phantom-deps): ESM package uses dynamic imports; deps are legitimately used at runtime. | ai | |
| provenance | publisher-changed | AI (provenance): semantic-release migrated publishing to GitHub Actions CI/CD with SLSA provenance attestation; this publisher change is legitimate and verifiable for this package. | ai | |
| dependencies | unvetted-dep:figures | AI (dependencies): figures is a well-known sindresorhus terminal symbols utility; a legitimate, benign dependency for semantic-release's CLI output. | ai | |
| phantom-deps | phantom-dep:@semantic-release/commit-analyzer | AI (phantom-deps): Default plugin loaded dynamically at runtime. Stable false positive for this plugin-based architecture. | ai | |
| phantom-deps | phantom-dep:@semantic-release/npm | AI (phantom-deps): Default plugin loaded dynamically at runtime via resolve-from/import-from-esm; static import analysis cannot detect this pattern. Stable false positive for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): semantic-release is CI/CD tooling that intentionally propagates process.env to child git processes. This is expected behavior, not a vulnerability, and is stable across all versions. | ai | |
| phantom-deps | phantom-dep:@semantic-release/release-notes-generator | AI (phantom-deps): Default plugin loaded dynamically at runtime. Stable false positive for this plugin-based architecture. | ai | |
| phantom-deps | phantom-dep:@semantic-release/github | AI (phantom-deps): Default plugin loaded dynamically at runtime. Same pattern as @semantic-release/npm — stable false positive. | ai |
Versions (showing 100 of 337)
| Version | Deps | Published |
|---|---|---|
| 25.0.5 | 28 / 23 | |
| 25.0.4 | 28 / 23 | |
| 25.0.3 | 28 / 23 | |
| 25.0.2 | 29 / 23 | |
| 25.0.1 | 29 / 23 | |
| 25.0.0 | 29 / 23 | |
| 24.2.9 | 29 / 23 | |
| 24.2.8 | 29 / 23 | |
| 24.2.7 | 29 / 23 | |
| 24.2.6 | 29 / 23 | |
| 24.2.5 | 29 / 23 | |
| 24.2.4 | 29 / 23 | |
| 24.2.3 | 29 / 23 | |
| 24.2.2 | 29 / 21 | |
| 24.2.1 | 29 / 21 | |
| 24.2.0 | 29 / 21 | |
| 24.1.3 | 29 / 21 | |
| 24.1.2 | 29 / 21 | |
| 24.1.1 | 29 / 22 | |
| 24.1.0 | 29 / 22 | |
| 24.0.0 | 29 / 22 | |
| 23.1.1 | 29 / 22 | |
| 23.1.0 | 29 / 22 | |
| 23.0.8 | 29 / 22 | |
| 23.0.7 | 29 / 22 | |
| 23.0.6 | 29 / 22 | |
| 23.0.5 | 29 / 22 | |
| 23.0.4 | 29 / 22 | |
| 23.0.3 | 29 / 22 | |
| 23.0.2 | 29 / 22 | |
| 23.0.1 | 29 / 22 | |
| 23.0.0 | 29 / 22 | |
| 22.0.12 | 29 / 22 | |
| 22.0.11 | 29 / 22 | |
| 22.0.10 | 29 / 22 | |
| 22.0.9 | 29 / 22 | |
| 22.0.8 | 29 / 22 | |
| 22.0.7 | 28 / 22 | |
| 22.0.6 | 28 / 22 | |
| 22.0.5 | 28 / 17 | |
| 22.0.4 | 28 / 17 | |
| 22.0.3 | 28 / 17 | |
| 22.0.2 | 28 / 17 | |
| 22.0.1 | 28 / 17 | |
| 22.0.0 | 28 / 17 | |
| 21.1.2 | 28 / 17 | |
| 21.1.1 | 28 / 17 | |
| 21.1.0 | 28 / 17 | |
| 21.0.9 | 28 / 17 | |
| 21.0.8 | 28 / 17 | |
| 21.0.7 | 28 / 17 | |
| 21.0.6 | 28 / 17 | |
| 21.0.5 | 28 / 17 | |
| 21.0.4 | 28 / 17 | |
| 21.0.3 | 28 / 17 | |
| 21.0.2 | 28 / 18 | |
| 21.0.1 | 28 / 18 | |
| 21.0.0 | 28 / 18 | |
| 20.1.3 | 28 / 18 | |
| 20.1.2 | 28 / 18 | |
| 20.1.1 | 28 / 18 | |
| 20.1.0 | 28 / 18 | |
| 20.0.4 | 28 / 18 | |
| 20.0.3 | 28 / 18 | |
| 20.0.2 | 28 / 18 | |
| 20.0.1 | 28 / 18 | |
| 20.0.0 | 28 / 18 | |
| 19.0.5 | 28 / 18 | |
| 19.0.4 | 28 / 18 | |
| 19.0.3 | 28 / 18 | |
| 19.0.2 | 28 / 18 | |
| 19.0.1 | 28 / 18 | |
| 19.0.0 | 28 / 18 | |
| 18.0.1 | 28 / 18 | |
| 18.0.0 | 28 / 18 | |
| 17.4.7 | 28 / 18 | |
| 17.4.6 | 28 / 18 | |
| 17.4.5 | 28 / 18 | |
| 17.4.4 | 28 / 18 | |
| 17.4.3 | 28 / 18 | |
| 17.4.2 | 28 / 18 | |
| 17.4.1 | 28 / 18 | |
| 17.4.0 | 28 / 18 | |
| 17.3.9 | 28 / 18 | |
| 17.3.8 | 28 / 18 | |
| 17.3.7 | 28 / 18 | |
| 17.3.6 | 28 / 18 | |
| 17.3.5 | 28 / 18 | |
| 17.3.4 | 28 / 18 | |
| 17.3.3 | 28 / 18 | |
| 17.3.2 | 28 / 18 | |
| 17.3.1 | 28 / 18 | |
| 17.3.0 | 28 / 18 | |
| 17.2.4 | 28 / 18 | |
| 17.2.3 | 28 / 18 | |
| 17.2.2 | 28 / 18 | |
| 17.2.1 | 28 / 18 | |
| 17.2.0 | 29 / 18 | |
| 17.1.2 | 28 / 18 | |
| 17.1.1 | 28 / 18 |
v25.0.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.3
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/semantic-release/semantic-release/blob/f4041244addfdea14558cbb11cc7211fb797943f/lib/git.js#L54 52 | gitLogParser.parse( 53 | { _: `${from ? from + ".." : ""}${to}` }, > 54 | { cwd: execaOptions.cwd, env: { ...process.env, ...execaOptions.env } } 55 | ) 56 | )
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.2
2 findingsThis version was published by a different npm account than previous versions on 2025-11-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.