@changesets/cli
Organise your package versioning and publishing to make both contributors and maintainers happy
5
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
novinychangesets-release-botemmatownandarist
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): changesets-release-bot is the established automated publisher for @changesets scope. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transition to changesets-release-bot in 2019; stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): All dynamic-require findings are in test files, used to read back written JSON fixtures for assertion. Not production code; no arbitrary module loading risk. | ai | |
| phantom-deps | phantom-dep:@changesets/git | AI (phantom-deps): Same-org scoped package loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:get-workspaces | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:meow | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:boxen | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:is-ci | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:outdent | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:p-limit | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:pkg-dir | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:enquirer | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:prettier | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:term-size | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:tty-table | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:spawndamnit | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): Framework-scoped type package loaded by convention; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@changesets/pre | AI (phantom-deps): Same-org scoped package in monorepo; phantom dependency pattern is expected and stable. | ai | |
| phantom-deps | phantom-dep:lodash.startcase | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:cli-table | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:detect-indent | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:fuzzy | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:globby | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @changesets/cli is a well-known scoped package with no relation to 'joi'; the Levenshtein match is a false positive driven by the short length of 'joi' vs. the full scoped name. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security blocker for established packages with strong publisher track records. | ai | |
| phantom-deps | phantom-dep:@types/is-ci | AI (phantom-deps): TypeScript type package; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): TypeScript type package; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:human-id | AI (phantom-deps): Referenced in config files for changeset ID generation; legitimate use pattern for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): ansi-colors is a well-known, benign terminal color utility; its addition is consistent with CLI tooling and poses no supply chain risk. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by Babel transpilation; not directly imported but legitimately used. | ai | |
| bogus-package | bogus-package | AI (bogus-package): @changesets/cli is a well-known monorepo sub-package; sparse README and missing keywords are expected for scoped packages that defer to the main repo docs. Not a spam/bogus package. | ai | |
| dependencies | unvetted-dep:term-size | AI (dependencies): term-size is a legitimate Sindre Sorhus package for terminal size detection; its use in a CLI tool is expected and appropriate. | ai |
Versions (showing 5 of 105)
| Version | Deps | Published |
|---|---|---|
| 1.1.2 | 21 / 1 | |
| 1.1.1 | 21 / 1 | |
| 1.1.0 | 20 / 1 | |
| 1.0.1 | 20 / 1 | |
| 1.0.0 | 20 / 1 |
v1.1.2
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.