@salesforce/plugin-release-management

A plugin for preparing and publishing npm packages

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ire-npm-team-userjimjagsalesforce-releasesjasonschroeder-sfdcmobifylwc-adminsalesforce-admin

Keywords

forcesalesforcesfdxsalesforcedxsfdx-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:commit-and-tag-version	AI (dependencies): commit-and-tag-version is the established community fork of standard-version; legitimate replacement dep for this release tooling package.	ai	2026/05/02
phantom-deps	phantom-dep:standard-version	AI (phantom-deps): standard-version is a release tooling dependency invoked via config/scripts, not directly imported. Expected pattern for a release management plugin.	ai	2026/04/27
phantom-deps	phantom-dep:yarn-deduplicate	AI (phantom-deps): yarn-deduplicate is a CLI tool invoked via scripts, not imported as a module. Phantom dep finding is a false positive for this usage pattern.	ai	2026/04/25
phantom-deps	phantom-dep:commit-and-tag-version	AI (phantom-deps): commit-and-tag-version is a CLI tool invoked via scripts, not imported as a module. Phantom dep finding is a false positive for this usage pattern.	ai	2026/04/25
semgrep	semgrep:env-spread	AI (semgrep): env spread is used to pass current environment to a child process for JIT installation testing — standard CLI tooling pattern, not credential exfiltration.	ai	2026/04/25
phantom-deps	phantom-dep:@salesforce/plugin-command-reference	AI (phantom-deps): Same-org Salesforce package used as an oclif devPlugin; phantom dep finding is not meaningful here.	ai	2026/04/25
phantom-deps	phantom-dep:@salesforce/cli-plugins-testkit	AI (phantom-deps): Same-org Salesforce package used as an oclif plugin dependency; phantom dep finding is not meaningful here.	ai	2026/04/25
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is used to decode GitHub API file content responses, which are always base64-encoded by the GitHub API. Legitimate and expected pattern.	ai	2026/04/25

Versions (showing 35 of 137)

Version	Deps	Published
5.7.53	22 / 10	2025-08-09
5.7.52	22 / 10	2025-08-02
5.7.51	22 / 10	2025-07-26
5.7.50	22 / 10	2025-07-26
5.7.49	22 / 10	2025-07-26
5.7.48	22 / 10	2025-07-22
5.7.47	22 / 10	2025-07-19
5.7.46	22 / 10	2025-07-19
5.7.45	22 / 10	2025-07-12
5.7.44	22 / 10	2025-07-12
5.7.43	22 / 10	2025-07-12
5.7.42	22 / 10	2025-07-05
5.7.41	22 / 10	2025-07-05
5.7.40	22 / 10	2025-06-29
5.7.39	22 / 10	2025-06-28
5.7.38	22 / 10	2025-06-21
5.7.37	22 / 10	2025-06-21
5.7.36	22 / 10	2025-06-15
5.7.35	22 / 10	2025-06-14
5.7.34	22 / 10	2025-06-07
5.7.33	22 / 10	2025-06-07
5.7.32	22 / 10	2025-05-24
5.7.31	22 / 10	2025-05-24
5.7.30	22 / 10	2025-05-18
5.7.29	22 / 10	2025-05-17
5.7.28	22 / 10	2025-05-17
5.7.27	22 / 10	2025-05-10
5.7.26	22 / 10	2025-05-10
5.7.25	22 / 10	2025-05-10
5.7.24	22 / 10	2025-05-04
5.7.23	22 / 10	2025-05-03
5.7.22	22 / 10	2025-05-03
5.7.21	22 / 10	2025-05-03
5.7.20	22 / 10	2025-04-26
5.7.19	22 / 10	2025-04-26