@semantic-release/last-release-npm
Determine the version of the last release via the npm registry
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): The transition from semantic-release to semantic-release-bot occurred in Dec 2016 and reflects the org's standard practice of using an automation bot. semantic-release-bot has 976 approved packages and is the official publisher for the @semantic-release scope. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): semantic-release-bot is the official automation account for the semantic-release org; its addition is a legitimate and long-standing organizational transition, not a compromise. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of the human semantic-release account in favor of the bot account is a documented org practice, not a hijack signal for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from gr2m to semantic-release-bot is the documented, well-known transition to the official semantic-release automation account. Occurred in 2017; bot has 970 approved packages and 0 rejections. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 2.0.2 | 3 / 18 | |
| 2.0.1 | 3 / 18 | |
| 2.0.0 | 3 / 11 | |
| 1.2.1 | 3 / 10 | |
| 1.2.0 | 3 / 10 | |
| 1.1.2 | 3 / 10 | |
| 1.1.1 | 3 / 10 | |
| 1.1.0 | 3 / 10 | |
| 1.0.1 | 3 / 10 | |
| 1.0.0 | 3 / 10 | |
v2.0.2
2 findings
This version was published by a different npm account than previous versions on 2017-10-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.0
3 findings
All previous maintainers (semantic-release) were replaced by new maintainers (semantic-release-bot). This is a strong signal of a potential package hijack and requires careful review.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-02. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.