← Home

@semantic-release/npm

npm Repository Homepage

semantic-release plugin to publish a npm package

100
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

pvdlgsemantic-release-botgr2mtravi

Keywords

npmpublishregistrysemantic-releaseversion

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): semantic-release/npm uses GitHub Actions CI/CD with semantic-release for automated publishing; transition from semantic-release-bot to GitHub Actions is the expected workflow for this project. ai
phantom-deps phantom-dep:npm AI (phantom-deps): npm is a legitimate runtime dependency for this package — it wraps npm CLI functionality. Referenced in config files is expected behavior, not a phantom dep. ai

Versions (showing 100 of 111)

Version Deps Published
13.1.5 15 / 15
13.1.4 15 / 15
13.1.3 15 / 15
13.1.2 15 / 15
13.1.1 15 / 15
13.1.0 15 / 15
13.0.0 13 / 15
12.0.2 13 / 14
12.0.1 13 / 15
12.0.0 13 / 15
11.0.3 13 / 10
11.0.2 13 / 10
11.0.1 13 / 10
11.0.0 13 / 10
10.0.6 13 / 10
10.0.5 13 / 10
10.0.4 13 / 11
10.0.3 13 / 12
10.0.2 13 / 12
10.0.1 13 / 12
10.0.0 13 / 12
9.0.2 13 / 13
9.0.1 13 / 13
9.0.0 13 / 13
8.0.3 13 / 13
8.0.2 13 / 13
8.0.1 13 / 13
8.0.0 13 / 13
7.1.3 13 / 13
7.1.2 13 / 13
7.1.1 13 / 13
7.1.0 13 / 13
7.0.10 13 / 13
7.0.9 13 / 13
7.0.8 13 / 13
7.0.7 13 / 13
7.0.6 13 / 13
7.0.5 13 / 13
7.0.4 13 / 13
7.0.3 13 / 13
7.0.2 13 / 13
7.0.1 13 / 13
7.0.0 13 / 13
6.0.0 13 / 13
5.3.5 12 / 13
5.3.4 12 / 13
5.3.3 12 / 13
5.3.2 12 / 13
5.3.1 12 / 13
5.3.0 12 / 13
5.2.0 11 / 14
5.1.15 11 / 16
5.1.14 11 / 18
5.1.13 11 / 18
5.1.12 11 / 18
5.1.11 11 / 18
5.1.10 11 / 18
5.1.9 11 / 18
5.1.8 11 / 18
5.1.7 11 / 18
5.1.6 11 / 18
5.1.5 11 / 18
5.1.4 11 / 18
5.1.3 11 / 18
5.1.2 11 / 18
5.1.1 11 / 18
5.1.0 11 / 18
5.0.6 14 / 18
5.0.5 14 / 18
5.0.4 14 / 18
5.0.3 14 / 18
5.0.2 14 / 18
5.0.1 14 / 18
5.0.0 14 / 18
4.0.2 13 / 17
4.0.1 13 / 17
4.0.0 13 / 17
3.4.1 12 / 17
3.4.0 12 / 17
3.3.4 12 / 17
3.3.2 12 / 17
3.3.1 12 / 17
3.3.0 12 / 17
3.2.5 9 / 17
3.2.4 9 / 17
3.2.3 9 / 17
3.2.2 9 / 17
3.2.1 9 / 17
3.2.0 9 / 17
3.1.0 9 / 20
3.0.2 8 / 20
3.0.1 8 / 20
3.0.0 8 / 20
2.7.0 11 / 20
2.6.4 11 / 20
2.6.3 10 / 20
2.6.2 10 / 20
2.6.1 10 / 20
2.6.0 10 / 20
2.5.0 10 / 20
Showing 100 of 111 Next page →

v13.1.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.1.3

2 findings
HIGH Publisher changed: semantic-release-bot → GitHub Actions (on 2025-12-12) provenance

This version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.1.2

2 findings
HIGH Publisher changed: semantic-release-bot → GitHub Actions (on 2025-11-14) provenance

This version was published by a different npm account than previous versions on 2025-11-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.