conventional-changelog
Generate a changelog from git metadata.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer consolidation under oss-bot automation is a documented transition for the conventional-changelog org; removal of legacy maintainers is expected and not a takeover signal. | ai | |
| provenance | missing-githead | AI (provenance): Publisher changed to oss-bot (CI automation), which commonly omits gitHead. No malicious indicators; consistent with legitimate CI/CD publishing transition. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from stevemao to tommywo reflects a legitimate maintainer transition within the conventional-changelog GitHub org; tommywo has 111 approved packages and 6+ year npm history. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are known contributors to the conventional-changelog GitHub organization; this is a legitimate organizational handoff, not a compromise. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Both new deps (conventional-changelog-preset-loader, conventional-changelog-conventionalcommits) are part of the same conventional-changelog monorepo/org; legitimate feature additions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in cli.js is used to load user-supplied context files via CLI flags — an intentional, documented feature of this changelog CLI tool, not a security risk. | ai | |
| dependencies | unvetted-dep:conventional-changelog-eslint | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-atom | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-angular | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-core | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-conventionalcommits | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-codemirror | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-express | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-ember | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with strong publisher track record; lack of provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:conventional-changelog-jshint | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-jquery | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): exec() calls are hardcoded git commands (e.g., 'git tag') needed for changelog generation — not dynamic input, not malicious. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Package generates changelogs by running git commands; child_process import is core to its documented purpose and not a security risk. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-conventionalcommits | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-atom | AI (phantom-deps): conventional-changelog is a meta-package; presets are loaded dynamically via preset-loader, not statically imported. Phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-ember | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-eslint | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-jquery | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-jshint | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-angular | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-express | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-codemirror | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| source-diff | obfuscated-file:dist/ConventionalChangelog.js | AI (source-diff): File is compiled/bundled ESM output with readable class definitions and changelog logic. Long lines are bundler artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cli/cli.js | AI (source-diff): File is compiled/bundled ESM output, not obfuscated. Long lines are from bundler inlining; code is clearly readable CLI logic for conventional-changelog. | ai | |
| source-diff | obfuscated-file:dist/hostedGitInfo.mock.js | AI (source-diff): File is a test fixture/mock data file containing URL parsing test cases. Large size is due to data volume, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/hostedGitInfo.js | AI (source-diff): File is compiled/bundled ESM output with readable git hosting URL parsing logic. Long lines are bundler artifacts, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/normalize-package-data | AI (phantom-deps): TypeScript types package; loaded by convention. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:conventional-commits-parser | AI (phantom-deps): conventional-commits-parser is loaded dynamically via preset loader. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:normalize-package-data | AI (phantom-deps): normalize-package-data is loaded dynamically for package metadata processing. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:fd-package-json | AI (phantom-deps): fd-package-json is loaded dynamically for package.json discovery. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:meow | AI (phantom-deps): meow is a CLI argument parser; dynamically loaded by CLI entry point. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-preset-loader | AI (phantom-deps): conventional-changelog-preset-loader is loaded dynamically for preset discovery. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conventional-changelog/git-client | AI (phantom-deps): @conventional-changelog/git-client is loaded dynamically for git operations. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-writer | AI (phantom-deps): conventional-changelog-writer is loaded dynamically via preset loader. Stable pattern for this package. | ai | |
Versions (showing 51 of 101)
| Version | Deps | Published |
|---|---|---|
| 7.2.0 | 9 / 0 | |
| 7.1.1 | 8 / 0 | |
| 7.1.0 | 8 / 0 | |
| 7.0.2 | 8 / 0 | |
| 7.0.1 | 8 / 0 | |
| 7.0.0 | 8 / 0 | |
| 6.0.0 | 11 / 0 | |
| 5.1.0 | 11 / 0 | |
| 5.0.0 | 11 / 0 | |
| 4.0.0 | 11 / 0 | |
| 3.1.25 | 11 / 0 | |
| 3.1.24 | 11 / 0 | |
| 3.1.23 | 11 / 0 | |
| 3.1.22 | 11 / 0 | |
| 3.1.21 | 11 / 0 | |
| 3.1.20 | 11 / 0 | |
| 3.1.19 | 11 / 0 | |
| 3.1.18 | 11 / 0 | |
| 3.1.17 | 11 / 0 | |
| 3.1.16 | 11 / 0 | |
| 3.1.15 | 11 / 0 | |
| 3.1.14 | 11 / 0 | |
| 3.1.13 | 11 / 0 | |
| 3.1.12 | 11 / 0 | |
| 3.1.10 | 11 / 0 | |
| 3.1.9 | 11 / 0 | |
| 3.1.8 | 11 / 0 | |
| 3.1.7 | 11 / 0 | |
| 3.1.6 | 11 / 0 | |
| 3.1.5 | 11 / 0 | |
| 3.1.4 | 11 / 0 | |
| 3.1.3 | 11 / 0 | |
| 3.1.2 | 11 / 0 | |
| 3.1.1 | 11 / 0 | |
| 3.0.6 | 10 / 0 | |
| 3.0.5 | 10 / 0 | |
| 3.0.4 | 10 / 0 | |
| 3.0.3 | 10 / 0 | |
| 3.0.2 | 10 / 0 | |
| 3.0.1 | 10 / 0 | |
| 2.0.3 | 11 / 2 | |
| 2.0.2 | 11 / 2 | |
| 2.0.1 | 11 / 2 | |
| 2.0.0 | 11 / 2 | |
| 1.1.24 | 11 / 2 | |
| 1.1.23 | 11 / 2 | |
| 1.1.22 | 11 / 2 | |
| 1.1.21 | 11 / 2 | |
| 1.1.20 | 11 / 2 | |
| 1.1.19 | 11 / 2 | |
| 1.1.18 | 11 / 2 | |
v6.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-05-03. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.
This version was published by a different npm account than previous versions on 2023-09-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.
This version was published by a different npm account than previous versions on 2023-08-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.
This version was published by a different npm account than previous versions on 2023-06-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.25
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oss-bot.
This version was published by a different npm account than previous versions on 2021-12-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.24
2 findings
This version was published by a different npm account than previous versions on 2020-11-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.23
2 findings
This version was published by a different npm account than previous versions on 2020-08-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.22
2 findings
This version was published by a different npm account than previous versions on 2020-06-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.21
2 findings
This version was published by a different npm account than previous versions on 2020-05-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.20
2 findings
This version was published by a different npm account than previous versions on 2020-05-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.19
2 findings
This version was published by a different npm account than previous versions on 2019-12-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.18
2 findings
This version was published by a different npm account than previous versions on 2019-12-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.17
2 findings
This version was published by a different npm account than previous versions on 2019-11-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.16
2 findings
This version was published by a different npm account than previous versions on 2019-11-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.15
2 findings
This version was published by a different npm account than previous versions on 2019-11-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.14
2 findings
This version was published by a different npm account than previous versions on 2019-11-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.13
2 findings
This version was published by a different npm account than previous versions on 2019-10-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.12
2 findings
This version was published by a different npm account than previous versions on 2019-10-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.10
2 findings
This version was published by a different npm account than previous versions on 2019-07-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.9
2 findings
This version was published by a different npm account than previous versions on 2019-05-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.8
2 findings
This version was published by a different npm account than previous versions on 2019-05-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.7
2 findings
This version was published by a different npm account than previous versions on 2019-05-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.6
2 findings
This version was published by a different npm account than previous versions on 2019-05-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.5
2 findings
This version was published by a different npm account than previous versions on 2019-04-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
2 findings
This version was published by a different npm account than previous versions on 2019-04-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
2 findings
This version was published by a different npm account than previous versions on 2019-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
2 findings
This version was published by a different npm account than previous versions on 2019-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
2 findings
This version was published by a different npm account than previous versions on 2019-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
2 findings
This version was published by a different npm account than previous versions on 2019-02-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.5
2 findings
This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
2 findings
This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
2 findings
This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
2 findings
This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
2 findings
This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-08-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-08-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-06-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-05-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.24
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.23
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-03-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.22
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.21
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.20
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.19
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-03-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.18
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hbetts.
This version was published by a different npm account than previous versions on 2018-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.