conventional-changelog
Generate a changelog from git metadata.
Versions: 1
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: bcoe, oss-bot, dangreen, andytjoslin, stevemao, marionebl, tapppi
Keywords: conventional-changelog, conventional, changelog, log, cli
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer consolidation under oss-bot automation is a documented transition for the conventional-changelog org; removal of legacy maintainers is expected and not a takeover signal. | ai | |
| provenance | missing-githead | AI (provenance): Publisher changed to oss-bot (CI automation), which commonly omits gitHead. No malicious indicators; consistent with legitimate CI/CD publishing transition. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from stevemao to tommywo reflects a legitimate maintainer transition within the conventional-changelog GitHub org; tommywo has 111 approved packages and 6+ year npm history. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are known contributors to the conventional-changelog GitHub organization; this is a legitimate organizational handoff, not a compromise. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Both new deps (conventional-changelog-preset-loader, conventional-changelog-conventionalcommits) are part of the same conventional-changelog monorepo/org; legitimate feature additions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in cli.js is used to load user-supplied context files via CLI flags — an intentional, documented feature of this changelog CLI tool, not a security risk. | ai | |
| dependencies | unvetted-dep:conventional-changelog-eslint | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-atom | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-angular | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-core | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-conventionalcommits | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-codemirror | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-express | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-ember | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with strong publisher track record; lack of provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:conventional-changelog-jshint | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:conventional-changelog-jquery | AI (dependencies): First-party dep from the same conventional-changelog monorepo; stable pattern for this package. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): exec() calls are hardcoded git commands (e.g., 'git tag') needed for changelog generation — not dynamic input, not malicious. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Package generates changelogs by running git commands; child_process import is core to its documented purpose and not a security risk. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-conventionalcommits | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-atom | AI (phantom-deps): conventional-changelog is a meta-package; presets are loaded dynamically via preset-loader, not statically imported. Phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-ember | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-eslint | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-jquery | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-jshint | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-angular | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-express | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-codemirror | AI (phantom-deps): Same as above — dynamic preset loading means static import analysis will never find direct imports of preset packages. | ai | |
| source-diff | obfuscated-file:dist/ConventionalChangelog.js | AI (source-diff): File is compiled/bundled ESM output with readable class definitions and changelog logic. Long lines are bundler artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cli/cli.js | AI (source-diff): File is compiled/bundled ESM output, not obfuscated. Long lines are from bundler inlining; code is clearly readable CLI logic for conventional-changelog. | ai | |
| source-diff | obfuscated-file:dist/hostedGitInfo.mock.js | AI (source-diff): File is a test fixture/mock data file containing URL parsing test cases. Large size is due to data volume, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/hostedGitInfo.js | AI (source-diff): File is compiled/bundled ESM output with readable git hosting URL parsing logic. Long lines are bundler artifacts, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/normalize-package-data | AI (phantom-deps): TypeScript types package; loaded by convention. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:conventional-commits-parser | AI (phantom-deps): conventional-commits-parser is loaded dynamically via preset loader. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:normalize-package-data | AI (phantom-deps): normalize-package-data is loaded dynamically for package metadata processing. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:fd-package-json | AI (phantom-deps): fd-package-json is loaded dynamically for package.json discovery. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:meow | AI (phantom-deps): meow is a CLI argument parser; dynamically loaded by CLI entry point. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-preset-loader | AI (phantom-deps): conventional-changelog-preset-loader is loaded dynamically for preset discovery. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conventional-changelog/git-client | AI (phantom-deps): @conventional-changelog/git-client is loaded dynamically for git operations. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-writer | AI (phantom-deps): conventional-changelog-writer is loaded dynamically via preset loader. Stable pattern for this package. | ai | |
Versions (showing 1 of 101)
| Version | Deps | Published |
|---|---|---|
| 0.0.1 | 1 / 3 | |
v0.0.1 (1 finding)
- LOW, provenance: No provenance attestation. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.