semantic-release
Automated semver compliant package publishing
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): semantic-release migrated publishing to GitHub Actions CI/CD with SLSA provenance attestation; this publisher change is legitimate and verifiable for this package. | ai | |
| dependencies | unvetted-dep:figures | AI (dependencies): figures is a well-known sindresorhus terminal symbols utility; a legitimate, benign dependency for semantic-release's CLI output. | ai | |
| phantom-deps | phantom-dep:@semantic-release/github | AI (phantom-deps): Default plugin loaded dynamically at runtime. Same pattern as @semantic-release/npm — stable false positive. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): semantic-release is CI/CD tooling that intentionally propagates process.env to child git processes. This is expected behavior, not a vulnerability, and is stable across all versions. | ai | |
| phantom-deps | phantom-dep:@semantic-release/release-notes-generator | AI (phantom-deps): Default plugin loaded dynamically at runtime. Stable false positive for this plugin-based architecture. | ai | |
| phantom-deps | phantom-dep:@semantic-release/commit-analyzer | AI (phantom-deps): Default plugin loaded dynamically at runtime. Stable false positive for this plugin-based architecture. | ai | |
| phantom-deps | phantom-dep:@semantic-release/npm | AI (phantom-deps): Default plugin loaded dynamically at runtime via resolve-from/import-from-esm; static import analysis cannot detect this pattern. Stable false positive for this package. | ai | |
Versions (showing 51 of 325)
| Version | Deps | Published |
|---|---|---|
| 25.0.3 | 28 / 23 | |
| 25.0.2 | 29 / 23 | |
| 24.2.9 | 29 / 23 | |
| 24.2.7 | 29 / 23 | |
| 24.2.6 | 29 / 23 | |
| 24.2.3 | 29 / 23 | |
| 24.2.2 | 29 / 21 | |
| 24.2.1 | 29 / 21 | |
| 24.1.2 | 29 / 21 | |
| 24.0.0 | 29 / 22 | |
| 23.1.0 | 29 / 22 | |
| 23.0.8 | 29 / 22 | |
| 23.0.7 | 29 / 22 | |
| 23.0.6 | 29 / 22 | |
| 23.0.5 | 29 / 22 | |
| 23.0.4 | 29 / 22 | |
| 23.0.3 | 29 / 22 | |
| 23.0.2 | 29 / 22 | |
| 23.0.1 | 29 / 22 | |
| 23.0.0 | 29 / 22 | |
| 22.0.12 | 29 / 22 | |
| 22.0.11 | 29 / 22 | |
| 22.0.10 | 29 / 22 | |
| 22.0.9 | 29 / 22 | |
| 22.0.8 | 29 / 22 | |
| 22.0.7 | 28 / 22 | |
| 22.0.6 | 28 / 22 | |
| 22.0.5 | 28 / 17 | |
| 22.0.4 | 28 / 17 | |
| 22.0.3 | 28 / 17 | |
| 22.0.2 | 28 / 17 | |
| 22.0.1 | 28 / 17 | |
| 22.0.0 | 28 / 17 | |
| 21.1.2 | 28 / 17 | |
| 21.1.1 | 28 / 17 | |
| 21.1.0 | 28 / 17 | |
| 21.0.9 | 28 / 17 | |
| 21.0.8 | 28 / 17 | |
| 21.0.7 | 28 / 17 | |
| 21.0.6 | 28 / 17 | |
| 21.0.5 | 28 / 17 | |
| 21.0.4 | 28 / 17 | |
| 21.0.3 | 28 / 17 | |
| 21.0.2 | 28 / 18 | |
| 21.0.1 | 28 / 18 | |
| 21.0.0 | 28 / 18 | |
| 20.1.3 | 28 / 18 | |
| 20.1.2 | 28 / 18 | |
| 20.1.1 | 28 / 18 | |
| 20.1.0 | 28 / 18 | |
| 20.0.4 | 28 / 18 | |
v25.0.3
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/semantic-release/semantic-release/blob/f4041244addfdea14558cbb11cc7211fb797943f/lib/git.js#L54

```javascript
  52 |   gitLogParser.parse(
  53 |     { _: `${from ? from + ".." : ""}${to}` },
> 54 |     { cwd: execaOptions.cwd, env: { ...process.env, ...execaOptions.env } }
  55 |   )
  56 | )
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.2
2 findings

This version was published by a different npm account than previous versions on 2025-11-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.9
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.7
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.6
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.3
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.2
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.1
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.1.2
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.0.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.1.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.