npmpackage.info

Gathering detailed insights and metrics for @auto-it/npm

Gathering detailed insights and metrics for @auto-it/npm

@auto-it/npm - 11.3.0 | npmpackage.info

@auto-it/npm

Generate releases based on semantic version labels on pull requests.

11.3.0

2,353

MIT

TypeScript

113.23 kB

Installations

npm install @auto-it/npm

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Node Version

16.18.1

NPM Version

lerna/7.1.4/node@v16.18.1+x64 (linux)

Pull Requests

Open

42

Total

1,954

Closed

319

Merged

1,593

Issues

Open

117

Total

479

Closed

362

Releases

647

v11.3.0

Updated on Oct 25, 2024

v11.2.1

Updated on Aug 28, 2024

v11.2.0

Updated on Jul 17, 2024

v11.1.6

Updated on Apr 04, 2024

v11.1.5

Updated on Apr 04, 2024

v11.1.4

Updated on Apr 04, 2024

View All 647 releases

Languages

3

TypeScript

JavaScript

Ruby

TypeScript (98.9%)

JavaScript (1.01%)

Ruby (0.09%)

Developer

Download Statistics

Total Downloads

0

Last Day

0

Last Week

0

Last Month

0

Last Year

0

GitHub Statistics

MIT License

2,353 Stars

6,357 Commits

210 Forks

17 Watchers

49 Branches

96 Contributors

Updated on Jul 16, 2025

Maintainers

1

View All 96 Contributors

Package Meta Information

Latest Version

11.3.0

Package Id

@auto-it/npm@11.3.0

Unpacked Size

113.23 kB

Size

27.56 kB

File Count

15

NPM Version

lerna/7.1.4/node@v16.18.1+x64 (linux)

Node Version

16.18.1

Published on

Oct 25, 2024

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

0%

NaN

Compared to previous day

Last Week

0%

NaN

Compared to previous week

Last Month

0%

NaN

Compared to previous month

Last Year

0%

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

14

@auto-it/core @auto-it/package-json-utils await-to-js endent env-ci fp-ts get-monorepo-packages io-ts registry-url semver tslib typescript-memoize url-join user-home

Dev Dependencies

5

@octokit/rest @types/env-ci @types/semver @types/url-join @types/user-home

NPM Plugin

Publish to NPM. Works in both a monorepo setting and for a single package. This plugin is loaded by default when auto is installed through npm. If you configure auto to use any other plugin this will be lost. So you must add the npm plugin to your plugins array if you still want NPM functionality.

Prerequisites

To publish to npm you will need an NPM_TOKEN set in your environment.

Warning! Avoid using the prepublishOnly script as it can lead to errors. Read more here.

Installation

This plugin is included with the auto CLI so you do not have to install it. To install if you are using the auto API directly:

1npm i --save-dev @auto-it/npm
2# or
3yarn add -D @auto-it/npm

WARNING: You can only use one "package manager" at a time! Mixing them will lead to undesired results.

Usage

1{
2  "plugins": [
3    "npm",
4    // or with options
5    ["npm", { "forcePublish": false }]
6    // other plugins
7  ]
8}

If you're using the noVersionPrefix option you will also need to add tag-version-prefix="" to your .npmrc. Otherwise when npm versions your code the tag it creates will have the v and auto will get confused.

Monorepo Usage

The npm plugin works out of the box with lerna in both independent and fixed mode. auto works on a repo basis and should be run from the root of the repo, not on each sub-package. No additional setup is required.

Do you have a package in your monorepo you don't want to publish but still want versioned? Just set that "private": true you that package's package.json!

Options

setRcToken

When running the shipit command auto will try to set your .npmrc token while publishing. To disable this feature you must set the setRcToken to false.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "setRcToken": false
7      }
8    ]
9  ]
10}

forcePublish

By default auto will force publish all packages for monorepos. To disable this behavior you must set the forcePublish to false.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "forcePublish": false
7      }
8    ]
9  ]
10}

exact

To force all packages publish with exact versions.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "exact": true
7      }
8    ]
9  ]
10}

subPackageChangelogs

auto will create a changelog for each sub-package in a monorepo. You can disable this behavior by using the subPackageChangelogs option.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "subPackageChangelogs": false
7      }
8    ]
9  ]
10}

monorepoChangelog

auto will group changelog lines by sub-packages in a monorepo. You can disable this behavior by using the monorepoChangelog option.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "monorepoChangelog": false
7      }
8    ]
9  ]
10}

commitNextVersion

Whether to create a commit for "next" version. The default behavior will only create the tags.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "commitNextVersion": true
7      }
8    ]
9  ]
10}

legacyAuth

When publishing packages that require authentication but you are working with an internally hosted npm registry that only uses the legacy Base64 version of username:password. This is the same as the NPM publish _auth flag.

For security this option only accepts a boolean. When this option is set true auto will pass --_auth $NPM_TOKEN to the publish command. Set $NPM_TOKEN to the "Base64 version of username:password".

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "legacyAuth": true
7      }
8    ]
9  ]
10}

publishFolder

When publishing packages from a folder other than the project root the publishFolder config can be set.

When used with npm generates command similar to npm publish <publishFolder> ... more info can be found here: npm-publish.

When used with lerna in a monorepo, this functionality implements the --contents <publishFolder> flag, more info can be found here: lerna publish --contents.

:exclamation: NOTE: This functionality should be combined with a valid npm Life Cycle script, otherwise the version of the produced package will not align with the calculated/expected version generated by auto. See Life Cycle Scripts for additional info.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "publishFolder": "./dist/some-dir"
7      }
8    ]
9  ]
10}

Life Cycle Scripts

During the publish routine, this plugin will execute (npm version|npx lerna version), and then immediately follow-up with (npm publish|npx lerna publish). If you're attempting to publish a package from a directory other than the project root, its likely you're doing some sort of repository or package.json manipulation in an attempt to cleanup (remove devDependencies, scripts, fields) or otherwise manually construct your published package. Since this process is likely invoked prior to the version and publish event enacted by this plugin, the version in your processed package.json would not match the new version the plugin is attempting to publish (unless you've accounted for this in some other fashion). This simply means we need to insert ourselves between the version and publish stages of this plugin and re-process or otherwise update the package.json file in our publishFolder.

Appropriate life cycle scripts (which operate after version but before publish) would include [postversion, prepublishOnly, or prepack]. Its worth noting the postversion life cycle script will be enacted in the context of your root package.json file, while prepublishOnly and prepack would be enacted in the context of your publishFolder package.json file.

Example life cycle script which is triggered after (npm version|npx lerna version) and before (npm publish|npx lerna publish):

{
  "scripts": {
    "postversion": "cd <publishFolder> && npm version $npm_package_version --no-git-tag-version --no-commit-hooks --ignore-scripts",
  }
}

:warning: Warning! Use caution when pairing long-running life cyle scripts with auto. Read more here.

canaryScope

Publishing canary versions comes with some security risks. If your project is private you have nothing to worry about and can skip these, but if your project is open source there are some security holes.

:warning: This feature works pretty easily/well for single packages. In a monorepo we have to deal with a lot more, and this options should be treated as experimental.

Setup

Create a test scope that you publish canaries under (ex: @auto-canary or @auto-test)
Create a user that only has access to that scope
Set the default NPM_TOKEN to a token that can publish to that scope (this is used for any pull request)
Set up a secure token that is only accessible on the main fork (still named NPM_TOKEN)
Set up alias (only monorepos)

Step 3 might not be possible on your build platform.

The following are the ways the auto team knows how to do it. If you do not see the method for you build platform, please make a pull request!

Platform Solutions:

CircleCI Context - Contexts provide a mechanism for securing and sharing environment variables across projects. The environment variables are defined as name/value pairs and are injected at runtime.

1{
2  "plugins": [
3    [
4      "npm",
5      {
6        "canaryScope": "@auto-canary"
7      }
8    ]
9  ]
10}

Set up alias

If you are managing a non-monorepo you do not have to do anything for this step! If you manage a monorepo we still have to do handle our packages importing each other. Since we just changed the name of the package all imports to our packages are now broken!

There are multiple ways to make this work and the solution might be different depending on your build target.

module-alias - Modifiy node's require for your canary deploys (This is what auto uses). Useful for node packages
Webpack Aliases Modify scoped requires for webpack based projects.
babel-plugin-module-resolver - A Babel plugin to add a new resolver for your modules when compiling your code using Babel.

Troubleshooting

npm ERR! need auth auth required for publishing

This error will occur when you do not have a NPM_TOKEN set.

Still getting errors?!

Make sure that npm is trying to publish to the correct registry. Force npm/lerna to use the public registry by adding the following to your package.json:

1{
2  "publishConfig": {
3    "registry": "https://registry.npmjs.org/",
4    "access": "public"
5  }
6}

Empty State

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

6

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Fuzzing

Determines if the project uses fuzzing.

0

Security-Policy

Determines if the project has published a security policy.

0

Signed-Releases

Determines if the project cryptographically signs release artifacts.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

86 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
Warn: Project is vulnerable to: GHSA-w8qv-6jwh-64r5
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-q8pj-2vqx-8ggc
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q
Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-mhxj-85r3-2x55
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
Warn: Project is vulnerable to: GHSA-4wx3-54gh-9fr9
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4
Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g
Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Warn: Project is vulnerable to: GHSA-vxf5-wxwp-m7g9
Warn: Project is vulnerable to: GHSA-9gr3-7897-pp7m
Warn: Project is vulnerable to: GHSA-25mp-g6fv-mqxx
Warn: Project is vulnerable to: GHSA-fmvm-x8mv-47mj
Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc
Warn: Project is vulnerable to: GHSA-g77x-44xx-532m
Warn: Project is vulnerable to: GHSA-7gfc-8cq8-jh5f
Warn: Project is vulnerable to: GHSA-qpjv-v59x-3qc4
Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
Warn: Project is vulnerable to: GHSA-px4h-xg32-q955
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
Warn: Project is vulnerable to: GHSA-22r3-9w55-cj54
Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
Warn: Project is vulnerable to: GHSA-926x-m6m5-3mmp
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-g4rg-993r-mgx7
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693
Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc

Score

3.1

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.