Gathering detailed insights and metrics for @commitlint/cli
Gathering detailed insights and metrics for @commitlint/cli
Installations
npm install @commitlint/cliDeveloper Guide
BETA
Typescript
No
Module System
ESM
Min. Node Version
>=v18
Node Version
18.20.8
NPM Version
lerna/8.2.2/node@v18.20.8+arm64 (darwin)
Score
87.3
Supply Chain
63.6
Quality
85.5
Maintenance
100
Vulnerability
95.6
License
Releases
167
Languages
2
TypeScript
JavaScript
TypeScript (90.61%)
JavaScript (9.39%)
Developer
Download Statistics
Total Downloads
526,179,686
Last Day
208,927
Last Week
4,060,577
Last Month
17,287,017
Last Year
173,001,652
GitHub Statistics
MIT License
17,688 Stars
3,061 Commits
929 Forks
63 Watchers
26 Branches
273 Contributors
Updated on Jul 08, 2025
Bundle Size
274.00 B
Minified
196.00 B
Minified + Gzipped
Maintainers
4
Package Meta Information
Latest Version
19.8.1
Package Id
@commitlint/cli@19.8.1
Unpacked Size
31.69 kB
Size
9.52 kB
File Count
17
NPM Version
lerna/8.2.2/node@v18.20.8+arm64 (darwin)
Node Version
18.20.8
Published on
May 08, 2025
Total Downloads
Cumulative downloads
Total Downloads
526,179,686
Last Day
-12.7%
208,927
Compared to previous day
Last Week
-9.1%
4,060,577
Compared to previous week
Last Month
6.8%
17,287,017
Compared to previous month
Last Year
37.1%
173,001,652
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Get Started | Website
Lint commit messages
Demo generated with svg-term-cli
cat docs/assets/commitlint.json | svg-term --out docs/public/assets/commitlint.svg --frame --profile=Seti --height=20 --width=80
- 🚓 Be a good
commitizen - 📦 Share configuration via
npm - 🤖 Tap into
conventional-changelog
Contents
What is commitlint
commitlint checks if your commit messages meet the conventional commit format.
In general the pattern mostly looks like this:
1type(scope?): subject #scope is optional; multiple scopes are supported (current delimiter options: "/", "\" and ",")
Real world examples can look like this:
1chore: run tests on travis ci
1fix(server): send cors headers
1feat(blog): add comment section
Common types according to commitlint-config-conventional (based on the Angular convention) can be:
- build
- chore
- ci
- docs
- feat
- fix
- perf
- refactor
- revert
- style
- test
These can be modified by your own configuration.
Benefits of using commitlint
Getting started
- Local setup - Lint messages on commit with husky
- CI setup - Lint messages during CI builds
CLI
- Primary way to interact with commitlint.
npm install --save-dev @commitlint/cli- Packages: cli
Config
- Configuration is picked up from:
.commitlintrc.commitlintrc.json.commitlintrc.yaml.commitlintrc.yml.commitlintrc.js.commitlintrc.cjs.commitlintrc.mjs.commitlintrc.ts.commitlintrc.ctscommitlint.config.jscommitlint.config.cjscommitlint.config.mjscommitlint.config.tscommitlint.config.ctscommitlintfield inpackage.jsoncommitlintfield inpackage.yaml
- Packages: cli, core
- See Rules for a complete list of possible rules
- An example configuration can be found at @commitlint/config-conventional
Important note about Node 24+
Node v24 changes the way that modules are loaded, and this includes the commitlint config file. If your project does not contain a package.json, commitlint may fail to load the config, resulting in a Please add rules to your commitlint.config.js error message. This can be fixed by doing either of the following:
- Add a
package.jsonfile, declaring your project as an ES6 module. This can be done easily by runningnpm init es6. - Rename the config file from
commitlint.config.jstocommitlint.config.mjs.
Shared configuration
A number of shared configurations are available to install and use with commitlint:
- @commitlint/config-angular
- @commitlint/config-conventional
- @commitlint/config-lerna-scopes
- @commitlint/config-nx-scopes
- @commitlint/config-patternplate
- @commitlint/config-workspace-scopes
- conventional-changelog-lint-config-atom
- conventional-changelog-lint-config-canonical
⚠️ If you want to publish your own shareable config then make sure it has a name aligning with the pattern
commitlint-config-emoji-logorcommitlint-config-your-config-name— then in extend all you have to write isemoji-logoryour-config-name.
Documentation
Check the main website.
API
- Alternative, programmatic way to interact with
commitlint - Packages:
- See API for a complete list of methods and examples
Tools
Roadmap
commitlint is considered stable and is used in various projects as a development tool.
Version Support and Releases
- Node.js LTS
>= 18 - git
>= 2.13.2
Releases
Security patches will be applied to versions which are not yet EOL.
Features will only be applied to the current main version.
| Release | Initial release |
|---|---|
| v19 | 02/2024 |
| v18 | 10/2023 |
EOL is usually after around a year.
We're not a sponsored OSS project. Therefore we can't promise that we will release patch versions for older releases in a timely manner.
If you are stuck on an older version and need a security patch we're happy if you can provide a PR.
Related projects
- conventional-changelog Generate a changelog from conventional commit history
- commitizen Simple commit conventions for internet citizens
- create-semantic-module CLI for quickly integrating commitizen and commitlint in new or existing projects
License
Copyright by @marionebl. All commitlint packages are released under the MIT license.
Development
commitlint is developed in a mono repository.
Install and run
1git clone git@github.com:conventional-changelog/commitlint.git 2cd commitlint 3yarn 4yarn run build # run build tasks 5yarn start # run tests, again on change 6yarn run commitlint # run CLI
For more information on how to contribute please take a look at our contribution guide.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: license.md:0
- Info: FSF or OSI recognized license: MIT License: license.md:0
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/container-build.yml:12
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/CI.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/CI.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/CI.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/CI.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/CI.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/commitlint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/commitlint.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/commitlint.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/commitlint.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container-build.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/container-build.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-deploy.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/docs-deploy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-deploy.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/docs-deploy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-deploy.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/docs-deploy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-deploy.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/docs-deploy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-deploy.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/conventional-changelog/commitlint/docs-deploy.yml/master?enable=pin
- Warn: containerImage not pinned by hash: Dockerfile.ci:2
- Warn: containerImage not pinned by hash: Dockerfile.ci:29: pin your Docker image by updating docker.io/library/node:18-alpine to docker.io/library/node:18-alpine@sha256:8d6421d663b4c28fd3ebc498332f249011d118945588d0a35cb9bc4b8ca09d9e
- Warn: containerImage not pinned by hash: Dockerfile.dev:2: pin your Docker image by updating brainpower/node-cubicle to brainpower/node-cubicle@sha256:6e49767749c600da4405b0acc7b7a7494db077f39f6464b904473d1068302542
- Warn: npmCommand not pinned by hash: Dockerfile.ci:32-35
- Warn: npmCommand not pinned by hash: .github/workflows/CI.yml:77
- Info: 0 out of 13 GitHub-owned GitHubAction dependencies pinned
- Info: 5 out of 5 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 containerImage dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/CI.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/commitlint.yml:9
- Warn: no topLevel permission defined: .github/workflows/container-build.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/docs-deploy.yml:10
- Info: no jobLevel write permissions found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Score
6.2
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More