Gathering detailed insights and metrics for semantic-release
Gathering detailed insights and metrics for semantic-release
📦🚀 Fully automated version management and package publishing
Installations
npm install semantic-releaseDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=20.8.1
Node Version
22.17.0
NPM Version
10.9.3
Releases
425
v24.2.7
v24.2.7
Updated on Jul 11, 2025
v25.0.0-alpha.4
v25.0.0-alpha.4
Updated on Jul 10, 2025
v25.0.0-alpha.3
v25.0.0-alpha.3
Updated on Jul 10, 2025
v25.0.0-alpha.2
v25.0.0-alpha.2
Updated on Jul 09, 2025
v25.0.0-alpha.1
v25.0.0-alpha.1
Updated on Jul 09, 2025
v25.0.0-beta.3
v25.0.0-beta.3
Updated on Jul 03, 2025
Languages
1
JavaScript
JavaScript (100%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
22,223 Stars
1,807 Commits
1,747 Forks
59 Watchers
14 Branches
245 Contributors
Updated on Jul 13, 2025
Maintainers
4
Package Meta Information
Latest Version
24.2.7
Package Id
semantic-release@24.2.7
Unpacked Size
285.93 kB
Size
72.32 kB
File Count
66
NPM Version
10.9.3
Node Version
22.17.0
Published on
Jul 11, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
29
@semantic-release/commit-analyzer@semantic-release/error@semantic-release/github@semantic-release/npm@semantic-release/release-notes-generatoraggregate-errorcosmiconfigdebugenv-ciexecafiguresfind-versionsget-streamgit-log-parserhook-stdhosted-git-infoimport-from-esmlodash-esmarkedmarked-terminalmicromatchp-each-seriesp-reduceread-package-upresolve-fromsemversemver-diffsignaleyargs
📦🚀 semantic-release
Fully automated version management and package publishing
semantic-release automates the whole package release workflow including: determining the next version number, generating the release notes, and publishing the package.
This removes the immediate connection between human emotions and version numbers, strictly following the Semantic Versioning specification and communicating the impact of changes to consumers.
Trust us, this will change your workflow for the better. – egghead.io
Highlights
- Fully automated release
- Enforce Semantic Versioning specification
- New features and fixes are immediately available to users
- Notify maintainers and users of new releases
- Use formalized commit message convention to document changes in the codebase
- Publish on different distribution channels (such as npm dist-tags) based on git merges
- Integrate with your continuous integration workflow
- Avoid potential errors associated with manual releases
- Support any package managers and languages via plugins
- Simple and reusable configuration via shareable configurations
- Support for npm package provenance that promotes increased supply-chain security via signed attestations on GitHub Actions
How does it work?
Commit message format
semantic-release uses the commit messages to determine the consumer impact of changes in the codebase. Following formalized conventions for commit messages, semantic-release automatically determines the next semantic version number, generates a changelog and publishes the release.
By default, semantic-release uses Angular Commit Message Conventions.
The commit message format can be changed with the preset or config options of the @semantic-release/commit-analyzer and @semantic-release/release-notes-generator plugins.
Tools such as commitizen or commitlint can be used to help contributors and enforce valid commit messages.
The table below shows which commit message gets you which release type when semantic-release runs (using the default configuration):
| Commit message | Release type |
|---|---|
fix(pencil): stop graphite breaking when too much pressure applied | |
feat(pencil): add 'graphiteWidth' option | |
perf(pencil): remove graphiteWidth optionBREAKING CHANGE: The graphiteWidth option has been removed.The default graphite width of 10mm is always used for performance reasons. | (Note that the BREAKING CHANGE: token must be in the footer of the commit) |
Automation with CI
semantic-release is meant to be executed on the CI environment after every successful build on the release branch. This way no human is directly involved in the release process and the releases are guaranteed to be unromantic and unsentimental.
Triggering a release
For each new commit added to one of the release branches (for example: master, main, next, beta), with git push or by merging a pull request or merging from another branch, a CI build is triggered and runs the semantic-release command to make a release if there are codebase changes since the last release that affect the package functionalities.
semantic-release offers various ways to control the timing, the content and the audience of published releases. See example workflows in the following recipes:
Release steps
After running the tests, the command semantic-release will execute the following steps:
| Step | Description |
|---|---|
| Verify Conditions | Verify all the conditions to proceed with the release. |
| Get last release | Obtain the commit corresponding to the last release by analyzing Git tags. |
| Analyze commits | Determine the type of release based on the commits added since the last release. |
| Verify release | Verify the release conformity. |
| Generate notes | Generate release notes for the commits added since the last release. |
| Create Git tag | Create a Git tag corresponding to the new release version. |
| Prepare | Prepare the release. |
| Publish | Publish the release. |
| Notify | Notify of new releases or errors. |
Requirements
In order to use semantic-release you need:
- To host your code in a Git repository
- Use a Continuous Integration service that allows you to securely set up credentials
- A Git CLI version that meets our version requirement installed in your Continuous Integration environment
- A Node.js version that meets our version requirement installed in your Continuous Integration environment
Documentation
- Usage
- Extending
- Recipes
- Developer guide
- Support
Get help
Badge
Let people know that your package is published using semantic-release and which commit-convention is followed by including this badge in your readme.
1[](https://github.com/semantic-release/semantic-release)
Team
 |  |  |
|---|---|---|
| Gregor Martynus | Pierre Vanduynslager | Matt Travi |
Alumni
 |  |  |  |  |
|---|---|---|---|---|
| Stephan Bönnemann | Rolf Erik Lekang | Johannes Jörg Schmidt | Finn Pauls | Christoph Witzko |
High
8.1/10
Summary
Secret disclosure when containing characters that become URI encoded
Affected Versions
<= 17.2.2
Patched Versions
17.2.3
Moderate
4.4/10
Summary
Exposure of Sensitive Information to an Unauthorized Actor in semantic-release
Affected Versions
>= 17.0.4, < 19.0.3
Patched Versions
19.0.3
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
no binaries found in the repo
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:10
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:16
- Info: no jobLevel write permissions found
Reason
update tool detected
Details
- Info: detected update tool: Dependabot: :0
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:12
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/semantic-release/.github/.github/SECURITY.md:1
- Info: Found linked content: github.com/semantic-release/.github/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/semantic-release/.github/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/semantic-release/.github/.github/SECURITY.md:1
Reason
0 existing vulnerabilities detected
Reason
30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Reason
project has 29 contributing companies or organizations
Details
- Info: found contributions from: AfricaHackTrip, apple @semantic-release, conc-at, cucumber, dsmjs, dsmwebcollective, form8ion, go-semantic-release, greenkeeper-keeper, greenkeeperio, hearts, hoodiehq, interloom, johndeere, noBackend, nock, nodeschool, octoherd, octokit @octoherd @probot @nock @semantic-release @aontributors, opinionated-digital-center, probot, prosperity-solutions, repository-settings, robinhood, semantic-release, traverson, travi-org, travi-test, xebia
Reason
SAST tool is not run on all commits -- score normalized to 9
Details
- Warn: 27 commits out of 30 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 4
Details
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:28
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:46
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:65
- Info: 9 out of 9 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
8.8
/10
Last Scanned on 2025-07-12T21:47:57Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More