@continuous-auth/semantic-release-npm

v4.0.0

semantic-release plugin to publish a npm package For more information about how to use this package see README

Latest version published 6 months ago

License: MIT

NPM

GitHub

Package Health Score

74 / 100

security
No known security issues
popularity
Small
maintenance
Sustainable
community
Sustainable

Explore Similar Packages

Security

No known security issues

All security vulnerabilities belong to production dependencies of direct and indirect packages.

Security and license risk for significant versions

All Versions

Version				Vulnerabilities	License Risk
4.0.0	\|	10/2023		0 C 0 H 0 M 0 L	0 H 0 M 0 L
3.0.0	\|	09/2022		0 C 0 H 0 M 0 L	0 H 0 M 0 L
2.0.0	\|	07/2019	Popular	0 C 0 H 0 M 0 L	0 H 0 M 0 L
1.0.3	\|	04/2019		0 C 0 H 0 M 0 L	0 H 0 M 0 L

License

MIT

Security Policy

Is your project affected by vulnerabilities?

Scan your projects for vulnerabilities. Fix quickly with automated fixes. Get started with Snyk for free.

Get started free

Popularity

Small

Weekly Downloads (1,875)

GitHub Stars: 230
Forks: 106
Contributors: 30

Direct Usage Popularity

The npm package @continuous-auth/semantic-release-npm receives a total of 1,875 downloads a week. As such, we scored @continuous-auth/semantic-release-npm popularity level to be Small.

Based on project statistics from the GitHub repository for the npm package @continuous-auth/semantic-release-npm, we found that it has been starred 230 times.

Downloads are calculated as moving averages for a period of the last 12 months, excluding weekends and known missing data points.

Community

Sustainable

Readme.md: Yes
Contributing.md: No
Code of Conduct: No
Contributors: 30
Funding: No

With more than 10 contributors for the @continuous-auth/semantic-release-npm repository, this is possibly a sign for a growing and inviting community.

We found a way for you to contribute to the project! Looks like @continuous-auth/semantic-release-npm is missing a Code of Conduct.

Embed Package Health Score Badge

Maintenance

Sustainable

Commit Frequency

Open Issues: 42
Open PR: 10
Last Release: 6 months ago
Last Commit: 1 day ago

Further analysis of the maintenance status of @continuous-auth/semantic-release-npm based on released npm versions cadence, the repository activity, and other data points determined that its maintenance is Sustainable.

We found that @continuous-auth/semantic-release-npm demonstrates a positive version release cadence with at least one new version released in the past 12 months.

As a healthy sign for on-going project maintenance, we found that the GitHub repository had at least 1 pull request or issue interacted with by the community.

Keep your project healthy

Check your package.json

Ensure all the packages you're using are healthy and well-maintained

Snyk Vulnerability Scanner

Get health score & security insights directly in your IDE

Package

Node.js Compatibility: ^18.17 || >=20

Age: 5 years
Dependencies: 14 Direct
Versions: 5
Install Size: 28.9 kB
Dist-tags: 2
# of Files: 16
Maintainers: 1
TS Typings: No

@continuous-auth/semantic-release-npm has more than a single and default latest tag published for the npm package. This means, there may be other tags available for this package, such as next to indicate future releases, or stable to indicate stable releases.

Readme

@continuous-auth/semantic-release-npm

semantic-release plugin to publish a npm package using CFA for 2FA codes.

Step	Description
`verifyConditions`	Verify the presence of the `NPM_TOKEN` environment variable, or an `.npmrc` file, and verify the authentication method is valid.
`prepare`	Update the `package.json` version and create the npm package tarball.
`addChannel`	Add a release to a dist-tag.
`publish`	Publish the npm package to the registry.

Install

$ npm install @continuous-auth/semantic-release-npm -D

Usage

The plugin can be configured in the semantic-release configuration file:

{
  "plugins": ["@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator", "@continuous-auth/semantic-release-npm"]
}

Configuration

npm registry authentication

The npm token authentication configuration is required and can be set via environment variables.

Automation tokens are recommended since they can be used for an automated workflow, even when your account is configured to use the auth-and-writes level of 2FA.

npm provenance

If you are publishing to the official registry and your pipeline is on a provider that is supported by npm for provenance, npm can be configured to publish with provenance.

Since semantic-release wraps the npm publish command, configuring provenance is not exposed directly. Instead, provenance can be configured through the other configuration options exposed by npm. Provenance applies specifically to publishing, so our recommendation is to configure under publishConfig within the package.json.

npm provenance on GitHub Actions

For package provenance to be signed on the GitHub Actions CI the following permission is required to be enabled on the job:

permissions:
  id-token: write # to enable use of OIDC for npm provenance

It's worth noting that if you are using semantic-release to its fullest with a GitHub release, GitHub comments, and other features, then more permissions are required to be enabled on this job:

permissions:
  contents: write # to be able to publish a GitHub release
  issues: write # to be able to comment on released issues
  pull-requests: write # to be able to comment on released pull requests
  id-token: write # to enable use of OIDC for npm provenance

Refer to the GitHub Actions recipe for npm package provenance for the full CI job's YAML code example.

Environment variables

Variable	Description
`NPM_TOKEN`	Npm token created via npm token create
`CFA_PROJECT_ID`	Project ID on CFA
`CFA_SECRET`	Secret configured on CFA for this repository

Options

Options	Description	Default
`npmPublish`	Whether to publish the `npm` package to the registry. If `false` the `package.json` version will still be updated.	`false` if the `package.json` private property is `true`, `true` otherwise.
`pkgRoot`	Directory path to publish.	`.`
`tarballDir`	Directory path in which to write the package tarball. If `false` the tarball is not be kept on the file system.	`false`

Note: The pkgRoot directory must contain a package.json. The version will be updated only in the package.json and npm-shrinkwrap.json within the pkgRoot directory.

Note: If you use a shareable configuration that defines one of these options you can set it to false in your semantic-release configuration in order to use the default value.

npm configuration

The plugin uses the npm CLI which will read the configuration from .npmrc. See npm config for the option list.

The registry can be configured via the npm environment variable NPM_CONFIG_REGISTRY and will take precedence over the configuration in .npmrc.

The registry and dist-tag can be configured under publishConfig in the package.json:

{
  "publishConfig": {
    "registry": "https://registry.npmjs.org/",
    "tag": "latest"
  }
}

Notes:

The presence of an .npmrc file will override any specified environment variables.
The presence of registry or dist-tag under publishConfig in the package.json will take precedence over the configuration in .npmrc and NPM_CONFIG_REGISTRY

Examples

The npmPublish and tarballDir option can be used to skip the publishing to the npm registry and instead, release the package tarball with another plugin. For example with the @semantic-release/github plugin:

{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    [
      "@continuous-auth/semantic-release-npm",
      {
        "npmPublish": false,
        "tarballDir": "dist"
      }
    ],
    [
      "@semantic-release/github",
      {
        "assets": "dist/*.tgz"
      }
    ]
  ]
}

When publishing from a sub-directory with the pkgRoot option, the package.json and npm-shrinkwrap.json updated with the new version can be moved to another directory with a postversion. For example with the @semantic-release/git plugin:

{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    [
      "@continuous-auth/semantic-release-npm",
      {
        "pkgRoot": "dist"
      }
    ],
    [
      "@semantic-release/git",
      {
        "assets": ["package.json", "npm-shrinkwrap.json"]
      }
    ]
  ]
}

{
  "scripts": {
    "postversion": "cp -r package.json .. && cp -r npm-shrinkwrap.json .."
  }
}

@continuous-auth/semantic-release-npm dependencies

@continuous-auth/client @semantic-release/error aggregate-error execa fs-extra lodash-es nerf-dart normalize-url npm rc read-pkg registry-auth-token semver tempy

@continuous-auth/semantic-release-npm development dependencies

ava c8 codecov dockerode got p-retry prettier semantic-release sinon stream-buffers

FAQs

What is @continuous-auth/semantic-release-npm?

semantic-release plugin to publish a npm package. Visit Snyk Advisor to see a full health score report for @continuous-auth/semantic-release-npm, including popularity, security, maintenance & community analysis.

Is @continuous-auth/semantic-release-npm popular?

The npm package @continuous-auth/semantic-release-npm receives a total of 1,875 weekly downloads. As such, @continuous-auth/semantic-release-npm popularity was classified as small. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is @continuous-auth/semantic-release-npm well maintained?

We found indications that @continuous-auth/semantic-release-npm maintenance is sustainable demonstrating some project activity. We saw a total of 30 open source contributors collaborating on the project. See the full package health analysis to learn more about the package maintenance status.

Is @continuous-auth/semantic-release-npm safe to use?

The npm package @continuous-auth/semantic-release-npm was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use. See the full health analysis review.

Last updated on 25 April-2024, at 21:49 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP

Package Health Score

Explore Similar Packages

Security and license risk for significant versions

Is your project affected by vulnerabilities?

Weekly Downloads (1,875)

Direct Usage Popularity

Embed Package Health Score Badge

Commit Frequency

Keep your project healthy

Check your package.json

Snyk Vulnerability Scanner

Readme

@continuous-auth/semantic-release-npm

Install

Usage

Configuration

npm registry authentication

npm provenance

npm provenance on GitHub Actions

Environment variables

Options

npm configuration

Examples

@continuous-auth/semantic-release-npm dependencies

@continuous-auth/semantic-release-npm development dependencies

FAQs

What is @continuous-auth/semantic-release-npm?

Is @continuous-auth/semantic-release-npm popular?

Is @continuous-auth/semantic-release-npm well maintained?

Is @continuous-auth/semantic-release-npm safe to use?

Build a secure application checklist

Select a recommended open source package

Scan your app for vulnerabilities

Source Code

Open Source

Container

Config

Fix identified vulnerabilities

Monitor for new issues