
@anolilab/semantic-release-clean-package-json
Clean package.json before publish by removing unnecessary properties
A semantic-release plugin that cleans and optimizes package.json before publishing by removing unnecessary development and build-time properties
Daniel Bannert's open source work is supported by the community on GitHub Sponsors
When publishing packages to npm, many properties in package.json are only needed during development and build time, but not in the published package. This plugin automatically removes unnecessary properties while preserving essential ones needed for the package to work correctly in production.
Key benefits:
```sh
npm install @anolilab/semantic-release-clean-package-json
```

```sh
yarn add @anolilab/semantic-release-clean-package-json
```

```sh
pnpm add @anolilab/semantic-release-clean-package-json
```
The plugin can be configured in the semantic-release configuration file:
> [!IMPORTANT]
> Very important: The plugin must be placed before `@semantic-release/github` or `@semantic-release/git`, and before the `@anolilab/semantic-release-pnpm` or `@semantic-release/npm` plugin; otherwise the `package.json` will be cleaned and published to GitHub / your Git provider.
```json
{
    "plugins": [
        "@semantic-release/commit-analyzer",
        "@semantic-release/release-notes-generator",
        "@anolilab/semantic-release-clean-package-json",
        "@anolilab/semantic-release-pnpm",
        "@semantic-release/github"
    ]
}
```
| Step | Description |
|---|---|
| publish | - Creates a backup of the original package.json file<br>- Removes all non-preserved properties from package.json<br>- Keeps properties specified in the default list and custom keep option<br>- Preserves specific npm scripts if they are in the keep list<br>- Writes the cleaned package.json file |
| success | - Restores the original package.json from backup<br>- Updates the version number to match the released version<br>- Removes the backup file<br>- Logs success or error messages |
| Options | Description | Default |
|---|---|---|
| pkgRoot | Directory path to publish. | `.` |
| keep | Property names to keep. | `[]` |
Note: The pkgRoot directory must contain a package.json. The version will be updated only in the package.json and npm-shrinkwrap.json within the pkgRoot directory.
Note: If you use a shareable configuration that defines one of these options you can set it to false in your semantic-release configuration in order to use the default value.
The plugin can be configured with custom properties to keep in addition to the default preserved ones:
```json
{
    "plugins": [
        "@semantic-release/commit-analyzer",
        "@semantic-release/release-notes-generator",
        [
            "@anolilab/semantic-release-clean-package-json",
            {
                "keep": ["custom field"]
            }
        ],
        "@anolilab/semantic-release-pnpm",
        "@semantic-release/github"
    ]
}
```
When publishing a TypeScript package, you might want to keep TypeScript-specific fields:
```jsonc
{
    "plugins": [
        "@semantic-release/commit-analyzer",
        "@semantic-release/release-notes-generator",
        [
            "@anolilab/semantic-release-clean-package-json",
            {
                // These are the default values, shown only as an example
                "keep": ["types", "typings", "typesVersions", "module"]
            }
        ],
        "@anolilab/semantic-release-pnpm",
        "@semantic-release/github"
    ]
}
```
If your package.json is not in the root directory:
```json
{
    "plugins": [
        "@semantic-release/commit-analyzer",
        "@semantic-release/release-notes-generator",
        [
            "@anolilab/semantic-release-clean-package-json",
            {
                "pkgRoot": "dist"
            }
        ],
        "@anolilab/semantic-release-pnpm",
        "@semantic-release/github"
    ]
}
```
By default, these properties are preserved in package.json:
`name`, `version`, `private`, `publishConfig`, `scripts.preinstall`, `scripts.install`, `scripts.postinstall`, `scripts.dependencies`, `files`, `bin`, `browser`, `main`, `man`, `dependencies`, `peerDependencies`, `peerDependenciesMeta`, `bundledDependencies`, `optionalDependencies`, `engines`, `os`, `cpu`, `description`, `keywords`, `author`, `contributors`, `license`, `homepage`, `repository`, `bugs`, `funding`, `type`, `exports`, `imports`, `publisher`, `displayName`, `categories`, `galleryBanner`, `preview`, `contributes`, `activationEvents`, `badges`, `markdown`, `qna`, `sponsor`, `extensionPack`, `extensionDependencies`, `extensionKind`, `icon`, `fesm2020`, `fesm2015`, `esm2020`, `es2020`, `types`, `typings`, `typesVersions`

Libraries in this ecosystem make the best effort to track Node.js’ release schedule. Here’s a post on why we think this is important.
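To preview what the publish step would strip, and to see that the install lifecycle scripts on the default list still ship to consumers, the keep logic can be modelled in a few lines. This is an added example, not the plugin's own code: `cleanManifest`, `copyPath`, the shortened `DEFAULT_KEEP` list and the sample manifest are all constructed for illustration.

```javascript
// Added illustration: a model of the documented publish step, not the plugin's code.
// DEFAULT_KEEP is a constructed subset of the default list; all names are hypothetical.
const DEFAULT_KEEP = ["name", "version", "main", "exports", "files", "dependencies",
  "license", "types", "scripts.preinstall", "scripts.install", "scripts.postinstall"];
const UNSAFE = new Set(["__proto__", "constructor", "prototype"]);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObj = (v) => v !== null && typeof v === "object";

// Copy one dotted path (e.g. "scripts.postinstall") from src to dst if it exists.
function copyPath(src, dst, path) {
  const parts = path.split(".");
  if (parts.some((p) => UNSAFE.has(p))) return false; // no prototype pollution via keep
  let from = src;
  for (const p of parts) {
    if (!isObj(from) || !has(from, p)) return false;
    from = from[p];
  }
  let to = dst;
  for (const p of parts.slice(0, -1)) {
    if (!has(to, p)) to[p] = {};
    to = to[p];
  }
  to[parts[parts.length - 1]] = JSON.parse(JSON.stringify(from));
  return true;
}

// Return the manifest that would be published plus every path that was dropped.
function cleanManifest(pkg, keep = []) {
  const cleaned = {};
  for (const path of [...DEFAULT_KEEP, ...keep]) copyPath(pkg, cleaned, path);
  const removed = [];
  for (const [key, value] of Object.entries(pkg)) {
    if (!has(cleaned, key)) removed.push(key);
    else if (isObj(value) && !Array.isArray(value)) {
      for (const sub of Object.keys(value)) {
        if (!has(cleaned[key], sub)) removed.push(`${key}.${sub}`);
      }
    }
  }
  return { cleaned, removed };
}

// Constructed sample manifest.
const samplePkg = {
  name: "example-lib", version: "1.0.0", main: "dist/index.js",
  scripts: { build: "tsc", test: "vitest run", postinstall: "node setup.js" },
  dependencies: { "left-pad": "^1.3.0" },
  devDependencies: { typescript: "^5.0.0" },
  "lint-staged": { "*.ts": "eslint" },
  "custom field": "kept on request",
};
const result = cleanManifest(samplePkg, ["custom field"]);
console.log(result.removed, result.cleaned.scripts);
```

Diffing `removed` against expectations before a release catches both fields that consumers need but that were stripped, and install scripts that survive cleaning and will run on every install.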
If you would like to help, take a look at the list of issues and check our Contributing guidelines.
Note: This project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
The anolilab semantic-release-clean-package-json is open-sourced software licensed under the MIT
FAQs
The npm package @anolilab/semantic-release-clean-package-json receives a total of 792 weekly downloads. As such, @anolilab/semantic-release-clean-package-json popularity was classified as not popular.
We found that @anolilab/semantic-release-clean-package-json demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.