Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@colbyfayock/semantic-release-pnpm
Advanced tools
pnpm semantic-release plugin to publish a npm package
semantic-release plugin to publish a npm package with pnpm.
Step | Description |
---|---|
verifyConditions | Verify the presence of the NPM_TOKEN environment variable, or an .npmrc file, and verify the authentication method is valid. |
prepare | Update the package.json version and create the npm package tarball. |
addChannel | Add a release to a dist-tag. |
publish | Publish the npm package to the registry. |
$ npm install semantic-release-pnpm -D
The plugin can be configured in the semantic-release configuration file:
{
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
"semantic-release-pnpm",
]
}
The npm authentication configuration is required and can be set via environment variables.
Both the token and the legacy (username
, password
and email
) authentication are supported. It is recommended to use the token authentication. The legacy authentication is supported as the alternative npm registries Artifactory and npm-registry-couchapp only supports that form of authentication.
Notes:
auth-only
level of npm two-factor authentication is supported, semantic-release will not work with the default auth-and-writes
level..npmrc
file will override any specified environment variables.Variable | Description |
---|---|
NPM_TOKEN | Npm token created via npm token create |
NPM_USERNAME | Npm username created via npm adduser or on npmjs.com |
NPM_PASSWORD | Password of the npm user. |
NPM_EMAIL | Email address associated with the npm user |
NPM_CONFIG_USERCONFIG | Path to non-default .npmrc file |
Use either NPM_TOKEN
for token authentication or NPM_USERNAME
, NPM_PASSWORD
and NPM_EMAIL
for legacy authentication
Options | Description | Default |
---|---|---|
npmPublish | Whether to publish the npm package to the registry. If false the package.json version will still be updated. | false if the package.json private property is true , true otherwise. |
pkgRoot | Directory path to publish. | . |
tarballDir | Directory path in which to write the package tarball. If false the tarball is not be kept on the file system. | false |
Note: The pkgRoot
directory must contain a package.json
. The version will be updated only in the package.json
and npm-shrinkwrap.json
within the pkgRoot
directory.
Note: If you use a shareable configuration that defines one of these options you can set it to false
in your semantic-release configuration in order to use the default value.
The plugin uses the pnpm
CLI which will read the configuration from .npmrc
. See npm config
for the option list.
The registry
can be configured via the npm environment variable NPM_CONFIG_REGISTRY
and will take precedence over the configuration in .npmrc
.
The registry
and dist-tag
can be configured in the package.json
and will take precedence over the configuration in .npmrc
and NPM_CONFIG_REGISTRY
:
{
"publishConfig": {
"registry": "https://registry.npmjs.org/",
"tag": "latest"
}
}
The npmPublish
and tarballDir
option can be used to skip the publishing to the npm
registry and instead, release the package tarball with another plugin. For example with the @semantic-release/github plugin:
{
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
["semantic-release-pnpm", {
"npmPublish": false,
"tarballDir": "dist",
}],
["@semantic-release/github", {
"assets": "dist/*.tgz"
}]
]
}
When publishing from a sub-directory with the pkgRoot
option, the package.json
and npm-shrinkwrap.json
updated with the new version can be moved to another directory with a postversion
. For example with the @semantic-release/git plugin:
{
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
["semantic-release-pnpm", {
"pkgRoot": "dist",
}],
["@semantic-release/git", {
"assets": ["package.json", "npm-shrinkwrap.json"]
}]
]
}
{
"scripts": {
"postversion": "cp -r package.json .. && cp -r npm-shrinkwrap.json .."
}
}
FAQs
pnpm semantic-release plugin to publish a npm package
The npm package @colbyfayock/semantic-release-pnpm receives a total of 426 weekly downloads. As such, @colbyfayock/semantic-release-pnpm popularity was classified as not popular.
We found that @colbyfayock/semantic-release-pnpm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.