
@continous-auth/semantic-release-npm
semantic-release plugin to publish a npm package
semantic-release plugin to publish a npm package using CFA for 2FA codes.
| Step | Description |
|---|---|
| `verifyConditions` | Verify the presence of the `NPM_TOKEN` environment variable, create or update the `.npmrc` file with the token and verify the token is valid. |
| `prepare` | Update the `package.json` version and create the npm package tarball. |
| `publish` | Publish the npm package to the registry. |
```bash
$ npm install @continous-auth/semantic-release-npm -D
```
The plugin can be configured in the semantic-release configuration file:
```json
{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    "@continous-auth/semantic-release-npm"
  ]
}
```
The npm authentication configuration is required and can be set via environment variables.
Both token and legacy (username, password and email) authentication are supported. Token authentication is recommended. Legacy authentication is supported because the alternative npm registries Artifactory and npm-registry-couchapp only support that form of authentication.
Note: Only the `auth-only` level of npm two-factor authentication is supported; semantic-release will not work with the default `auth-and-writes` level.
| Variable | Description |
|---|---|
| `NPM_TOKEN` | Npm token created via `npm token create` |
| `NPM_USERNAME` | Npm username created via `npm adduser` or on npmjs.com |
| `NPM_PASSWORD` | Password of the npm user. |
| `NPM_EMAIL` | Email address associated with the npm user |
| `CFA_HOST` | Host for CFA |
| `CFA_SECRET` | Secret configured on CFA for this repository |
Use either `NPM_TOKEN` for token authentication or `NPM_USERNAME`, `NPM_PASSWORD` and `NPM_EMAIL` for legacy authentication.
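A pre-release check for the rule above, written as an added example and not taken from the plugin's code: it classifies the environment as token or legacy auth and reports partial or redundant credential sets by variable name only. The function name `checkNpmAuthEnv`, its return shape, and the treatment of `CFA_HOST`/`CFA_SECRET` as a pair are assumptions.

```javascript
// Added example, not the plugin's code. Variable names are from the table above;
// checkNpmAuthEnv and its return shape are hypothetical.
const LEGACY_VARS = ["NPM_USERNAME", "NPM_PASSWORD", "NPM_EMAIL"];
const CFA_VARS = ["CFA_HOST", "CFA_SECRET"];

function checkNpmAuthEnv(env) {
  const isSet = (name) => typeof env[name] === "string" && env[name].trim() !== "";
  const legacySet = LEGACY_VARS.filter(isSet);
  const problems = []; // messages name variables only, never their values
  let mode = null;

  if (isSet("NPM_TOKEN")) {
    mode = "token";
    if (legacySet.length > 0) {
      // Hygiene check added here: unused credentials should not sit in the job environment.
      problems.push(`token auth in use, remove unused: ${legacySet.join(", ")}`);
    }
  } else if (legacySet.length === LEGACY_VARS.length) {
    mode = "legacy";
  } else if (legacySet.length > 0) {
    const missing = LEGACY_VARS.filter((name) => !isSet(name));
    problems.push(`incomplete legacy auth, missing: ${missing.join(", ")}`);
  } else {
    problems.push("no npm credentials: set NPM_TOKEN or all three legacy variables");
  }

  // Assumption: CFA_HOST and CFA_SECRET are only useful as a pair.
  const cfaSet = CFA_VARS.filter(isSet);
  if (cfaSet.length === 1) {
    problems.push(`CFA half-configured, only ${cfaSet[0]} is set`);
  }
  return { mode, problems };
}

// Constructed sample environments (placeholder values, not real credentials).
const samples = {
  tokenOnly: { NPM_TOKEN: "npm_EXAMPLE", CFA_HOST: "cfa.example", CFA_SECRET: "example" },
  partialLegacy: { NPM_USERNAME: "ci-bot", NPM_EMAIL: "ci@example.com" },
  mixed: { NPM_TOKEN: "npm_EXAMPLE", NPM_PASSWORD: "example", CFA_HOST: "cfa.example" },
};
for (const [name, env] of Object.entries(samples)) {
  console.log(name, checkNpmAuthEnv(env));
}
```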
| Options | Description | Default |
|---|---|---|
| `npmPublish` | Whether to publish the npm package to the registry. If `false` the `package.json` version will still be updated. | `false` if the `package.json` private property is `true`, `true` otherwise. |
| `pkgRoot` | Directory path to publish. | `.` |
| `tarballDir` | Directory path in which to write the package tarball. If `false` the tarball is not kept on the file system. | `false` |

Note: The `pkgRoot` directory must contain a `package.json`. The version will be updated only in the `package.json` and `npm-shrinkwrap.json` within the `pkgRoot` directory.
Note: If you use a shareable configuration that defines one of these options you can set it to false in your semantic-release configuration in order to use the default value.
The plugin uses the npm CLI which will read the configuration from .npmrc. See npm config for the option list.
The registry and dist-tag can be configured in the package.json and will take precedence over the configuration in .npmrc:
```json
{
  "publishConfig": {
    "registry": "https://registry.npmjs.org/",
    "tag": "latest"
  }
}
```
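To see which registry and dist-tag a release would actually target, the precedence described above can be resolved before publishing. This is an added example, not the plugin's implementation: `parseNpmrc` and `resolvePublishPlan` are hypothetical names, the internal registry URL is constructed, and only the two sources the page names (`publishConfig` and flat `.npmrc` keys) are considered, with npm's defaults as the fallback.

```javascript
// Added example, not the plugin's code. Function names are hypothetical.
// Parses flat key=value lines of an .npmrc, skipping "#" and ";" comments.
function parseNpmrc(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

function resolvePublishPlan(pkg, npmrcText, options = {}) {
  const npmrc = parseNpmrc(npmrcText);
  const publishConfig = pkg.publishConfig || {};
  // package.json publishConfig takes precedence over .npmrc, then npm's default.
  const pick = (key, fallback) => {
    if (publishConfig[key]) return { value: publishConfig[key], source: "package.json publishConfig" };
    if (npmrc[key]) return { value: npmrc[key], source: ".npmrc" };
    return { value: fallback, source: "npm default" };
  };
  // npmPublish default from the options table: false when package.json has private: true.
  const npmPublish = options.npmPublish === undefined ? pkg.private !== true : options.npmPublish;
  return {
    npmPublish,
    registry: pick("registry", "https://registry.npmjs.org/"),
    tag: pick("tag", "latest"),
  };
}

// Constructed sample inputs: the internal registry URL is a placeholder.
const samplePkg = {
  name: "@example/widget",
  publishConfig: { registry: "https://npm.internal.example/" },
};
const sampleNpmrc = [
  "; constructed .npmrc",
  "registry=https://registry.npmjs.org/",
  "tag=next",
  "//registry.npmjs.org/:_authToken=${NPM_TOKEN}",
].join("\n");

console.log(resolvePublishPlan(samplePkg, sampleNpmrc));
console.log(resolvePublishPlan({ name: "internal-tool", private: true }, ""));
```

A release job can print this plan and stop when `registry.value` is not the registry the package is meant for.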
The `npmPublish` and `tarballDir` options can be used to skip publishing to the npm registry and instead release the package tarball with another plugin. For example with the @semantic-release/github plugin:
```json
{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    ["@continous-auth/semantic-release-npm", {
      "npmPublish": false,
      "tarballDir": "dist"
    }],
    ["@semantic-release/github", {
      "assets": "dist/*.tgz"
    }]
  ]
}
```
When publishing from a sub-directory with the pkgRoot option, the package.json and npm-shrinkwrap.json updated with the new version can be moved to another directory with a postpublish npm script. For example with the @semantic-release/git plugin:
```json
{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    ["@continous-auth/semantic-release-npm", {
      "pkgRoot": "dist"
    }],
    ["@semantic-release/git", {
      "assets": ["package.json", "npm-shrinkwrap.json"]
    }]
  ]
}
```

```json
{
  "scripts": {
    "postpublish": "cp -r dist/package.json . && cp -r dist/npm-shrinkwrap.json ."
  }
}
```
FAQs
We found that @continous-auth/semantic-release-npm demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.