Security News
Crates.io Users Targeted by Phishing Emails
The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.
By Sarah Gooding - Sep 12, 2025
@juice-js/semantic-release-npm
Advanced tools
@juice-js/semantic-release-npm
semantic-release plugin to publish a npm package with latest version from git tag and commit message
@juice-js/semantic-release-npm
Use this step with semantic-release together to publish multiple npm packages in the same repo (mono-repo).
| Step | Description |
|---|---|
verifyConditions | Verify the presence of the NPM_TOKEN environment variable, or an .npmrc file, and verify the authentication method is valid. |
getLastRelease | Read last tagged release to use the same version |
prepare | Update the package.json version and create the npm package tarball. |
addChannel | Add a release to a dist-tag. |
publish | Publish the npm package to the registry. |
Install
$ npm install @juice-js/semantic-release-npm -D
Usage
Add more steps to publish your next packages after run semantic-release for your first package in the same repo.
steps:
- uses: actions/checkout@v3
# Setup .npmrc file to publish to GitHub Packages
- uses: actions/setup-node@v3
with:
node-version: '18.x'
- run: npm ci
- run: npm run build @juice-js/dict-builder --if-present
- run: npm run build @juice-js/tenants --if-present
- run: npm test -- --watch=false --browsers=ChromeHeadless
# Use semantic-release to publish dist package to npmjs
# After this step, new tag will be created on github repo.
- run: npx semantic-release --plugins=@semantic-release/commit-analyzer,@semantic-release/release-notes-generator,@semantic-release/npm --pkgRoot=./dist/juice-js/dict-builder
# Use github tag on the last step to change dependencies version
# and publish package with the same version to npmjs
- run: npx @juice-js/semantic-release-npm --pkgRoot=./dist/juice-js/tenants --localPackages=@juice-js/dict-builder --debug
Configuration
npm registry authentication
The npm token authentication configuration is required and can be set via environment variables.
Automation tokens are recommended since they can be used for an automated workflow, even when your account is configured to use the auth-and-writes level of 2FA.
npm provenance
If you are publishing to the official registry and your pipeline is on a provider that is supported by npm for provenance, npm can be configured to publish with provenance.
Since semantic-release wraps the npm publish command, configuring provenance is not exposed directly.
Instead, provenance can be configured through the other configuration options exposed by npm.
Provenance applies specifically to publishing, so our recommendation is to configure under publishConfig within the package.json.
npm provenance on GitHub Actions
For package provenance to be signed on the GitHub Actions CI the following permission is required to be enabled on the job:
permissions:
id-token: write # to enable use of OIDC for npm provenance
It's worth noting that if you are using semantic-release to its fullest with a GitHub release, GitHub comments, and other features, then more permissions are required to be enabled on this job:
permissions:
contents: write # to be able to publish a GitHub release
issues: write # to be able to comment on released issues
pull-requests: write # to be able to comment on released pull requests
id-token: write # to enable use of OIDC for npm provenance
Refer to the GitHub Actions recipe for npm package provenance for the full CI job's YAML code example.
Environment variables
| Variable | Description |
|---|---|
NPM_TOKEN | Npm token created via npm token create |
Options
| Options | Description | Default |
|---|---|---|
npmPublish | Whether to publish the npm package to the registry. If false the package.json version will still be updated. | false if the package.json private property is true, true otherwise. |
pkgRoot | Directory path to publish. | . |
localPackages | Specify your referenced packages in the same repo to replace its version in package.json | [] |
Note: The pkgRoot directory must contain a package.json. The version will be updated only in the package.json and npm-shrinkwrap.json within the pkgRoot directory.
Note: If you use a shareable configuration that defines one of these options you can set it to false in your semantic-release configuration in order to use the default value.
npm configuration
The plugin uses the npm CLI which will read the configuration from .npmrc. See npm config for the option list.
The registry can be configured via the npm environment variable NPM_CONFIG_REGISTRY and will take precedence over the configuration in .npmrc.
Notes:
- The presence of an
.npmrcfile will override any specified environment variables. - The presence of
registryordist-tagunderpublishConfigin thepackage.jsonwill take precedence over the configuration in.npmrcandNPM_CONFIG_REGISTRY
FAQs
semantic-release plugin to publish a npm package with latest version from git tag and commit message
We found that @juice-js/semantic-release-npm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 04 Jan 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Introducing Custom Pull Request Alert Comment Headers
Socket now lets you customize pull request alert headers, helping security teams share clear guidance right in PRs to speed reviews and reduce back-and-forth.
By André Staltz - Sep 12, 2025
Product
Rust Support Now in Beta
Socket's Rust support is moving to Beta: all users can scan Cargo projects and generate SBOMs, including Cargo.toml-only crates, with Rust-aware supply chain checks.
By Mikola Lysenko, Trevor Norris - Sep 11, 2025