@salesforce/plugin-release-management


A plugin for preparing and publishing npm packages

Version: 1.4.1. Weekly downloads: 18K (-3.78%). Maintainers: 49.
plugin-release-management

Plugin designed to handle all tasks related to signing, releasing, and testing npm packages.

Releases

The following steps are automated for package releases:

Version Bump

We use standard-version to determine the next version that will be published. This means that all commits must adhere to the conventional commits specification in order for standard-version to work.

In the case that you have manually bumped the version in the package.json, then the plugin will respect that and publish that version instead of using standard-version to determine the next version.

NOTE: We consider the chore, style, docs, ci, test commit types to be "non-releasable", meaning that if all the commits are of those types then we do not publish a new version. However, if you've manually bumped the version in the package.json then the plugin will publish that version regardless of the commit types.
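The publish decision described in this section, written out as an added example (this is not the plugin's code). It assumes a manual bump is detected by comparing the package.json version with the last published version; `decideRelease`, `parseHeader` and the sample commit messages are constructed for illustration.

```javascript
// Commit types the README lists as "non-releasable".
const NON_RELEASABLE = new Set(['chore', 'style', 'docs', 'ci', 'test']);

// Conventional commit header: type, optional (scope), optional "!", then ": description".
const HEADER = /^([a-z]+)(?:\(([^)]+)\))?(!)?: (.+)$/i;

// Returns { type, scope } for a conforming message, or null when the first line does not conform.
function parseHeader(message) {
  const m = HEADER.exec(message.split('\n')[0].trim());
  return m ? { type: m[1].toLowerCase(), scope: m[2] || null } : null;
}

// Assumption: "manually bumped" means package.json differs from the last published version.
function decideRelease({ commits, publishedVersion, packageJsonVersion }) {
  const parsed = commits.map((message) => ({ message, header: parseHeader(message) }));
  // Non-conforming commits are reported so they can be fixed; they never count as releasable here.
  const nonConforming = parsed.filter((c) => !c.header).map((c) => c.message);

  if (packageJsonVersion !== publishedVersion) {
    // A manual bump is published regardless of commit types.
    return { publish: true, reason: 'manual-bump', version: packageJsonVersion, nonConforming };
  }
  const releasable = parsed.some((c) => c.header && !NON_RELEASABLE.has(c.header.type));
  return {
    publish: releasable,
    reason: releasable ? 'releasable-commit' : 'only-non-releasable',
    version: null, // left to standard-version, which derives it from the commit history
    nonConforming,
  };
}

// Constructed commit histories.
const housekeepingOnly = ['docs: update README', 'chore(deps): bump lodash', 'test: add coverage'];
const withFix = [...housekeepingOnly, 'fix: handle missing build script'];

console.log(decideRelease({ commits: housekeepingOnly, publishedVersion: '2.0.0', packageJsonVersion: '2.0.0' }));
console.log(decideRelease({ commits: withFix, publishedVersion: '2.0.0', packageJsonVersion: '2.0.0' }));
console.log(decideRelease({ commits: housekeepingOnly, publishedVersion: '2.0.0', packageJsonVersion: '2.0.1' }));
```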

Changelogs

standard-version automatically handles this for us as well. Again you must adhere to the conventional commits specification in order for the changelog generation to work.

Build

After determining the next version, the plugin builds the package using yarn build. This means that you must have a build script included in the package.json.

Signing

If you pass the --sign (-s) flag into the release command, then the plugin will sign the package and verify that the signature exists in S3.

Publishing

Once the package has been built and signed it will be published to npm. The command will not exit until the new version is found on the npm registry.

Install

sfdx plugins:install release-management@x.y.z

Issues

Please report any issues at https://github.com/forcedotcom/cli/issues

Contributing

  1. Please read our Code of Conduct
  2. Create a new issue before starting your project so that we can keep track of what you are trying to add/fix. That way, we can also offer suggestions or let you know if there is already an effort in progress.
  3. Fork this repository.
  4. Build the plugin locally
  5. Create a topic branch in your fork. Note, this step is recommended but technically not required if contributing using a fork.
  6. Edit the code in your fork.
  7. Write appropriate tests for your changes. Try to achieve at least 95% code coverage on any new code. No pull request will be accepted without unit tests.
  8. Sign CLA (see CLA below).
  9. Send us a pull request when you are done. We'll review your code, suggest any needed changes, and merge it in.

CLA

External contributors will be required to sign a Contributor's License Agreement. You can do so by going to https://cla.salesforce.com/sign-cla.

Build

To build the plugin locally, make sure to have yarn installed and run the following commands:

# Clone the repository
git clone git@github.com:salesforcecli/plugin-release-management
cd plugin-release-management

# Install the dependencies and compile
yarn install
yarn build

To use your plugin, run using the local ./bin/run or ./bin/run.cmd file.

# Run using local run file.
./bin/run npm

There should be no differences when running via the Salesforce CLI or using the local run file. However, it can be useful to link the plugin to do some additional testing or run your commands from anywhere on your machine.

# Link your plugin to the sfdx cli
sfdx plugins:link .
# To verify
sfdx plugins

Commands

sfdx circleci [-t plugin|library|orb] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

list known Circle CI slugs from 'sfdx repositories'

USAGE
  $ sfdx circleci [-t plugin|library|orb] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -t, --contains-package-type=(plugin|library|orb)                                  filter based on type of package
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

EXAMPLE
  sfdx circleci -t plugin

See code: src/commands/circleci/index.ts

sfdx circleci:envvar:update -e <string> [-s <string>] [--dryrun] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

update environment variable(s) on Circle CI slug(s)

USAGE
  $ sfdx circleci:envvar:update -e <string> [-s <string>] [--dryrun] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -e, --envvar=envvar                                                               (required) environment variable(s)
                                                                                    to set on the given circle slug(s)

  -s, --slug=slug                                                                   Circle CI slug(s) in the format
                                                                                    <vcs>/<org name>/<repo name>

  --dryrun                                                                          do validation but do not update the
                                                                                    environment variable values

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

DESCRIPTION
  Updates one or more environment variables on one or more Circle CI slugs. The environment variables must already exist
  on the slug. You will be prompted for the environment variable values unless they already exist on the process. The
  slugs can be piped in. If so, the environment variables must be on the process (prompting is disabled).

EXAMPLES
  sfdx circleci:envvar:update -e 'MY_ENV_VAR' -s 'gh/<org>/<repository>'
  echo "gh/<org>/<repository>" | sfdx circleci:envvar:update -e 'MY_ENV_VAR'
  sfdx circleci -t plugin | sfdx circleci:envvar:update -e 'MY_ENV_VAR' -e 'MY_OTHER_ENV_VAR'

See code: src/commands/circleci/envvar/update.ts

sfdx npm:dependencies:pin [-d] [-t <string>] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

lock a list of dependencies to a target tag or default to 'latest', place these entries in 'pinnedDependencies' entry in the package.json

USAGE
  $ sfdx npm:dependencies:pin [-d] [-t <string>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -d, --dryrun                                                                      If true, will not make any changes
                                                                                    to the package.json

  -t, --tag=tag                                                                     [default: latest] The name of the
                                                                                    tag you want, e.g. 'latest-rc', or
                                                                                    'latest'

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: src/commands/npm/dependencies/pin.ts

sfdx npm:lerna:release [-d] [-s <array>] [-t <string>] [-a <string>] [--install] [--githubrelease] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

publish npm packages from a lerna repository

USAGE
  $ sfdx npm:lerna:release [-d] [-s <array>] [-t <string>] [-a <string>] [--install] [--githubrelease] [--json]
  [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -a, --npmaccess=npmaccess                                                         [default: public] access level to
                                                                                    use when publishing to npm

  -d, --dryrun                                                                      if true, will not commit changes to
                                                                                    repo or push any tags

  -s, --sign=sign                                                                   list of packages to be signed

  -t, --npmtag=npmtag                                                               [default: latest] tag to use when
                                                                                    publishing to npm

  --githubrelease                                                                   create release in github based on
                                                                                    the package changes

  --[no-]install                                                                    run yarn install and build on
                                                                                    repository

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: src/commands/npm/lerna/release.ts

sfdx npm:package:release [-d] [-s] [-t <string>] [-a <string>] [--install] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

publish npm package

USAGE
  $ sfdx npm:package:release [-d] [-s] [-t <string>] [-a <string>] [--install] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -a, --npmaccess=npmaccess                                                         [default: public] access level to
                                                                                    use when publishing to npm

  -d, --dryrun                                                                      If true, will not commit changes to
                                                                                    repo or push any tags

  -s, --sign                                                                        If true, then the package will be
                                                                                    signed and the signature will be
                                                                                    uploaded to S3

  -t, --npmtag=npmtag                                                               [default: latest] tag to use when
                                                                                    publishing to npm

  --[no-]install                                                                    run yarn install and build on
                                                                                    repository

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: src/commands/npm/package/release.ts

sfdx repositories

list repositories owned and supported by Salesforce CLI

USAGE
  $ sfdx repositories

OPTIONS
  -x, --extended                                                                    show extra columns

  --columns=columns                                                                 only show provided columns
                                                                                    (comma-separated)

  --csv                                                                             output is csv format [alias:
                                                                                    --output=csv]

  --filter=filter                                                                   filter property by partial string
                                                                                    matching, ex: name=foo

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --no-header                                                                       hide table header from output

  --no-truncate                                                                     do not truncate output to fit screen

  --output=csv|json|yaml                                                            output in a more machine friendly
                                                                                    format

  --sort=sort                                                                       property to sort by (prepend '-' for
                                                                                    descending)

DESCRIPTION
  For more information on the list of repositories, visit https://github.com/salesforcecli/status.

EXAMPLES
  sfdx repositories --columns=url --filter='Name=sfdx-core' --no-header | xargs open
  sfdx repositories --json | jq -r '.result[] | select(.name=="sfdx-core") | .packages[] | .url'

See code: src/commands/repositories/index.ts

sfdx trust:fingerprint -p <string> [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

get the SHA1 fingerprint for the provided url

USAGE
  $ sfdx trust:fingerprint -p <string> [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -p, --publickeyurl=publickeyurl                                                   (required) the url where the public
                                                                                    key/certificate will be hosted.

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: src/commands/trust/fingerprint.ts

sfdx trust:sign -s <string> -p <string> -k <string> [-t <string> | --tarpath <string>] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

pack an npm package and produce a tgz file along with a corresponding digital signature

USAGE
  $ sfdx trust:sign -s <string> -p <string> -k <string> [-t <string> | --tarpath <string>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -k, --privatekeypath=privatekeypath
      (required) the local file path for the private key.

  -p, --publickeyurl=publickeyurl
      (required) the url where the public key/certificate will be hosted.

  -s, --signatureurl=signatureurl
      (required) the url location where the signature will be hosted minus the name of the actual signature file.

  -t, --target=target
      the package path you want to target for signing. Helpful for signing individual packages within a multipackage
      project (e.g. lerna). Defaults to the current working directory.

  --json
      format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)
      [default: warn] logging level for this command invocation

  --tarpath=tarpath
      specify the package tgz path to sign instead of generating one from the target package

See code: src/commands/trust/sign.ts
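The detached-signature flow behind the Signing step and trust:sign (sign the packed tgz, host the signature, refuse to publish unless it is present and verifies), as an added example that is not the plugin's code. It assumes RSA with SHA-256, which the page does not state; the in-memory `store` stands in for the S3 bucket, and the `.sig` key layout, function names and tarball bytes are constructed.

```javascript
const crypto = require('node:crypto');

const ALGORITHM = 'RSA-SHA256'; // assumption: the page does not name the plugin's algorithm

// Sign the exact bytes of the packed tarball; returns a base64 detached signature.
function signTarball(tarball, privateKeyPem) {
  return crypto.createSign(ALGORITHM).update(tarball).sign(privateKeyPem, 'base64');
}

// True only if the signature matches these bytes under this public key.
function verifyTarball(tarball, signatureB64, publicKeyPem) {
  if (typeof signatureB64 !== 'string' || signatureB64.length === 0) return false;
  try {
    return crypto.createVerify(ALGORITHM).update(tarball).verify(publicKeyPem, signatureB64, 'base64');
  } catch {
    return false; // malformed key or signature: fail closed
  }
}

// Hypothetical object key for the hosted signature: [prefix/]scope-name-version.sig
function signatureKey(name, version, keyPrefix = '') {
  const file = `${name.replace(/^@/, '').replace('/', '-')}-${version}.sig`;
  return keyPrefix ? `${keyPrefix}/${file}` : file;
}

// Release gate: the signature must exist in the store and verify against the tarball.
function checkSignedRelease({ name, version, tarball, publicKeyPem }, store, keyPrefix) {
  const signature = store.get(signatureKey(name, version, keyPrefix));
  if (signature === undefined) return 'missing-signature';
  return verifyTarball(tarball, signature, publicKeyPem) ? 'ok' : 'bad-signature';
}

// Constructed data: throwaway key pair, stand-in tarball bytes, Map in place of the bucket.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const tarball = Buffer.from('constructed stand-in for the bytes of a packed .tgz');
  const pkg = { name: '@example/my-plugin', version: '1.0.0', tarball, publicKeyPem: publicKey };
  const store = new Map();

  const beforeUpload = checkSignedRelease(pkg, store, 'signatures');
  store.set(signatureKey(pkg.name, pkg.version, 'signatures'), signTarball(tarball, privateKey));
  const afterUpload = checkSignedRelease(pkg, store, 'signatures');

  // Flip one bit of the tarball: the hosted signature no longer matches.
  const tampered = Buffer.from(tarball);
  tampered[0] ^= 0x01;
  const afterTamper = checkSignedRelease({ ...pkg, tarball: tampered }, store, 'signatures');
  return { beforeUpload, afterUpload, afterTamper };
}

console.log(demo());
```

The signature covers the tarball bytes only, so a consumer still has to obtain the public key over a channel it trusts.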

sfdx trust:upload -f <string> -b <string> [-k <string>] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

upload signature to S3. Requires AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID to be set in the environment

USAGE
  $ sfdx trust:upload -f <string> -b <string> [-k <string>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -b, --bucket=bucket                                                               (required) name of S3 bucket

  -f, --signature=signature                                                         (required) path to .sig file you
                                                                                    want to upload to S3

  -k, --keyprefix=keyprefix                                                         prefix to add to S3 key

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: src/commands/trust/upload.ts

sfdx typescript:update [-v <string>] [-t <string>] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

Runs tests with updated typescript version and ES target

USAGE
  $ sfdx typescript:update [-v <string>] [-t <string>] [--json] [--loglevel
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -t, --target=target                                                               [default: ESNext] Specify the ES
                                                                                    target you'd like to use. Defaults
                                                                                    to ESNext if not specified

  -v, --version=version                                                             Specify the typescript version you'd
                                                                                    like to update to. Defaults to
                                                                                    latest if not specified

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: src/commands/typescript/update.ts


Package last updated on 28 Jan 2021
