
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
git-semver-tagger
Advanced tools
 
An opinionated program for automatic semantic versioning via git tags and information in commits.
You can install the tool using any NPM-like system.
npm i -D git-semver-tagger # this will install it into a project as a dev dependency
npx tagger calculate-version # You can use npx to run a project's programs easily
npm i -g git-semver-tagger # this will install it globally into npm
tagger calculate-version # Now it should be available via NPM's path on your shell.
The calculate-version command will generate a new version number based on all of the commits since the last tag, and output as a string.
Basic usage:
tagger calculate-version
Output: 1.2.3-SNAPSHOT
The tag command will create a tag with the given version and push it back to the repository.
We recommend this command only is run after the build is validated. Use discernment to decide if it should happen before publication of artifacts, or afterward.
Basic usage:
tagger tag --version 1.2.3 --release-branch main
Both commands support machine-readable JSON output for CI/CD pipelines and automation scripts via the --format flag.
--format=text (default): Human-readable text output--format=json: Structured JSON outputExample command:
tagger calculate-version --format=json
Success response:
{
"status": "success",
"data": {
"version": "1.2.3-SNAPSHOT",
"snapshot": true,
"snapshotReasons": [
"DIRTY",
"AHEAD"
]
}
}
Error response:
{
"status": "error",
"error": "HEAD is detached (not pointing at any branch)",
"code": "CONFIGURATION_ERROR"
}
Fields:
status: "success" or "error"data.version: Calculated semantic version stringdata.snapshot: Boolean indicating if this is a snapshot versiondata.snapshotReasons: Array of reasons why this is a snapshot (e.g., "DIRTY", "AHEAD")error: Human-readable error message (only in error responses)code: Machine-readable error code (only in error responses)Example command:
tagger tag --version 1.2.3 --release-branch main --format=json
Success response:
{
"status": "success",
"data": {
"tag": "1.2.3"
}
}
Error response:
{
"status": "error",
"error": "Failed to create tag",
"code": "TAG_ERROR"
}
Fields:
status: "success" or "error"data.tag: The tag name that was createderror: Human-readable error message (only in error responses)code: Machine-readable error code (only in error responses)CONFIGURATION_ERROR: Invalid configuration or repository state (e.g., detached HEAD)TAG_ERROR: Failed to create or push tagExtract version in GitHub Actions:
- name: Calculate version
id: version
run: |
VERSION=$(tagger calculate-version --format=json | jq -r '.data.version')
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Use version
run: echo "Building version ${{ steps.version.outputs.version }}"
Extract version in bash:
# Get version
VERSION=$(tagger calculate-version --format=json 2>/dev/null | jq -r '.data.version')
# Check if snapshot
IS_SNAPSHOT=$(tagger calculate-version --format=json 2>/dev/null | jq -r '.data.snapshot')
if [ "$IS_SNAPSHOT" = "true" ]; then
echo "This is a snapshot build"
fi
Error handling:
OUTPUT=$(tagger calculate-version --format=json 2>&1)
STATUS=$(echo "$OUTPUT" | jq -r '.status')
if [ "$STATUS" = "error" ]; then
ERROR_MSG=$(echo "$OUTPUT" | jq -r '.error')
ERROR_CODE=$(echo "$OUTPUT" | jq -r '.code')
echo "Error ($ERROR_CODE): $ERROR_MSG"
exit 1
fi
Error: found N tag(s) (...) but it is/they are lightweight.
Cause: Tagger requires annotated tags (created with git tag -a) because they store metadata like tagger name, email, and timestamp. Lightweight tags (created with git tag <name>) don't include this information.
Solution: Recreate the tag(s) as annotated tags. The error message will provide exact commands, for example:
git tag -d 1.0.0
git tag -a 1.0.0 <sha> -m "1.0.0"
git push --force origin 1.0.0
Replace <sha> with the commit hash where the tag should point (often the same commit the lightweight tag pointed to).
Error: Command failed: git push --tags (exit code 128) or exit code 403
Common causes:
Solutions:
For Azure DevOps:
<Project Name> Build Service)Contribute and Create tag permissions- checkout: self
persistCredentials: true
For GitHub Actions:
jobs:
build:
permissions:
contents: write # Required for pushing tags
GITHUB_TOKENFor GitLab CI:
variables:
GIT_STRATEGY: clone
before_script:
- git config --global user.email "ci@example.com"
- git config --global user.name "CI Bot"
Error: repository has no tags.
Cause: This is a new repository or no tags have been created yet.
Solution: Create an initial tag manually to establish the version baseline:
git tag -a 0.1.0 -m "Initial version"
git push origin 0.1.0
After this, tagger can calculate subsequent versions automatically.
For a full listing of the available options in the program, please use the built-in help command.
tagger --help
FAQs
 
The npm package git-semver-tagger receives a total of 262 weekly downloads. As such, git-semver-tagger popularity was classified as not popular.
We found that git-semver-tagger demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.