
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
git-semver-tagger
Advanced tools
 
An opinionated program for automatic semantic versioning via git tags and information in commits.
You can install the tool using any NPM-like system.
npm i -D git-semver-tagger # this will install it into a project as a dev dependency
npx tagger calculate-version # You can use npx to run a project's programs easily
npm i -g git-semver-tagger # this will install it globally into npm
tagger calculate-version # Now it should be available via NPM's path on your shell.
The calculate-version command will generate a new version number based on all of the commits since the last tag, and output as a string.
Basic usage:
tagger calculate-version
Output: 1.2.3-SNAPSHOT
The tag command will create a tag with the given version and push it back to the repository.
We recommend this command only is run after the build is validated. Use discernment to decide if it should happen before publication of artifacts, or afterward.
Basic usage:
tagger tag --version 1.2.3 --release-branch main
For complete option documentation and automation guidance, run tagger calculate-version --help or tagger tag --help.
Tagger supports a .tagger JSON configuration file at your repository root to eliminate repetitive command-line options.
Generate a template with default values:
tagger generate-settings-file --file
This creates .tagger in the current directory. Edit it to customize behavior.
(--file='' is also supported for backward compatibility.)
Print to stdout without creating file:
tagger generate-settings-file
Merge new defaults into existing file:
tagger generate-settings-file --file --merge
The .tagger file supports these fields:
{
"releaseBranch": "main",
"implicitPatch": true,
"disableDetached": true,
"allowDetachedHead": false,
"forceSnapshot": false,
"majorRegex": "\\[major\\]",
"minorRegex": "\\[minor\\]|\\[feature\\]",
"patchRegex": "\\[patch\\]|\\[fix\\]|\\[bug\\]",
"noneRegex": "\\[none\\]",
"versionRegex": null,
"userName": null,
"userEmail": null,
"warningsAsErrors": false
}
Field descriptions:
releaseBranch: Branch name for release versions (other branches get -SNAPSHOT)implicitPatch: Auto-bump patch version when no version-tagged commits exist (default: true)allowDetachedHead: Allow version calculation in detached HEAD state (default: false)forceSnapshot: Always add -SNAPSHOT suffix regardless of conditions (default: false)majorRegex: Pattern to detect major version bumps in commit messagesminorRegex: Pattern to detect minor version bumpspatchRegex: Pattern to detect patch version bumpsnoneRegex: Pattern to detect commits that don't affect versionversionRegex: Unified regex with named groups (major, minor, patch, none). Overrides individual regex patterns if set.userName: Git user name for creating tags (defaults to git config)userEmail: Git user email for creating tags (defaults to git config)warningsAsErrors: Treat warnings as errors (exit non-zero) (default: false)Note: Command-line options always override .tagger file settings.
Minimal config for standard workflow:
{
"releaseBranch": "main"
}
Then use simplified commands:
tagger calculate-version # no --release-branch needed
tagger tag --version 1.2.3 # no --release-branch needed
Custom regex patterns for your commit convention:
{
"releaseBranch": "production",
"majorRegex": "\\bBREAKING[: ]",
"minorRegex": "\\bfeat[:(]",
"patchRegex": "\\bfix[:(]"
}
Both commands support machine-readable JSON output for CI/CD pipelines and automation scripts via the --format flag.
--format=text (default): Human-readable text output--format=json: Structured JSON outputExample command:
tagger calculate-version --format=json
Success response:
{
"status": "success",
"data": {
"version": "1.2.3-SNAPSHOT",
"snapshot": true,
"snapshotReasons": [
"DIRTY",
"AHEAD"
]
}
}
Error response:
{
"status": "error",
"error": "HEAD is detached (not pointing at any branch)",
"code": "CONFIGURATION_ERROR"
}
Example command:
tagger tag --version 1.2.3 --release-branch main --format=json
Success response:
{
"status": "success",
"data": {
"tag": "1.2.3"
}
}
Error response:
{
"status": "error",
"error": "Failed to create tag",
"code": "TAG_ERROR"
}
Extract version in GitHub Actions:
- name: Calculate version
id: version
run: |
VERSION=$(tagger calculate-version --format=json | jq -r '.data.version')
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Use version
run: echo "Building version ${{ steps.version.outputs.version }}"
Extract version in bash:
# Get version
VERSION=$(tagger calculate-version --format=json 2>/dev/null | jq -r '.data.version')
# Check if snapshot
IS_SNAPSHOT=$(tagger calculate-version --format=json 2>/dev/null | jq -r '.data.snapshot')
if [ "$IS_SNAPSHOT" = "true" ]; then
echo "This is a snapshot build"
fi
Error handling:
OUTPUT=$(tagger calculate-version --format=json 2>&1)
STATUS=$(echo "$OUTPUT" | jq -r '.status')
if [ "$STATUS" = "error" ]; then
ERROR_MSG=$(echo "$OUTPUT" | jq -r '.error')
ERROR_CODE=$(echo "$OUTPUT" | jq -r '.code')
echo "Error ($ERROR_CODE): $ERROR_MSG"
exit 1
fi
Error: found N tag(s) (...) but it is/they are lightweight.
Cause: Tagger requires annotated tags (created with git tag -a) because they store metadata like tagger name, email, and timestamp. Lightweight tags (created with git tag <name>) don't include this information.
Solution: Recreate the tag(s) as annotated tags. The error message will provide exact commands, for example:
git tag -d 1.0.0
git tag -a 1.0.0 <sha> -m "1.0.0"
git push --force origin 1.0.0
Replace <sha> with the commit hash where the tag should point (often the same commit the lightweight tag pointed to).
Error: Command failed: git push --tags (exit code 128) or exit code 403
Common causes:
Solutions:
For Azure DevOps:
<Project Name> Build Service)Contribute and Create tag permissions- checkout: self
persistCredentials: true
For GitHub Actions:
jobs:
build:
permissions:
contents: write # Required for pushing tags
GITHUB_TOKENFor GitLab CI:
variables:
GIT_STRATEGY: clone
before_script:
- git config --global user.email "ci@example.com"
- git config --global user.name "CI Bot"
Error: repository has no tags.
Cause: This is a new repository or no tags have been created yet.
Solution: Create an initial tag manually to establish the version baseline:
git tag -a 0.1.0 -m "Initial version"
git push origin 0.1.0
After this, tagger can calculate subsequent versions automatically.
For detailed option documentation, snapshot reason explanations, and structured output field definitions, use the built-in help:
tagger --help
tagger calculate-version --help
tagger tag --help
FAQs
 
The npm package git-semver-tagger receives a total of 262 weekly downloads. As such, git-semver-tagger popularity was classified as not popular.
We found that git-semver-tagger demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.