release-please
Advanced tools
release-please is an automated release tool for GitHub repositories. It automates the process of generating release notes, creating GitHub releases, and versioning based on conventional commits. This helps maintainers streamline their release process and ensure consistency.
Automated Release Notes
This feature allows you to automatically generate release notes based on the commits in your repository. The code sample demonstrates how to create a GitHub release with release notes.
```javascript
const { GitHubRelease } = require('release-please');
const githubRelease = new GitHubRelease({
  repoUrl: 'https://github.com/owner/repo',
  packageName: 'my-package',
  token: 'your-github-token'
});
githubRelease.createRelease();
```
Version Bumping
This feature automates the process of bumping the version of your package based on the commits. The code sample shows how to bump the version of your package.
```javascript
const { Version } = require('release-please');
const version = new Version({
  repoUrl: 'https://github.com/owner/repo',
  packageName: 'my-package',
  token: 'your-github-token'
});
version.bumpVersion();
```
Changelog Generation
This feature generates a changelog file based on the commits in your repository. The code sample demonstrates how to generate a changelog.
```javascript
const { Changelog } = require('release-please');
const changelog = new Changelog({
  repoUrl: 'https://github.com/owner/repo',
  packageName: 'my-package',
  token: 'your-github-token'
});
changelog.generateChangelog();
```
semantic-release automates the versioning and package publishing process based on the commit messages. It is highly configurable and integrates with various CI/CD pipelines. Compared to release-please, semantic-release offers more plugins and customization options.
standard-version is a tool for versioning and changelog generation based on conventional commits. It is simpler and more lightweight compared to release-please, making it suitable for smaller projects or those with simpler release requirements.
lerna is a tool for managing JavaScript projects with multiple packages. It can also handle versioning and changelog generation. While it offers more features for monorepos, it may be overkill for single-package repositories compared to release-please.
Release Please automates CHANGELOG generation, the creation of GitHub releases, and version bumps for your projects.
It does so by parsing your git history, looking for Conventional Commit messages, and creating release PRs.
Rather than continuously releasing what's landed to your default branch, release-please maintains Release PRs.
These Release PRs are kept up-to-date as additional work is merged. When you're ready to tag a release, simply merge the release PR. Both squash-merge and merge commits work with Release PRs.
When the Release PR is merged, release-please updates your changelog file (for example `CHANGELOG.md`), along with other language specific files (for example `package.json`), and tags the release in GitHub.
You can tell where the Release PR is in its lifecycle by the status label on the PR itself:
- `autorelease: pending` is the initial state of the Release PR before it is merged
- `autorelease: tagged` means that the Release PR has been merged and the release has been tagged in GitHub
- `autorelease: snapshot` is a special state for snapshot version bumps
- `autorelease: published` means that a GitHub release has been published based on the Release PR (release-please does not automatically add this tag, but we recommend it as a convention for publication tooling)
Release Please assumes you are using Conventional Commit messages.
The most important prefixes you should have in mind are:
- `fix:` which represents bug fixes, and correlates to a SemVer patch.
- `feat:` which represents a new feature, and correlates to a SemVer minor.
- `feat!:`, or `fix!:`, `refactor!:`, etc., which represent a breaking change (indicated by the `!`) and will result in a SemVer major.
Release Please allows you to represent multiple changes in a single commit, using footers:
```
feat: adds v4 UUID to crypto

This adds support for v4 UUIDs to the library.

fix(utils): unicode no longer throws exception
PiperOrigin-RevId: 345559154
BREAKING-CHANGE: encode method no longer throws.
Source-Link: googleapis/googleapis@5e0dcb2

feat(utils): update encode to support unicode
PiperOrigin-RevId: 345559182
Source-Link: googleapis/googleapis@e5eef86
```
The above commit message will contain three entries: the feature `feat: adds v4 UUID to crypto`, the fix `fix(utils): unicode no longer throws exception` together with its breaking change (`encode` method no longer throws), and the feature `feat(utils): update encode to support unicode`.
Important: The additional messages must be added to the bottom of the commit.
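To make the footer rules above concrete, here is an added example (not release-please's own code) that splits the README's multi-message commit into its individual Conventional Commit entries, attaches the `BREAKING-CHANGE` footer to the message it follows, and derives the SemVer bump and releasable-unit decision from the prefixes; the header grammar and the "breaking change counts as releasable" rule are assumptions of this example.

```javascript
// Added example (not release-please's own code): parse a commit body carrying
// several Conventional Commit messages via footers and derive the SemVer bump.
const HEADER = /^(?<type>[a-z]+)(?:\((?<scope>[^)]*)\))?(?<bang>!)?: (?<desc>.+)$/;
const BREAKING_FOOTER = /^BREAKING[ -]CHANGE:/i;
const RELEASABLE = new Set(['feat', 'fix', 'deps']); // prefixes named in the README
// The README's multi-message commit, embedded here as the sample input.
const SAMPLE_COMMIT = [
  'feat: adds v4 UUID to crypto',
  '',
  'This adds support for v4 UUIDs to the library.',
  '',
  'fix(utils): unicode no longer throws exception',
  'PiperOrigin-RevId: 345559154',
  'BREAKING-CHANGE: encode method no longer throws.',
  'Source-Link: googleapis/googleapis@5e0dcb2',
  '',
  'feat(utils): update encode to support unicode',
  'PiperOrigin-RevId: 345559182',
  'Source-Link: googleapis/googleapis@e5eef86',
].join('\n');
// One record per header line; a BREAKING-CHANGE footer attaches to the header before it.
function parseCommit(body) {
  const messages = [];
  let current = null;
  for (const raw of body.split('\n')) {
    const line = raw.trim();
    const h = HEADER.exec(line);
    if (h) {
      current = { type: h.groups.type, scope: h.groups.scope || null,
        description: h.groups.desc, breaking: h.groups.bang === '!' };
      messages.push(current);
    } else if (current && BREAKING_FOOTER.test(line)) {
      current.breaking = true;
    }
  }
  return messages;
}
// Breaking change -> major, feat -> minor, fix -> patch, anything else -> null.
function semverBump(messages) {
  if (messages.some(m => m.breaking)) return 'major';
  if (messages.some(m => m.type === 'feat')) return 'minor';
  if (messages.some(m => m.type === 'fix')) return 'patch';
  return null;
}
// Releasable unit: a releasable prefix (assumption: any breaking change counts too).
function isReleasable(messages) {
  return messages.some(m => RELEASABLE.has(m.type) || m.breaking);
}
```

Running `semverBump(parseCommit(SAMPLE_COMMIT))` yields `major`, because the `BREAKING-CHANGE` footer under the `fix(utils)` message outranks the two `feat` entries.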
When a commit to the main branch has `Release-As: x.x.x` (case insensitive) in the commit body, Release Please will open a new pull request for the specified version.
Empty commit example:
```shell
git commit --allow-empty -m "chore: release 2.0.0" -m "Release-As: 2.0.0"
```
results in the following commit message:
```
chore: release 2.0.0

Release-As: 2.0.0
```
If you have merged a pull request and would like to amend the commit message used to generate the release notes for that commit, you can edit the body of the merged pull request and add a section like:
```
BEGIN_COMMIT_OVERRIDE
feat: add ability to override merged commit message
fix: another message
chore: a third message
END_COMMIT_OVERRIDE
```
The next time Release Please runs, it will use that override section as the commit message instead of the merged commit message.
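The two body conventions just described, `Release-As:` and the `BEGIN_COMMIT_OVERRIDE` section, as an added example (not release-please's own code): it picks the version named by a Release-As footer, swaps in the override section of a PR body when one is present, and shows how an explicit Release-As takes precedence over the bump derived from prefixes. The sample commit and PR body are constructed here from the README's examples.

```javascript
// Added example (not release-please's own code): the two commit-body conventions
// from the README, "Release-As: x.x.x" in a commit body and a
// BEGIN_COMMIT_OVERRIDE / END_COMMIT_OVERRIDE section in a merged PR body.
const RELEASE_AS = /^release-as:\s*(\d+\.\d+\.\d+)\s*$/im; // case insensitive, any line

// Version named by a Release-As footer, or null when the commit has none.
function releaseAsVersion(commitBody) {
  const m = RELEASE_AS.exec(commitBody);
  return m ? m[1] : null;
}

// Message to use for release notes: the override section from the PR body when
// present and non-empty, otherwise the merged commit's own message.
function effectiveCommitMessage(prBody, mergedMessage) {
  const begin = 'BEGIN_COMMIT_OVERRIDE', end = 'END_COMMIT_OVERRIDE';
  const start = prBody.indexOf(begin);
  if (start === -1) return mergedMessage;
  const stop = prBody.indexOf(end, start + begin.length);
  if (stop === -1) return mergedMessage;
  const override = prBody.slice(start + begin.length, stop).trim();
  return override.length > 0 ? override : mergedMessage;
}

// Next version: an explicit Release-As wins over the bump derived from prefixes
// (bump is 'major', 'minor', 'patch' or null, as in the README's prefix list).
function nextVersion(current, bump, releaseAs) {
  if (releaseAs) return releaseAs;
  if (!bump) return current;
  let [major, minor, patch] = current.split('.').map(Number);
  if (bump === 'major') { major += 1; minor = 0; patch = 0; }
  else if (bump === 'minor') { minor += 1; patch = 0; }
  else patch += 1;
  return `${major}.${minor}.${patch}`;
}

// Constructed sample inputs mirroring the README: the empty "chore: release 2.0.0"
// commit (two git -m flags put a blank line between them) and an overriding PR body.
const RELEASE_COMMIT = 'chore: release 2.0.0\n\nRelease-As: 2.0.0';
const PR_BODY = [
  'Some description of the pull request.',
  'BEGIN_COMMIT_OVERRIDE',
  'feat: add ability to override merged commit message',
  'fix: another message',
  'chore: a third message',
  'END_COMMIT_OVERRIDE',
].join('\n');
```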
Release Please creates a release pull request after it notices the default branch contains "releasable units" since the last release. A releasable unit is a commit to the branch with one of the following prefixes: "feat", "fix", and "deps". (A "chore" or "build" commit is not a releasable unit.)
Some languages have their specific releasable unit configuration. For example, "docs" is a prefix for releasable units in Java and Python.
If you think Release Please failed to create a release PR after a pull request with a releasable unit has been merged, please re-run release-please. If you are using the GitHub application, add the `release-please:force-run` label to the merged pull request. If you are using the action, look for the failed invocation and retry the workflow run. Release Please will process the pull request immediately to find releasable units.
Release Please automates releases for the following flavors of repositories:
There are a variety of ways you can deploy release-please:
- The easiest way to run Release Please is as a GitHub action. Please see google-github-actions/release-please-action for installation and configuration instructions.
- To run it as a CLI, please see Running release-please CLI for all the configuration options.
- There is a probot application available, which allows you to deploy Release Please as a GitHub App. Please see github.com/googleapis/repo-automation-bots for installation and configuration instructions.
Release Please looks at commits since your last release tag. It may or may not be able to find your previous releases. The easiest way to on-board your repository is to bootstrap a manifest config.
Release Please provides several configuration options to allow customizing your release process. Please see customizing.md for more details.
Release Please also supports releasing multiple artifacts from the same repository. See more at manifest-releaser.md.
Our client libraries follow the Node.js release schedule. Libraries are compatible with all current active and maintenance versions of Node.js.
Client libraries targeting some end-of-life versions of Node.js are available, and can be installed via npm dist-tags. The dist-tags follow the naming convention `legacy-(version)`.
Legacy Node.js versions are supported as a best effort:
- `legacy-8`: install client libraries from this dist-tag for versions compatible with Node.js 8.
This library follows Semantic Versioning.
Contributions welcome! See the Contributing Guide.
For more information on the design of the library, see design.
Apache Version 2.0
See LICENSE
generate release PRs based on the conventionalcommits.org spec