Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
release-please
Advanced tools
generate release PRs based on the conventionalcommits.org spec
release-please is an automated release tool for GitHub repositories. It automates the process of generating release notes, creating GitHub releases, and versioning based on conventional commits. This helps maintainers streamline their release process and ensure consistency.
Automated Release Notes
This feature allows you to automatically generate release notes based on the commits in your repository. The code sample demonstrates how to create a GitHub release with release notes.
const { GitHubRelease } = require('release-please');
const githubRelease = new GitHubRelease({
repoUrl: 'https://github.com/owner/repo',
packageName: 'my-package',
token: 'your-github-token'
});
githubRelease.createRelease();
Version Bumping
This feature automates the process of bumping the version of your package based on the commits. The code sample shows how to bump the version of your package.
const { Version } = require('release-please');
const version = new Version({
repoUrl: 'https://github.com/owner/repo',
packageName: 'my-package',
token: 'your-github-token'
});
version.bumpVersion();
Changelog Generation
This feature generates a changelog file based on the commits in your repository. The code sample demonstrates how to generate a changelog.
const { Changelog } = require('release-please');
const changelog = new Changelog({
repoUrl: 'https://github.com/owner/repo',
packageName: 'my-package',
token: 'your-github-token'
});
changelog.generateChangelog();
semantic-release automates the versioning and package publishing process based on the commit messages. It is highly configurable and integrates with various CI/CD pipelines. Compared to release-please, semantic-release offers more plugins and customization options.
standard-version is a tool for versioning and changelog generation based on conventional commits. It is simpler and more lightweight compared to release-please, making it suitable for smaller projects or those with simpler release requirements.
lerna is a tool for managing JavaScript projects with multiple packages. It can also handle versioning and changelog generation. While it offers more features for monorepos, it may be overkill for single-package repositories compared to release-please.
Release Please automates CHANGELOG generation, the creation of GitHub releases, and version bumps for your projects.
It does so by parsing your git history, looking for Conventional Commit messages, and creating release PRs.
Rather than continuously releasing what's landed to your default branch, release-please maintains Release PRs:
These Release PRs are kept up-to-date as additional work is merged. When you're ready to tag a release, simply merge the release PR.
Release Please assumes you are using Conventional Commit messages.
The most important prefixes you should have in mind are:
fix:
which represents bug fixes, and correlates to a SemVer
patch.feat:
which represents a new feature, and correlates to a SemVer minor.feat!:
, or fix!:
, refactor!:
, etc., which represent a breaking change
(indicated by the !
) and will result in a SemVer major.Release Please automates releases for the following flavors of repositories:
To add a new release type, simply use the existing releasers and updaters as a starting point.
releasers describe the files that should be updated for a release.
updaters describe how to update the version in these files.
There are a variety of ways you can deploy release-please:
The easiest way to run release please is as a GitHub action:
If you haven't already done so, create a .github/workflows
folder in your
repository (this is where your actions will live).
Now create a .github/workflows/release-please.yml
file with these contents:
on:
push:
branches:
- master
name: release-please
jobs:
release-please:
runs-on: ubuntu-latest
steps:
- uses: GoogleCloudPlatform/release-please-action@v1.3.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
release-type: node
package-name: release-please-action
Merge the above action into your repository and make sure new commits follow the Conventional Commits convention, release-please will start creating Release PRs for you.
With a few additions, the Release Please action can be made to publish to npm when a Release PR is merged:
on:
push:
branches:
- master
name: release-please
jobs:
release-please:
runs-on: ubuntu-latest
steps:
- uses: GoogleCloudPlatform/release-please-action@v1.3.0
id: release
with:
token: ${{ secrets.GITHUB_TOKEN }}
release-type: node
package-name: test-release-please
# The logic below handles the npm publication:
- uses: actions/checkout@v2
# these if statements ensure that a publication only occurs when
# a new release is created:
if: ${{ steps.release.outputs.release_created }}
- uses: actions/setup-node@v1
with:
node-version: 12
registry-url: 'https://registry.npmjs.org'
if: ${{ steps.release.outputs.release_created }}
# if you are using Yarn, substitute the command below with `yarn install --frozen-lockfile`
- run: npm ci
if: ${{ steps.release.outputs.release_created }}
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
if: ${{ steps.release.outputs.release_created }}
So that you can keep 2FA enabled for npm publications, we recommend setting
registry-url
to your own Wombat Dressing Room deployment.
Install release-please globally:
npm i release-please -g
release-please release-pr --package-name=@google-cloud/firestore" \
--repo-url=googleapis/nodejs-firestore \
--token=$GITHUB_TOKEN
option | description |
---|---|
--package-name | is the name of the package to publish to publish to an upstream registry such as npm. |
--repo-url | is the URL of the repository on GitHub. |
--token | a token with write access to --repo-url . |
--default-branch | branch to open pull release PR against (detected by default). |
--path | create a release from a path other than the repository's root |
--monorepo-tags | add prefix to tags and branches, allowing multiple libraries to be released from the same repository. |
release-please github-release --repo-url=googleapis/nodejs-firestore \
--token=$GITHUB_TOKEN
option | description |
---|---|
--package-name | is the name of the package to publish to publish to an upstream registry such as npm. |
--repo-url | is the URL of the repository on GitHub. |
--token | a token with write access to --repo-url . |
--path | create a release from a path other than the repository's root |
There is a probot application available, which allows you to deploy Release Please as a GitHub App:
Our client libraries follow the Node.js release schedule. Libraries are compatible with all current active and maintenance versions of Node.js.
Client libraries targeting some end-of-life versions of Node.js are available, and
can be installed via npm dist-tags.
The dist-tags follow the naming convention legacy-(version)
.
Legacy Node.js versions are supported as a best effort:
legacy-8
: install client libraries from this dist-tag for versions
compatible with Node.js 8.This library follows Semantic Versioning.
Contributions welcome! See the Contributing Guide.
Please note that this README.md
, the samples/README.md
,
and a variety of configuration files in this repository (including .nycrc
and tsconfig.json
)
are generated from a central template. To edit one of these files, make an edit
to its template in this
directory.
Apache Version 2.0
See LICENSE
FAQs
generate release PRs based on the conventionalcommits.org spec
The npm package release-please receives a total of 203,486 weekly downloads. As such, release-please popularity was classified as popular.
We found that release-please demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.