semantic-release - npm Package Compare versions

Comparing version 22.0.6 to 22.0.7

lib/get-config.js

@@ -1,4 +0,3 @@
-import { dirname, resolve } from "node:path";
+import { dirname, extname } from "node:path";
 import { fileURLToPath } from "node:url";
-import { createRequire } from "node:module";
 
@@ -17,3 +16,2 @@ import { castArray, isNil, isPlainObject, isString, pickBy } from "lodash-es";
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const require = createRequire(import.meta.url);
 
@@ -39,4 +37,14 @@ const CONFIG_NAME = "release";
         const result = await eventualResult;
-        const extendsOptions = require(resolveFrom.silent(__dirname, extendPath) || resolveFrom(cwd, extendPath));
+        const resolvedPath = resolveFrom.silent(__dirname, extendPath) || resolveFrom(cwd, extendPath);
+        const importAssertions =
+          extname(resolvedPath) === ".json"
+            ? {
+                assert: {
+                  type: "json",
+                },
+              }
+            : undefined;
 
+        const { default: extendsOptions } = await import(resolvedPath, importAssertions);
+
         // For each plugin defined in a shareable config, save in `pluginsPath` the extendable config path,
@@ -43,0 +51,0 @@ // so those plugin will be loaded relative to the config file

package.json

 {
   "name": "semantic-release",
   "description": "Automated semver compliant package publishing",
-  "version": "22.0.6",
+  "version": "22.0.7",
   "type": "module",
@@ -52,3 +52,3 @@ "author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
     "p-reduce": "^3.0.0",
-    "read-pkg-up": "^10.0.0",
+    "read-pkg-up": "^11.0.0",
     "resolve-from": "^5.0.0",
@@ -74,3 +74,3 @@ "semver": "^7.3.2",
     "mockserver-client": "5.15.0",
-    "nock": "13.3.7",
+    "nock": "13.3.8",
     "npm-run-all2": "6.1.1",
@@ -80,3 +80,3 @@ "p-retry": "6.1.0",
     "publint": "0.2.5",
-    "sinon": "17.0.0",
+    "sinon": "17.0.1",
     "stream-buffers": "3.0.2",
@@ -83,0 +83,0 @@ "tempy": "3.1.0",

Fixed alerts

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

283907

0.07%

Lines of code

2628

0.27%

Number of low supply chain risk alerts

4

-20%

Dependency changes

• - Removed

  find-up@6.3.0
  (transitive)

• - Removed

  json-parse-even-better-errors@3.0.2
  (transitive)

• - Removed

  lines-and-columns@2.0.4
  (transitive)

• - Removed

  locate-path@7.2.0
  (transitive)

• - Removed

  p-limit@4.0.0
  (transitive)

• - Removed

  p-locate@6.0.0
  (transitive)

• - Removed

  parse-json@7.1.1
  (transitive)

• - Removed

  path-exists@5.0.0
  (transitive)

• - Removed

  read-pkg@8.1.0
  (transitive)

• - Removed

  read-pkg-up@10.1.0
  (transitive)

• - Removed

  type-fest@3.13.1
  (transitive)

• - Removed

  yocto-queue@1.2.1
  (transitive)

• Updated

  read-pkg-up@^11.0.0