semantic-release - npm Package Compare versions

Comparing version 25.0.2 to 25.0.3

docs/recipes/ci-configurations/github-actions.md

@@ -24,2 +24,23 @@ # Using semantic-release with [GitHub Actions](https://help.github.com/en/categories/automating-your-workflow-with-github-actions)
 
+## Important: Avoid `registry-url` in `setup-node`
+
+**Do not** set the `registry-url` option in the `actions/setup-node` step when using semantic-release for npm publishing. The `registry-url` option causes `setup-node` to create an `.npmrc` file that can conflict with semantic-release's npm authentication mechanism, leading to `EINVALIDNPMTOKEN` errors even when your token is valid.
+
+```yaml
+# ❌ Don't do this - can cause conflicts with semantic-release
+- name: Setup Node.js
+  uses: actions/setup-node@v4
+  with:
+    node-version: "lts/*"
+    registry-url: "https://registry.npmjs.org"
+
+# ✅ Do this instead - let semantic-release handle npm authentication
+- name: Setup Node.js
+  uses: actions/setup-node@v4
+  with:
+    node-version: "lts/*"
+```
+
+If you need to specify a custom registry, configure it in your project's `.npmrc` file instead. This ensures consistent behavior between local development and CI environments, and avoids conflicts with semantic-release.
+
 ## Node project configuration
@@ -26,0 +47,0 @@

lib/branches/normalize.js

 import { isNil, sortBy } from "lodash-es";
-import semverDiff from "semver-diff";
 import { FIRST_RELEASE, RELEASE_TYPE } from "../definitions/constants.js";
@@ -10,2 +9,3 @@ import {
   getUpperBound,
+  getVersionDiff,
   highest,
@@ -46,3 +46,3 @@ isMajorRange,
     const max = lowest(base, getUpperBound(range));
-    const diff = semverDiff(min, max);
+    const diff = getVersionDiff(min, max);
     return {
@@ -80,3 +80,3 @@ ...rest,
 
-    const diff = bound ? semverDiff(lastVersion, bound) : null;
+    const diff = bound ? getVersionDiff(lastVersion, bound) : null;
     return {
@@ -83,0 +83,0 @@ ...rest,

lib/get-release-to-add.js

 import { intersection, uniqBy } from "lodash-es";
 import semver from "semver";
-import semverDiff from "semver-diff";
 import getLastRelease from "./get-last-release.js";
-import { getLowerBound, makeTag } from "./utils.js";
+import { getLowerBound, getVersionDiff, makeTag } from "./utils.js";
 
@@ -45,3 +44,3 @@ /**
 
-    const type = lastRelease.version ? semverDiff(lastRelease.version, version) : "major";
+    const type = lastRelease.version ? getVersionDiff(lastRelease.version, version) : "major";
     const name = makeTag(tagFormat, version);
@@ -48,0 +47,0 @@ return {

lib/utils.js

@@ -85,2 +85,10 @@ import { template, union } from "lodash-es";
 
+export function getVersionDiff(version1, version2) {
+  if (semver.gte(version1, version2)) {
+    return undefined;
+  }
+
+  return semver.diff(version1, version2);
+}
+
 export function extractGitLogTags(tagsString) {
@@ -87,0 +95,0 @@ const regex = /tag: ([^,)]+)/g;

package.json

 {
   "name": "semantic-release",
   "description": "Automated semver compliant package publishing",
-  "version": "25.0.2",
+  "version": "25.0.3",
   "type": "module",
@@ -56,3 +56,2 @@ "author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
     "semver": "^7.3.2",
-    "semver-diff": "^5.0.0",
     "signale": "^1.2.1",
@@ -62,3 +61,3 @@ "yargs": "^18.0.0"
   "devDependencies": {
-    "@types/node": "24.10.0",
+    "@types/node": "24.10.9",
     "@types/signale": "1.4.7",
@@ -71,16 +70,16 @@ "ava": "6.4.1",
     "file-url": "4.0.0",
-    "fs-extra": "11.3.2",
-    "got": "14.6.2",
-    "js-yaml": "4.1.0",
-    "lockfile-lint": "4.14.1",
-    "ls-engines": "0.9.3",
+    "fs-extra": "11.3.3",
+    "got": "14.6.6",
+    "js-yaml": "4.1.1",
+    "lockfile-lint": "5.0.0",
+    "ls-engines": "0.10.0",
     "mockserver-client": "5.15.0",
     "nock": "14.0.10",
     "npm-run-all2": "8.0.4",
-    "p-retry": "7.1.0",
-    "prettier": "3.6.2",
-    "publint": "0.3.15",
-    "sinon": "21.0.0",
+    "p-retry": "7.1.1",
+    "prettier": "3.8.1",
+    "publint": "0.3.17",
+    "sinon": "21.0.1",
     "stream-buffers": "3.0.3",
-    "tempy": "3.1.0",
+    "tempy": "3.1.2",
     "testdouble": "3.20.2"
@@ -169,3 +168,3 @@ },
   },
-  "packageManager": "npm@11.4.2"
+  "packageManager": "npm@11.8.0+sha512.9f5f6c25e5be44629d907a3c482739c614b090a8505057d9685cd273e12c6172e34aa215d2d97bd9a0d8415bb356f7eb6f2b06c1d690b0d2cdcb9f09d7410149"
 }

README.md

@@ -142,3 +142,2 @@ <h1 align="center" style="border-bottom: none;">📦🚀 semantic-release</h1>
 - [Stack Overflow](https://stackoverflow.com/questions/tagged/semantic-release)
-- [Twitter](https://twitter.com/SemanticRelease)
 
@@ -145,0 +144,0 @@ ## Badge

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Fixed alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

298118

0.39%

Dependency count

28

-3.45%

Lines of code

2697

0.19%

Worsened metrics

Number of lines in readme file

168

-0.59%

Dependency changes

• - Removed

  semver-diff@^5.0.0

• - Removed

  semver-diff@5.0.0
  (transitive)