
Security News
Next.js moves to scheduled security releases
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.
versionary
Advanced tools
Automatic release framework based on conventional commits and semantic versioning
Versionary is a software-agnostic automated release tool focused on SemVer, Conventional Commits, release-PR workflows, and extensibility.
📖 Documentation: https://versionary.dev/
Versionary is a practical middle ground between
semantic-release and
release-please:
semantic-release, it supports direct release execution;release-please, it supports a release PR workflow so maintainers
can preview and review changes before publication.It keeps versioning, changelog generation, tagging, and SCM release metadata in one tool, while leaving package publication (npm, crates.io, etc.) to dedicated CI workflows triggered by tags or releases.
It is built to:
Status: early, alpha-stage development. Breaking changes are expected before
1.0.0.
Install:
pnpm add -D versionary # or npm install --save-dev versionary
Add a versionary.jsonc at the repo root:
{
"$schema": "https://raw.githubusercontent.com/jolars/versionary/main/schemas/config.json",
"version": 1,
"release-type": "node"
}
Check it and preview the next release:
npx versionary verify
npx versionary plan
Then automate it in CI—see the Getting started and GitHub Actions guides.
The full documentation lives at https://versionary.dev/:
In scope: semantic version planning from commits, changelog generation, release PR automation, and tags + SCM release metadata (e.g. GitHub Releases).
Out of scope (intentional): publishing artifacts to language registries, replacing package-specific publish tooling, and external/user-provided plugin loading. Use your CI/CD platform for registry publishing, triggered from a created release/tag.
See CONTRIBUTING.md for the development setup, commands, and commit conventions.
Runtime code uses a flat src/ layout with clear module boundaries:
src/cli/: command router (run, verify, plan, changelog, pr, release)src/release/: release orchestration (plan/changelog/PR/release/state/recovery)src/strategy/: strategy contracts, resolver, and built-in implementations
(simple, node, rust, r, latex, python, julia)src/scm/: SCM client contracts and provider implementation(s)src/config/: config loading and schema validationsrc/git/: git commit/range and repository URL helperssrc/types/: shared config/plugin-facing typesConfiguration is loaded from versionary.jsonc by default (or
versionary.json). The config schema lives in src/config/schema.ts; the
editor-facing schemas/config.json is generated via pnpm gen:schema.
New language strategies can be added internally without changing release
orchestration. A new strategy should implement the VersionStrategy contract in
src/strategy/types.ts and be wired in src/strategy/resolve.ts.
Checklist for new strategies:
namegetVersionFile(config) defaults and config override behaviorreadVersion(cwd, config) with explicit malformed-file errorswriteVersion(cwd, config, version) returning deterministic updated
file pathsreadPackageName(cwd, config) so monorepo release tags
can derive from language metadata (similar to Node/Rust/R)propagateDependentPatchImpacts(cwd, packages) if
dependency updates in this ecosystem should trigger dependent package patch
bumpsfinalizeVersionWrites(cwd, writes, context) for
ecosystem post-processing after all target version files are writtentests/strategy-contract.test.tsrelease-type behavior and defaultsYou can install directly from a git ref:
{
"devDependencies": {
"versionary": "github:jolars/versionary#<commit-or-tag>"
}
}
The package runs a prepare build during git installation so the versionary
CLI binary is available after install.
FAQs
Automatic release framework based on conventional commits and semantic versioning
The npm package versionary receives a total of 78 weekly downloads. As such, versionary popularity was classified as not popular.
We found that versionary demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.