revert: restore semantic-release in devDependencies #37
Merged
Conversation
PR #34 (ephemeral install) traded Vulnerabilities 7→10 at the cost of Pinned-Dependencies staying at 9 because `npm install --no-save` is flagged as unpinned. PR #35 (.release/ subpackage with its own lockfile) fixed Pinned-Dependencies 9→10 but osv-scanner then found the bundled brace-expansion/picomatch advisories in the committed `.release/package-lock.json` and Vulnerabilities fell back to 7. Net: both approaches land at ~7.5-7.7 score, and both add architectural noise (ephemeral install vs split tooling tree) that exists solely to dodge `npm audit`.

Simpler path: restore semantic-release, @semantic-release/changelog, @semantic-release/git in devDependencies; drop the .release/ subpackage and the Dependabot carve-out for it; revert the release workflow to `npx semantic-release`.

We accept Vulnerabilities 7 while npm/cli#9194 lands (npm 11.13.0 bumps the bundled brace-expansion to 5.0.5 and picomatch to 4.0.4; release PR npm/cli#9240 open since 2026-04-15, historical merge-to-publish window 2-9 days).

Kept from the earlier scorecard sweep:
- Dockerfile multistage build using `npm ci` (Pinned-Dependencies 10)
- Branch protection: ruleset requires PR, no admin bypass
- fast-check pin at 4.6.0 (TS strict-build incompat in 4.7.0)

When npm 11.13.x lands, Dependabot will open the bump PR automatically and Vulnerabilities goes back to 10 with zero manual changes here.
🎉 This PR is included in version 0.6.7 🎉
The release is available on:
Your semantic-release bot 📦🚀
Summary
Revert PR #34 (ephemeral install) and PR #35 (.release/ subpackage). Both landed a net-neutral scorecard score (7.5-7.7) at the cost of architectural noise.
Simpler path: semantic-release + plugins back in `devDependencies`, `npx semantic-release` in the release workflow, no `.release/` tree, no Dependabot carve-out.

Trade-off acknowledged
- `npm audit` via `@semantic-release/npm` → `npm@11.12.1` (bundled `node_modules/`).
- `npm ci` is unchanged.

Why this is OK
Upstream fixes are imminent:
npm/cli#9194 tracks the three advisories, npm/cli#9240 is the release PR for npm 11.13.0 (open since 2026-04-15, historical merge window 2-9 days). Once published, `@semantic-release/npm`'s `^11.6.2` range picks it up and Dependabot auto-opens the bump PR here. Vulnerabilities snaps back to 10 with zero manual work.

Kept from the earlier scorecard sweep
- `npm ci` (Pinned-Dependencies 10/10)
- `fast-check` pin at 4.6.0 (TS strict-build incompat in 4.7.0)

Test plan
- `npm test`: 424/424 pass
- `npm run build`: clean
- `npx eslint src/`: clean
- `npm audit`: 3 known vulnerabilities (expected, upstream fix in flight)
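An accepted-risk gate for the "npm audit: 3 known vulnerabilities (expected)" state described in this PR, added here as an example and not part of the PR or the project's own tooling: it reads `npm audit --json` report data and fails only on advisories outside an explicit, expiring allowlist, so the temporary acceptance cannot silently hide new findings. The advisory ids, the expiry date and the sample report are constructed placeholders.

```javascript
// Gate `npm audit --json` on an explicit accepted-risk list: the known transitive
// advisories are tolerated until a stated expiry, anything else fails the check.
// Advisory ids, expiry date and the sample report below are constructed.
const ACCEPTED = [
  { id: 'GHSA-0000-0000-0001', reason: 'bundled in npm, fixed by npm 11.13.x', expires: '2026-05-15' },
  { id: 'GHSA-0000-0000-0002', reason: 'bundled in npm, fixed by npm 11.13.x', expires: '2026-05-15' },
];

// Collect every advisory object reachable through `via` in a v2 audit report.
// Entries of `via` that are plain strings are package names (transitive links), not advisories.
function collectAdvisories(report) {
  const found = new Map();
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== 'object' || via === null) continue;
      const id = via.url ? via.url.split('/').pop() : String(via.source);
      found.set(id, { id, pkg: via.name, severity: via.severity, title: via.title });
    }
  }
  return [...found.values()];
}

// Advisories not covered by an unexpired accepted-risk entry; an empty array means the gate passes.
function unexpectedAdvisories(report, accepted = ACCEPTED, today = new Date()) {
  const live = new Set(accepted.filter(a => new Date(a.expires) >= today).map(a => a.id));
  return collectAdvisories(report).filter(a => !live.has(a.id));
}

// Constructed sample in the shape of `npm audit --json` output (auditReportVersion 2)
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'brace-expansion': { name: 'brace-expansion', severity: 'low', isDirect: false,
      via: [{ source: 1, name: 'brace-expansion', title: 'constructed advisory', severity: 'low',
              url: 'https://github.com/advisories/GHSA-0000-0000-0001' }] },
    picomatch: { name: 'picomatch', severity: 'moderate', isDirect: false,
      via: [{ source: 2, name: 'picomatch', title: 'constructed advisory', severity: 'moderate',
              url: 'https://github.com/advisories/GHSA-0000-0000-0002' }] },
    npm: { name: 'npm', severity: 'moderate', isDirect: false, via: ['brace-expansion', 'picomatch'] },
  },
};

// Example gate run on the constructed report (a CI job would feed it real `npm audit --json` output)
const unexpected = unexpectedAdvisories(SAMPLE_REPORT, ACCEPTED, new Date('2026-04-20'));
if (unexpected.length) {
  console.error('unaccepted advisories:', unexpected.map(a => `${a.id} (${a.pkg}, ${a.severity})`));
} else {
  console.log('npm audit: only accepted advisories present');
}
```

Once the expiry passes, the same accepted advisories fail the gate again, which forces the acceptance to be consciously renewed instead of lingering after the npm 11.13.x bump should have landed.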