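License: MIT License
Language: JavaScript
Operating system: Cross-platform
Software type: Open source software
Region: Unknown
Submitted by: 首席测试
Intended audience: Unknown
Date listed: 2021-12-02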



When run, this command line interface automatically generates a new GitHub Release and populates it with the changes (commits) made since the last release.


Firstly, install the package from npm (you'll need at least Node.js 7.6.0):

npm install -g release

Alternatively, you can use Yarn to install it:

yarn global add release

Once that's done, you can run this command inside your project's directory:

release <type>

As you can see, a <type> argument can be passed. If you leave it out, a GitHub Release will be created from the most recent commit and tag.

According to the SemVer spec, the argument can have one of these values:

  • major: Incompatible API changes were introduced
  • minor: Functionality was added in a backwards-compatible manner
  • patch: Backwards-compatible bug fixes were applied

In addition to those values, we also support creating pre-releases like 3.0.0-canary.1:

release pre

You can also apply a custom suffix in place of "canary" like this:

release pre <suffix>

Assuming that you provide "beta" as the <suffix>, your release will then be 3.0.0-beta.1, and so on.


The following command will show you a list of all available options:

release help

Pre-Defining Types

If you want to automate release even further, specify the change type of your commits by adding it to the title or description within parentheses:

Error logging works now (patch)

Assuming that you've defined it for a certain commit, release won't ask you to set a type for it manually. This will make the process of creating a release even faster.

To pre-define that a commit should be excluded from the list, you can use this keyword:

This is a commit message (ignore)

Custom Hook

Sometimes you might want to filter the information that gets inserted into new releases by adding an intro text, replacing certain data or just changing the order of the changes.

With a custom hook, the examples above (and many more) are very easy to accomplish:

By default, release will look for a file named release.js in the root directory of your project. This file should export a function with two parameters and always return a String (the final release):

module.exports = async (markdown, metaData) => {
	// Use the available data to create a custom release
	return markdown;
};

In the example above, markdown contains the release as a String (if you just want to replace something). In addition, metaData contains these properties:

Property Name | Content
changeTypes | The types of changes and their descriptions
commits | A list of commits since the latest release
groupedCommits | Similar to commits, but grouped by the change types
authors | The GitHub usernames of the release collaborators

Hint: You can specify a custom location for the hook file using the --hook or -H flag, which takes in a path relative to the current working directory.
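A hook can also serve as a last check on what gets published. The following release.js is an added example, not code from the release project: it assumes commit messages may contain credential-like strings and redacts them from the markdown String before returning it. The pattern list and the redactSecrets helper are hypothetical names chosen here.

```javascript
// release.js: added example hook, not part of the release project.
// Commit messages end up in public release notes, so scrub credential-like
// strings first. The patterns are assumptions chosen for illustration and
// over-redact on purpose; extend them for the secrets your team handles.
const SECRET_PATTERNS = [
	// GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_)
	{ name: 'github-token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
	{ name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
	// key=value style secrets: keep the key, drop the value
	{ name: 'assigned-secret', re: /\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)[^\s'")]+/gi }
];

// Hypothetical helper: returns the cleaned text plus which patterns fired.
function redactSecrets(markdown) {
	const hits = [];
	let text = markdown;
	for (const { name, re } of SECRET_PATTERNS) {
		text = text.replace(re, (match, key, sep) => {
			hits.push(name);
			// Only the key=value pattern has capture groups; for the others
			// the second callback argument is the numeric match offset.
			return typeof key === 'string' ? `${key}${sep}[REDACTED]` : '[REDACTED]';
		});
	}
	return { text, hits };
}

// The hook itself: same signature as described above, always returns a String.
// metaData is accepted but unused, since only the rendered text is published.
const hook = async (markdown, metaData) => {
	const { text, hits } = redactSecrets(markdown);
	if (hits.length > 0) {
		// Report on stderr so the finding never becomes part of the release body
		const kinds = [...new Set(hits)].join(', ');
		console.error(`release hook: redacted ${hits.length} secret-like string(s): ${kinds}`);
	}
	return text;
};

if (typeof module !== 'undefined') module.exports = hook;
```

Redaction only cleans the published notes. The string is still in the commit history, so any hit means the credential should be rotated.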


As we at Vercel moved all of our GitHub repositories from keeping a file to using GitHub Releases, we needed a way to automatically generate these releases from our own devices, rather than always having to open a page in the browser and manually add the notes for each change.


You can find the authentication flow here.

  1. Fork this repository to your own GitHub account and then clone it to your local device
  2. Uninstall the package if it's already installed: npm uninstall -g release
  3. Link the package to the global module directory: npm link
  4. You can now use release on the command line!

As always, you can use npm test to run the tests and see if your changes have broken anything.


Thanks a lot to Daniel Chatfield for donating the "release" name on npm and my lovely team for telling me about their needs and how I can make this package as efficient as possible.


Leo Lamprecht (@notquiteleo) - Vercel




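lodash command injection vulnerability
lodash is a modern JavaScript utility library delivering modularity, performance and extras. Lodash versions prior to 4.17.21 are vulnerable to command injection via the template function.
CVE-2021-23337 MPS-2021-2638
2022-08-08 18:31

acorn denial-of-service vulnerability
acorn is a small, fast JavaScript parser written in JavaScript. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS) via a regular expression of the form /[x-\ud800]/u, which causes the parser to enter an infinite loop.
2022-08-08 18:31

lodash denial-of-service vulnerability
lodash is a modern JavaScript utility library delivering modularity, performance and extras. Because the fix for CVE-2020-8203 was incomplete, affected versions of this package are vulnerable to prototype pollution in zipObjectDeep.
2022-08-08 18:31

extend module input validation error vulnerability
extend module is a port of jQuery's classic extend() method. An input validation error vulnerability exists in the 'utilities' function of the deep-extend node module, version 0.5.0 and earlier. An attacker can exploit this vulnerability to crash the server or make it return a 500.
CVE-2018-3750 MPS-2018-8705
2022-08-08 18:31

Ajv input validation error vulnerability
An input validation error vulnerability exists in the ajv.validate() function in Ajv version 6.12.2. An attacker can exploit this vulnerability to execute code or cause a denial of service.
CVE-2020-15366 MPS-2020-10525
2022-08-08 18:31

minimist input validation error vulnerability
minimist is a command-line argument parsing tool. An input validation error vulnerability exists in minimist versions prior to 1.2.2. An attacker can exploit this vulnerability with 'constructor' and '__proto__' payloads to add or modify properties of Object.prototype.
CVE-2020-7598 MPS-2020-3516
2022-08-08 18:31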
