Skip to content

chore: upgrade semantic release#4684

Closed
tjuanitas wants to merge 1 commit into
masterfrom
chore-upgrade-semantic-release
Closed

chore: upgrade semantic release#4684
tjuanitas wants to merge 1 commit into
masterfrom
chore-upgrade-semantic-release

Conversation

@tjuanitas

@tjuanitas tjuanitas commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

resolves:

  1. https://github.com/box/box-ui-elements/security/dependabot/437
  2. https://github.com/box/box-ui-elements/security/dependabot/436
  3. https://github.com/box/box-ui-elements/security/dependabot/447

Summary by CodeRabbit

  • Chores
    • Updated a development release dependency to a newer version.
    • Removed one dependency override while keeping the remaining pinned resolutions in place.

@tjuanitas
tjuanitas requested a review from a team as a code owner July 9, 2026 20:39
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​semantic-release@​24.2.9 ⏵ 25.0.59710010095 +1100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm npm is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/semantic-release@25.0.5npm/npm@11.18.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@11.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm npm is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/semantic-release@25.0.5npm/npm@11.18.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@11.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

This PR updates package.json by bumping the semantic-release devDependency from ^24.2.9 to ^25.0.5 and removing the @sigstore/core entry from the resolutions block, while other resolution entries remain unchanged.

Changes

Dependency Update

Layer / File(s) Summary
Dependency version and resolutions cleanup
package.json
Bumps semantic-release devDependency to ^25.0.5 and removes the @sigstore/core (3.2.1) entry from resolutions.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

Suggested labels: ready-to-merge

Suggested reviewers: tjiang-box, jfox-box

Poem

A hop, a skip, a version bump,
semantic-release gets a jump 🐇
One less line in resolutions' nest,
package.json now tidy and pressed.
Carrots for clean dependencies! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning No PR description was provided, so the repository template requirements are not met. Add a PR description and include any required merge-queue or approval notes from the template.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: upgrading semantic-release.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore-upgrade-semantic-release

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 277: The declared Node baseline is still too low for semantic-release
v25, so the release step will fail under the current runtime requirement. Update
the Node engine/runtime requirement in package.json (including the engines.node
field and any related release baseline config) to at least Node 22.14+, and make
sure the release setup that uses semantic-release is aligned with that version.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a156eb69-ffeb-4990-b7e8-b9a0ace4a4e8

📥 Commits

Reviewing files that changed from the base of the PR and between 1ebc004 and e0e9cb2.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"sass-loader": "^16.0.6",
"scroll-into-view-if-needed": "^2.2.31",
"semantic-release": "^24.2.9",
"semantic-release": "^25.0.5",

@coderabbitai coderabbitai Bot Jul 9, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

semantic-release v25 breaking changes and migration guide

💡 Result:

semantic-release version 25 was released on October 15, 2025 [1]. The primary breaking changes in this major version release center on a significant shift in the Node.js runtime requirements [1][2]. Breaking Changes: - Dropped Support: Support for Node.js versions 20, 21, and 23 has been removed [1][2]. - Minimum Node.js Version: A minimum of Node.js v22.14 is now required to run semantic-release [1][2]. - Node.js v24 Range: Within the v24 line, a minimum of Node.js v24.10.0 is now required [1][2]. Migration Guide & Best Practices: To migrate to semantic-release v25, you must ensure your CI/CD environment uses a compatible Node.js version [2]. 1. Update CI Infrastructure: The recommended approach is to update your CI/CD pipeline images to use a supported Node.js version (e.g., Node.js 22 LTS or newer) [2]. 2. Targeted Runtime Upgrade: If upgrading the entire CI pipeline image is not immediately feasible, you can execute semantic-release using a specific newer Node.js runtime while keeping the rest of your pipeline on an older version [2]. This can be achieved using a command similar to: npx -p node@v24 -c "npx semantic-release" This allows you to satisfy the v25 runtime requirements for the release step specifically without forcing a global environment upgrade across your test or build matrix [2]. As of July 9, 2026, the latest stable version is v25.0.5 [3][4].

Citations:


🏁 Script executed:

python3 - <<'PY'
from pathlib import Path
p = Path('package.json')
text = p.read_text()
for key in ['"semantic-release"', '"engines"', '"node"', '"scripts"']:
    idx = text.find(key)
    if idx != -1:
        start = text.rfind('\n', 0, idx)
        end = text.find('\n', idx)
        print(text[start+1:end])
PY

Repository: box/box-ui-elements

Length of output: 256


🏁 Script executed:

python3 - <<'PY'
import json
from pathlib import Path
data = json.loads(Path('package.json').read_text())
print('semantic-release:', data['dependencies'].get('semantic-release') or data['devDependencies'].get('semantic-release'))
print('engines:', data.get('engines'))
print('scripts.cut_release:', data.get('scripts', {}).get('cut_release'))
PY

Repository: box/box-ui-elements

Length of output: 255


🌐 Web query:

semantic-release v25 --no-ci flag support release notes

💡 Result:

The --no-ci flag is a standard, supported feature in semantic-release, including in version 25 [1][2]. It is not a new feature introduced in v25, but rather a long-standing configuration option that allows the tool to run in local environments by skipping Continuous Integration (CI) environment verifications [1][3][4]. In semantic-release v25, the --no-ci flag (or setting --ci to false) continues to function as the mechanism to bypass CI checks, enabling manual releases from a local machine [1][5]. Official documentation confirms that this flag is equivalent to --ci false [1][6]. When using this flag, you are responsible for providing the necessary authentication tokens (such as NPM_TOKEN or GH_TOKEN) via environment variables [7]. The release notes for semantic-release v25.0.0 and subsequent v25 patch releases do not mention any breaking changes or specific updates to the --no-ci flag, confirming its continued consistent behavior [8][9][10][11].

Citations:


Update the release Node baseline for semantic-release v25
semantic-release v25 needs Node 22.14+, but this repo still declares engines.node >=20.x, so the release step will fail on the current baseline. Bump the runtime/engines version before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 277, The declared Node baseline is still too low for
semantic-release v25, so the release step will fail under the current runtime
requirement. Update the Node engine/runtime requirement in package.json
(including the engines.node field and any related release baseline config) to at
least Node 22.14+, and make sure the release setup that uses semantic-release is
aligned with that version.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay our internal CI uses 22.11.0 so I need to fix this

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tjuanitas Good catch — thanks for confirming. Since your internal CI is pinned to Node 22.11.0, you've got a couple of paths depending on how quickly you can move the CI baseline:

  1. Bump CI to Node 22.14+ (or 24.10+) — cleanest long-term fix, keeps engines.node in package.json accurate and avoids drift between declared/actual runtime.
  2. Keep CI on 22.11.0 for now, but run just the release step on a newer Node — e.g. npx -p node@22 -- npx semantic-release (or similar) so only the semantic-release invocation gets a compatible runtime without upgrading the whole pipeline image.
  3. Hold off on the v25 bump — revert semantic-release to ^24.2.9 in this PR until the CI image is upgraded, then bump separately.

Let me know which direction you'd like to take and I can help sanity-check the change once it's in.


✏️ Learnings added
Learnt from: tjuanitas
Repo: box/box-ui-elements PR: 4684
File: package.json:277-277
Timestamp: 2026-07-09T20:58:14.105Z
Learning: In box/box-ui-elements, the internal CI environment currently runs Node 22.11.0, which is below the Node 22.14+ minimum required by semantic-release v25. This should be considered when reviewing devDependency bumps to semantic-release ^25.x or Node engine requirement changes.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@tjuanitas tjuanitas closed this Jul 9, 2026
@tjuanitas
tjuanitas deleted the chore-upgrade-semantic-release branch July 9, 2026 20:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant