chore: upgrade semantic release#4684
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
WalkthroughThis PR updates ChangesDependency Update
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Suggested labels: Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 277: The declared Node baseline is still too low for semantic-release
v25, so the release step will fail under the current runtime requirement. Update
the Node engine/runtime requirement in package.json (including the engines.node
field and any related release baseline config) to at least Node 22.14+, and make
sure the release setup that uses semantic-release is aligned with that version.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: a156eb69-ffeb-4990-b7e8-b9a0ace4a4e8
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (1)
package.json
| "sass-loader": "^16.0.6", | ||
| "scroll-into-view-if-needed": "^2.2.31", | ||
| "semantic-release": "^24.2.9", | ||
| "semantic-release": "^25.0.5", |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
semantic-release v25 breaking changes and migration guide
💡 Result:
semantic-release version 25 was released on October 15, 2025 [1]. The primary breaking changes in this major version release center on a significant shift in the Node.js runtime requirements [1][2]. Breaking Changes: - Dropped Support: Support for Node.js versions 20, 21, and 23 has been removed [1][2]. - Minimum Node.js Version: A minimum of Node.js v22.14 is now required to run semantic-release [1][2]. - Node.js v24 Range: Within the v24 line, a minimum of Node.js v24.10.0 is now required [1][2]. Migration Guide & Best Practices: To migrate to semantic-release v25, you must ensure your CI/CD environment uses a compatible Node.js version [2]. 1. Update CI Infrastructure: The recommended approach is to update your CI/CD pipeline images to use a supported Node.js version (e.g., Node.js 22 LTS or newer) [2]. 2. Targeted Runtime Upgrade: If upgrading the entire CI pipeline image is not immediately feasible, you can execute semantic-release using a specific newer Node.js runtime while keeping the rest of your pipeline on an older version [2]. This can be achieved using a command similar to: npx -p node@v24 -c "npx semantic-release" This allows you to satisfy the v25 runtime requirements for the release step specifically without forcing a global environment upgrade across your test or build matrix [2]. As of July 9, 2026, the latest stable version is v25.0.5 [3][4].
Citations:
- 1: https://github.com/semantic-release/semantic-release/releases/tag/v25.0.0
- 2: https://pocketlantern.dev/briefs/semantic-release-v25-node-runtime-baseline-shift-2026
- 3: https://npmx.dev/package-changelog/semantic-release/v/25.0.5
- 4: https://github.com/semantic-release/semantic-release/releases/tag/v25.0.5
🏁 Script executed:
python3 - <<'PY'
from pathlib import Path
p = Path('package.json')
text = p.read_text()
for key in ['"semantic-release"', '"engines"', '"node"', '"scripts"']:
idx = text.find(key)
if idx != -1:
start = text.rfind('\n', 0, idx)
end = text.find('\n', idx)
print(text[start+1:end])
PYRepository: box/box-ui-elements
Length of output: 256
🏁 Script executed:
python3 - <<'PY'
import json
from pathlib import Path
data = json.loads(Path('package.json').read_text())
print('semantic-release:', data['dependencies'].get('semantic-release') or data['devDependencies'].get('semantic-release'))
print('engines:', data.get('engines'))
print('scripts.cut_release:', data.get('scripts', {}).get('cut_release'))
PYRepository: box/box-ui-elements
Length of output: 255
🌐 Web query:
semantic-release v25 --no-ci flag support release notes
💡 Result:
The --no-ci flag is a standard, supported feature in semantic-release, including in version 25 [1][2]. It is not a new feature introduced in v25, but rather a long-standing configuration option that allows the tool to run in local environments by skipping Continuous Integration (CI) environment verifications [1][3][4]. In semantic-release v25, the --no-ci flag (or setting --ci to false) continues to function as the mechanism to bypass CI checks, enabling manual releases from a local machine [1][5]. Official documentation confirms that this flag is equivalent to --ci false [1][6]. When using this flag, you are responsible for providing the necessary authentication tokens (such as NPM_TOKEN or GH_TOKEN) via environment variables [7]. The release notes for semantic-release v25.0.0 and subsequent v25 patch releases do not mention any breaking changes or specific updates to the --no-ci flag, confirming its continued consistent behavior [8][9][10][11].
Citations:
- 1: https://semantic-release.gitbook.io/semantic-release/usage/configuration.md
- 2: https://github.com/semantic-release/semantic-release/blob/HEAD/docs/usage/configuration.md
- 3: https://semantic-release.gitbook.io/semantic-release/support/faq
- 4: semantic-release does not respect --no-ci flag under some circumstances semantic-release/semantic-release#1299
- 5: https://semantic-release.gitbook.io/semantic-release/usage/configuration
- 6: https://semantic-release.gitbook.io/semantic-release/next/usage/configuration
- 7: https://semantic-release.gitbook.io/semantic-release/next/support/faq
- 8: https://github.com/semantic-release/semantic-release/releases/tag/v25.0.0
- 9: https://github.com/semantic-release/semantic-release/releases/tag/v25.0.5
- 10: https://github.com/semantic-release/semantic-release/releases/tag/v25.0.4
- 11: https://github.com/semantic-release/semantic-release/releases/tag/v25.0.3
Update the release Node baseline for semantic-release v25
semantic-release v25 needs Node 22.14+, but this repo still declares engines.node >=20.x, so the release step will fail on the current baseline. Bump the runtime/engines version before merging.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 277, The declared Node baseline is still too low for
semantic-release v25, so the release step will fail under the current runtime
requirement. Update the Node engine/runtime requirement in package.json
(including the engines.node field and any related release baseline config) to at
least Node 22.14+, and make sure the release setup that uses semantic-release is
aligned with that version.
There was a problem hiding this comment.
okay our internal CI uses 22.11.0 so I need to fix this
There was a problem hiding this comment.
@tjuanitas Good catch — thanks for confirming. Since your internal CI is pinned to Node 22.11.0, you've got a couple of paths depending on how quickly you can move the CI baseline:
- Bump CI to Node 22.14+ (or 24.10+) — cleanest long-term fix, keeps
engines.nodeinpackage.jsonaccurate and avoids drift between declared/actual runtime. - Keep CI on 22.11.0 for now, but run just the release step on a newer Node — e.g.
npx -p node@22 -- npx semantic-release(or similar) so only the semantic-release invocation gets a compatible runtime without upgrading the whole pipeline image. - Hold off on the v25 bump — revert
semantic-releaseto^24.2.9in this PR until the CI image is upgraded, then bump separately.
Let me know which direction you'd like to take and I can help sanity-check the change once it's in.
✏️ Learnings added
Learnt from: tjuanitas
Repo: box/box-ui-elements PR: 4684
File: package.json:277-277
Timestamp: 2026-07-09T20:58:14.105Z
Learning: In box/box-ui-elements, the internal CI environment currently runs Node 22.11.0, which is below the Node 22.14+ minimum required by semantic-release v25. This should be considered when reviewing devDependency bumps to semantic-release ^25.x or Node engine requirement changes.
Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
resolves:
Summary by CodeRabbit