docs: recommend pinning plugins and presets in npx command#48
Conversation
The major-version pinning recommendation previously covered only semantic-release itself, while the npx example listed plugins and presets unpinned. An unpinned preset major can silently break releases — e.g. `conventional-changelog-conventionalcommits@10` resolved against the `conventional-changelog-writer@8` bundled by current semantic-release produces empty release notes. The example deliberately pins `conventional-changelog-conventionalcommits@9` until release-notes-generator ships with `conventional-changelog-writer@9`. See conventional-changelog/conventional-changelog#1495
|
@igordanchenko is attempting to deploy a commit to the Semantic Release Team on Vercel. A member of the Team first needs to authorize it. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
While adopting this exact recommendation in one of my projects, I ran into a footgun that may be worth a note in the docs.
The catch is that this only happens with pinned specs — i.e., exactly when following this PR's recommendation. A bare package name parses as the Adding - name: Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HUSKY: 0
run: npx --package semantic-release@25 --package conventional-changelog-conventionalcommits@9 semantic-release(Verified fix — the same workflow released successfully with Happy to fold a short warning about this into the PR if you think it belongs on this page. |
this is a great question. i dont necessarily want to promise that the versions in at least this part of the docs suggest compatible versions, but i worry that not using real version numbers could confuse folks further. for now, i think it is ok to leave as is
i think this concern is valid whether or not plugins are included in the npx command. however, these changes are in code in the repository. if an update is merged that breaks the configuration, the previous combination is still in history, so the update can be reverted to get back to a working setup. that is a far better situation to be in than not knowing the versions that were in place before becoming broken. i think i'll merge the current iteration because it is already better than the current state, but if you'd like to suggest an improvement for this as a follow up, we'd welcome it |
|
for another potential follow-up, it could be useful to apply the same guidance in the example here, too: https://semantic-release.org/foundation/plugins/#additional-plugins |
Summary
Extends the version pinning guidance on the Running semantic-release page to cover plugins and presets, not just semantic-release itself.
Follow-up to the discussion in conventional-changelog/conventional-changelog#1495.
Open Questions
@travi
How would you prefer to handle version drift in the pinned examples? Add a note saying the versions are current as of July 2026? Or use generic
@^X/@^Yplaceholders?A related question about the Renovate guidance: an automated Renovate config can cause the very same issue version pinning is trying to avoid — a major bump of a pinned preset (e.g.
conventional-changelog-conventionalcommits@9→@10) passes CI and silently ships empty release notes. Should the Renovate example stay semantic-release-only, or also cover plugin pins?