Skip to content

Bump @changesets/cli from 3.0.0-next.3 to 3.0.0-next.8#23

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/changesets/cli-3.0.0-next.5
Open

Bump @changesets/cli from 3.0.0-next.3 to 3.0.0-next.8#23
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/changesets/cli-3.0.0-next.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps @changesets/cli from 3.0.0-next.3 to 3.0.0-next.8.

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​3.0.0-next.6

Major Changes

  • #2074 3599e47 Thanks @​bluwy! - Set supported package manager versions in "engines" field, including npm >=10.9.0, pnpm >=10.0.0, and yarn >=4.5.2.

Minor Changes

  • #2068 d03ffc1 Thanks @​bluwy! - Support {commit-short} placeholder for the snapshot.prereleaseTemplate config, which is a 7 character variant of {commit}

  • #2061 c2db1dd Thanks @​Andarist! - Added a changeset publish-plan command to inspect which packages would be published or tagged, with optional JSON output.

  • #2100 90b4ad0 Thanks @​Andarist! - Order releases into dependency-aware chunks so packages are grouped in publish order.

  • #2063 ed77176 Thanks @​Andarist! - Added changeset publish --from-pack-dir <dir> to publish packages from a previously created pack output directory.

  • #2062 830443c Thanks @​Andarist! - Added a changeset pack command that requires --out-dir and writes publishable package tarballs plus an enriched publish-plan.json into that directory, either from the current workspace or from a saved publish plan via --from-plan.

  • #2073 b9cbd80 Thanks @​bluwy! - Show if a package is private when selecting packages in changeset add

Patch Changes

  • #2060 11bded4 Thanks @​Andarist! - Fixed changeset publish to respect ignored packages for both publishing and private package tagging.

  • #2064 ffd65fc Thanks @​Andarist! - For pnpm projects, Changesets now match pnpm's native registry behavior more closely during unpublished package checks. Both scope-based publishConfig registry overrides and publishConfig.registry are now ignored.

  • #2113 b8222e6 Thanks @​Andarist! - Fixed publish error printing for pnpm 11.

  • #2111 124ad07 Thanks @​Andarist! - Auto-create the directory for the target publish plan file when executing changeset publish-plan --output <file>

  • #2113 b8222e6 Thanks @​Andarist! - Fixed accidental success logs on failed npm publishes

  • #2091 3918fe5 Thanks @​bluwy! - Log "New tag: ..." messages when running changeset publish to fix compatibility with the Changesets release GitHub action to create GitHub releases and push the new tags

  • Updated dependencies [694396c, d03ffc1, 01f4da4, c2348fc]:

    • @​changesets/apply-release-plan@​8.0.0-next.6
    • @​changesets/assemble-release-plan@​7.0.0-next.6
    • @​changesets/read@​1.0.0-next.6
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 1, 2026
@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​changesets/​cli@​3.0.0-next.89910010095100

View full report

@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/vitest@4.1.8npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Bumps [@changesets/cli](https://github.com/changesets/changesets) from 3.0.0-next.3 to 3.0.0-next.8.
- [Release notes](https://github.com/changesets/changesets/releases)
- [Commits](https://github.com/changesets/changesets/commits)

---
updated-dependencies:
- dependency-name: "@changesets/cli"
  dependency-version: 3.0.0-next.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump @changesets/cli from 3.0.0-next.3 to 3.0.0-next.5 Bump @changesets/cli from 3.0.0-next.3 to 3.0.0-next.8 Jul 19, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/changesets/cli-3.0.0-next.5 branch from a755f10 to 3981123 Compare July 19, 2026 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants