@anolilab/multi-semantic-release

A multi semantic release tool for a monorepo.

---

---

Hacky semantic-release for monorepos based on qiwi/multi-semantic-release

This fork of dhoub/multi-semantic-release replaces setImmediate loops
and execa.sync hooks with event-driven flow and finally makes possible to run the most release operations in parallel.
🎉 🎉 🎉

This package should work well, but may not be fundamentally stable enough for important production use as
it's pretty dependent on how semantic-release works (so it may break or get out-of-date in future versions
of semantic-release).

One of the best things about semantic-release is forgetting about version numbers. In a monorepo though there's still
a lot of version number management required for local deps (packages in the same monorepo referenced in dependencies
or devDependencies or peerDependencies). However in multi-semantic-release the version numbers of local deps are
written into package.json at release time. This means there's no need to hard-code versions any more
(we recommend just using * asterisk instead in your repo code).

Note: While devDependencies are updated in package.json, they do not trigger version bumps for the package itself. Only runtime dependencies (dependencies, peerDependencies, optionalDependencies) can trigger version bumps when they change.

$3

- CLI & JS API
- Automated & configurable cross-pkg version bumping
- Provides alpha & beta-branched release flow
- Supports npm (v7+), yarn, pnpm, bolt-based monorepos
- Optional packages ignoring
- Linux/MacOs/Windows support
- Automatic catalog change detection - Automatically triggers releases when pnpm or Yarn catalog versions change

Install

``bash
npm install --save-dev @anolilab/multi-semantic-release@latest semantic-release@latest
`

`sh
pnpm add -D @anolilab/multi-semantic-release@latest semantic-release@latest
`

`sh
yarn add -D @anolilab/multi-semantic-release@latest semantic-release@latest
`

Usage

`sh
multi-semantic-release
`

Requirements

- Node.js ^22.14.0 || >=24.10.0
- git-notes enabled

$3

Make sure to have a workspaces attribute inside your package.json project file. In there, you can set a list of packages that you might want to process in the msr process, as well as ignore others. For example, let's say your project has 4 packages (i.e. a, b, c and d) and you want to process only a and d (ignore b and c). You can set the following structure in your package.json file:

`json
{
"name": "msr-test-yarn",
"author": "Dave Houlbrooke "version": "0.0.0-semantically-released",
"private": true,
"license": "0BSD",
"engines": {
"node": ">=8.3"
},
"workspaces": ["packages/*", "!packages/b/", "!packages/c/"],
"release": {
"plugins": ["@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator"],
"noCi": true
}
}
`

$3

Make sure to have a packages attribute inside your pnpm-workspace.yaml in the root of your project.

> Note: You need to have the "workspaces": ["packages/*"] attribute inside your package.json project file as well, need from semantic-release.

In there, you can set a list of packages that you might want to process in the msr process, as well as ignore others.
For example, let's say your project has 4 packages (i.e. a, b, c and d) and you want to process only a and d (ignore b and c). You can set the following structure in your pnpm-workspace.yaml file:

`yaml
packages:
- "packages/**"
- "!packages/b/**"
- "!packages/c/**"
`

#### Catalog Change Detection (pnpm)

Multi-semantic-release automatically detects changes in pnpm catalogs defined in pnpm-workspace.yaml and triggers releases for packages that use those catalogs. When a catalog version changes, the release type (major/minor/patch) is determined by comparing the old and new versions using semantic versioning.

Example pnpm-workspace.yaml with catalogs:

`yaml
packages:
- "packages/*"

catalogs:
cli:
semantic-release: ^25.0.0
"@semantic-release/changelog": ^6.0.0
dev:
typescript: ^5.1.0
eslint: ^9.0.0
prod:
lodash-es: ^4.17.1
`

When you update a catalog version (e.g., lodash-es: ^4.17.0 → ^4.17.1), any package using catalog:prod for lodash-es will automatically get a patch release. The release type is determined by the version change:

- Major change (e.g., ^1.0.0 → ^2.0.0) triggers a major release
- Minor change (e.g., ^1.0.0 → ^1.1.0) triggers a minor release
- Patch change (e.g., ^1.0.0 → ^1.0.1) triggers a patch release

Note: Catalog references in devDependencies are updated but do not trigger version bumps. Only catalog references in dependencies, peerDependencies, and optionalDependencies can trigger releases.

Catalog changes are combined with commit-based releases - if both trigger a release, the highest severity is used.

$3

Make sure to have a bolt.workspaces attribute inside your package.json project file.
In there, you can set a list of packages that you might want to process in the msr process, as well as ignore others.
For example, let's say your project has 4 packages (i.e. a, b, c and d) and you want to process only a and d (ignore b and c). You can set the following structure in your package.json file:

`json
{
"name": "msr-test-bolt",
"author": "Dave Houlbrooke "version": "0.0.0-semantically-released",
"private": true,
"license": "0BSD",
"engines": {
"node": ">=8.3"
},
"bolt": {
"workspaces": ["packages/*", "!packages/b/", "!packages/c/"]
},
"release": {
"plugins": ["@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator"],
"noCi": true
}
}
`

Configuring Multi-Semantic-Release

Alternatively some options may be set via CLI flags.

Note: CLI arguments take precedence over options configured in the configuration file.

Configuration

Multi-semantic-release can be configured using a configuration file in any of the following formats:

$3

1. package.json (under the "multi-release" key):

`json
{
"name": "my-monorepo",
"version": "1.0.0",
"multi-release": {
"deps": {
"bump": "inherit"
},
"ignorePackages": ["packages/legacy/**"],
"tagFormat": "${name}@${version}"
}
}
`

2. .multi-releaserc (JSON format):

`json
{
"deps": {
"bump": "inherit"
},
"ignorePackages": ["packages/legacy/**"],
"tagFormat": "${name}@${version}"
}
`

3. .multi-releaserc.json:

`json
{
"deps": {
"bump": "inherit"
}
}
`

4. .multi-releaserc.js (CommonJS module):

`javascript
module.exports = {
deps: {
bump: "inherit",
},
ignorePackages: ["packages/legacy/**"],
};
`

5. .multi-releaserc.cjs (CommonJS module):

`javascript
module.exports = {
deps: {
bump: "inherit",
excludeDependencies: ["@visulima/packem", "my-circular-package"],
},
};
`

6. multi-release.config.js (ES module):
`javascript
export default {
deps: {
bump: "inherit",
},
};
`

$3

Multi-semantic-release will search for configuration files in the following order:

1. package.json (under "multi-release" property)
2. .multi-releaserc
3. .multi-releaserc.json
4. .multi-releaserc.js
5. .multi-releaserc.cjs
6. multi-release.config.js

The first configuration file found will be used, and the search stops there.

$3

| Option | Type | CLI Flag | Description |
| ----------------- | ----------------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| dryRun | boolean | --dry-run | Dry run mode. |
| logLevel | String | --log-level | Sets the internal logger verbosity level: error, warn, info, debug, trace. Defaults to info. |
| debug | boolean | --debug | Output debugging information. Shortcut for --logLevel=debug. |
| silent | boolean | --silent | Turns off any log outputs. |
| extends | String \| Array | N/A | List of modules or file paths containing a shareable configuration. If multiple shareable configurations are set, they will be imported in the order defined with each configuration option taking precedence over the options defined in the previous. |
| sequentialInit | boolean | --sequential-init | Avoid hypothetical concurrent initialization collisions. |
| sequentialPrepare | boolean | --sequential-prepare | Avoid hypothetical concurrent preparation collisions. True by default. |
| firstParent | boolean | --first-parent | Apply commit filtering to current branch only. |
| ignorePrivate | boolean | --ignore-private | Exclude private packages. True by default. |
| ignorePackages | String \| Array | --ignore-packages | Packages list to be ignored on bumping process (appended to the ones that already exist at package.json workspaces). If using the CLI flag, supply a comma seperated list of strings. |
| tagFormat | String | --tag-format | Format to use when creating tag names. Should include "name" and "version" vars. Default: "${name}@${version}" which generates "package-name@1.0.0" |
| deps | Object | N/A | Dependency handling, see below for possible values. |

$3

| Option | Type | CLI Flag | Description |
| ------- | ---------------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| bump | override \| satisfy \| inherit | --deps.bump | Define deps version update rule.

• override — replace any prev version with the next one
• satisfy — check the next pkg version against its current references. If it matches (* matches to any, 1.1.0 matches 1.1.x, 1.5.0 matches to ^1.0.0 and so on) release will not be triggered, if not override strategy will be applied instead; inherit will try to follow the current declaration version/range. ~1.0.0 + minor turns into ~1.1.0, 1.x + major gives 2.x, but 1.x + minor gives 1.x so there will be no release, etc. +;
• ignore prevent dependencies from being bumped by MSR

|
| release | patch \| minor \| major \| inherit \| Object | --deps.release | Define release type for dependent package if any of its deps changes.

• patch, minor, major — strictly declare the release type that occurs when any dependency is updated;
• inherit — applies the "highest" release of updated deps to the package.
_For example, if any dep has a breaking change, major release will be applied to the all dependants up the chain._
• Object mapping — configure different release types based on dependency severity:
{ major: "minor", minor: "patch", patch: "patch" }
This allows fine-grained control, e.g., major dependency bumps can trigger minor bumps instead of major bumps.

Note: Only dependencies, peerDependencies, and optionalDependencies trigger version bumps. devDependencies are updated but do not trigger releases. |
| prefix | '^' \| '~' \| '' | --deps.prefix | Optional prefix to be attached to the next version if bump is set to override. Supported values: ^ \| ~ \| '' (empty string) ; '' by default. |

$3

- Via CLI:

`sh
$ multi-semantic-release --ignore-packages=packages/a/,packages/b/ --deps.bump=inherit
`

- Using release mapping to control how dependency bumps trigger releases:

`json
{
"multi-release": {
"deps": {
"release": {
"major": "minor",
"minor": "patch",
"patch": "patch"
}
}
}
}
`

This configuration means:

- When a dependency has a major bump → trigger a minor bump for the dependent package
- When a dependency has a minor bump → trigger a patch bump for the dependent package
- When a dependency has a patch bump → trigger a patch bump for the dependent package

This is useful when you want to be more conservative about version bumps, e.g., major dependency changes don't necessarily require major bumps in your package.

Configuring Semantic-Release

MSR requires semrel config to be added in any supported format for each package or/and declared in repo root (globalConfig is extremely useful if all the modules have the same strategy of release).
NOTE config resolver joins globalConfig and packageConfig during execution.

`javascript
// Load the package-specific options.
const { options: pkgOptions } = await getConfig(dir);

// The 'final options' are the global options merged with package-specific options.
// We merge this ourselves because package-specific options can override global options.
const finalOptions = Object.assign({}, globalOptions, pkgOptions);
`

Make sure to have a workspaces attribute inside your package.json project file. In there, you can set a list of packages that you might want to process in the msr process, as well as ignore others. For example, let's say your project has 4 packages (i.e. a, b, c and d) and you want to process only a and d (ignore b and c). You can set the following structure in your package.json file:

`json
{
"name": "msr-__tests__-yarn",
"author": "Dave Houlbrooke "version": "0.0.0-semantically-released",
"private": true,
"license": "0BSD",
"engines": {
"node": ">=8.3"
},
"workspaces": ["packages/*", "!packages/b/", "!packages/c/"],
"release": {
"plugins": ["@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator"],
"noCi": true
}
}
`

You can also ignore it with the CLI:

`bash
$ multi-semantic-release --ignore-packages=packages/b/,packages/c/
`

You can also combine the CLI ignore options with the ! operator at each package inside workspaces attribute. Even though you can use the CLI to ignore options, you can't use it to set which packages to be released – i.e. you still need to set the workspaces attribute inside the package.json.

Verified usage examples

We use this tool to release our JS platform code inhouse (GitHub Enterprise + JB TeamCity) and for our OSS (GitHub + Travis CI). Guaranteed working configurations available in projects.

- anolilab/multi-semantic-release
- visulima/visulima
- qiwi/substrate
- qiwi/json-rpc
- qiwi/lint-config-qiwi

Troubleshooting

$3

When releasing a monorepo you may get a npm ERR! code ETARGET error. This is caused by npm version creating a reify update on packages with future dependency versions MSR has not updated yet.

The simplest work around is to set workspaces-update to false either in your .npmrc or manually by running npm config set workspaces-update false

$3

When releasing a monorepos you may get EINVALIDNPMTOKEN error. The more packages, the more chance of error, unfortunately.

`shell
INVALIDNPMTOKEN Invalid npm token.
The npm token (https://github.com/semantic-release/npm/blob/master/README.md#npm-registry-authentication) configured in the NPM_TOKEN environment variable must be a valid token (https://docs.npmjs.com/getting-started/working_with_tokens) allowing to publish to the registry https://registry.npmjs.org/.
`

Do not rush to change your token. _Perhaps_ this is related to npm whoami request throttling on your registry (just a hypothesis: https://github.com/semantic-release/npm/pull/416). At this point you can:

- Rerun your build as many times as necessary. You may get lucky in a new attempt.
- Use semrel-extra/npm plugin for npm publishing (recommended).

$3

This error seems to be related to concurrent git invocations (issues/24). Or maybe not.
Anyway we've added a special --sequental-init flag to queue up these calls.

Implementation notes (and other thoughts)

$3

Automatically finds packages as long as workspaces are configured as-per the workspace-feature of one of the support package managers.

- Yarn workspaces.
- Npm workspaces (Version 7.x)
- pnpm workspace
- bolt workspaces

I'm aware Lerna is the best-known tool right now, but in future it seems clear it will be replaced by functionality in Yarn and NPM directly. If you use Yarn workspaces today (January 2019), then publishing is the only remaining feature Lerna is _really_ required for (though it'd be lovely if Yarn added parallel script execution). Thus using multi-semantic-release means you can probably remove Lerna entirely from your project.

$3

Other packages that enable semantic-release for monorepos work by iterating into each package and running the semantic-release command. This is conceptually simple but unfortunately not viable because:

- If a package is published that depends on minor changes that have been made in a sibling package it could cause extremely subtle errors (the worst kind!) — if the project follows semver religiously this should never happen, but it's better to eliminate the _potential_ for errors
- Dependency version numbers need to reflect the _next_ release at time of publishing, so a package needs to know the state of _all other packages_ before it can publish correctly — this central state needs to be coordinated by something

$3

A key requirement is handling local dep version numbers elegantly. multi-semantic-release does the following:

- The next version number of all packages is established first
- If a release has not changed but has local deps that _have_ changed... do a patch bump on that package too
- Before packages are released (in semantic-release's prepare step), the correct current/next version number of _all_ local dependencies is written into the package.json file (overwriting any existing value)
- This ensures the package at the time of publishing will be atomically correct with all other packages in the monorepo.

Important: devDependencies are handled differently from runtime dependencies:

- devDependencies are updated in package.json when their versions change
- However, devDependencies do not trigger version bumps for the package itself
- Only dependencies, peerDependencies, and optionalDependencies can trigger version bumps when they change
- This aligns with semantic versioning principles, as devDependencies don't affect the published package's runtime behavior

The above means that, possibly, if someone upgrades dependencies and pulls down a package from NPM _during the multirelease_ (before all its deps have been published at their next versions), then their npm install will fail (it will work if they try again in a few minutes). On balance I thought it was more important to be atomically correct (this situation should be fairly rare assuming projects commit their lockfiles).

$3

This is the jankiest part of multi-semantic-release and most likely part to break relies. I expect this to cause maintenance issues down the line. In an ideal world semantic-release will bake-in support for monorepos (making this package unnecessary).

The way I ended up integrating is to create a custom "inline plugin" for semantic-release, and passing that in to semanticRelease() as the only plugin. This then calls any other configured plugins to retrieve and potentially modify the response.

The plugin starts all release at once, then pauses them (using Promises) at various points to allow other packages in the multirelease to catch up. This is mainly needed so the version number of all packages can be established _before_ any package is released. This allows us to do a patch bump on releases whose local deps have bumped, and to accurately write in the version of local deps in each package.json

The inline plugin does the following:

- verifyConditions: _not used_
- analyzeCommits:
- Replaces context.commits with a list of commits filtered to the folder only
- Calls plugins.analyzeCommits() to get the next release type (e.g. from @semantic-release/commit-analyzer)
- Waits for _all_ packages to catch up to this point.
- For packages that haven't bumped, checks if it has local deps (or deps of deps) that have bumped and returns patch if that's true
- verifyRelease: _not used_
- generateNotes:
- Calls plugins.generateNotes() to get the notes (e.g. from @semantic-release/release-notes-generator)
- Appends a section listing any local deps bumps (e.g. "my-pkg-2: upgraded to 1.2.1")
- prepare:
- Writes in the correct version for local deps in dependencies, devDependencies, peerDependencies in package.json
- Serialize the releases so they happen one-at-a-time (because semantic-release calls git push asynchronously, multiple releases at once fail because Git refs aren't locked — semantic-release should use execa.sync() so Git operations are atomic)
- publish: _not used_
- success: _not used_
- fail: _not used_

$3

The integration with semantic release is pretty janky — this is a quick summary of the reasons this package will be hard to maintain:

1. Had to filter context.commits object before it was used by @semantic-release/commit-analyzer (so it only lists commits for the corresponding directory).

- The actual Git filtering is easy peasy: see getCommitsFiltered.js
- But overriding context.commits was very difficult! I did it eventually creating an _inline plugin_ and passing it into semanticRelease() via options.plugins
- The inline plugin proxies between semantic release and other configured plugins. It does what it needs to then calls e.g. plugins.analyzeCommits() with an overridden context.commits — see createInlinePluginCreator.js
- I think this is messy — inline plugins aren't even documented :(

2. Need to run the analyze commit step on _all_ plugins before any proceed to the publish step

- The inline plugin returns a Promise for every package then waits for all packages to analyze their commits before resolving them one at a time
- If packages have local deps (e.g. dependencies in package.json points to an internal package) this step also does a patch bump if any of them did a bump.
- This has to work recursively! See hasChangedDeep.js

3. The configuration can be layered (i.e. global semantic-release cli) and then per-directory overrides for individual packages).

- Had to duplicate the internal cosmiconfig setup from semantic release to get this working :(

4. I found Git getting itself into weird states because e.g. git tag is done asynchronously

- To get around this I had to stagger package publishing so they were done one at a time (which slows things down)
- I think calls to execa() in semantic release should be replaced with execa.sync() to ensure Git's internal state is atomic.
- Fortunately, another workaround has been implemented. Synchronizer is the neat part. It is critical to make the tag and commit publishing phases strictly sequential. Event emitter allows:
- To synchronize release stages for all packages.
- To ensure the completeness of checks and the sufficiency of conditions for a conflict-free process.

$3

Releases always use a tagFormat of my-pkg-1@1.0.1 for Git tags, and always overrides any gitTag set in semantic-release configuration.

I can personally see the potential for this option in coordinating a semantic-release (e.g. so two packages with the same tag always bump and release simultaneously). Unfortunately with the points of integration available in semantic-release, it was effectively impossible when releasing to stop a second package creating a duplicate tag (causing an error).

To make the tagFormat option work as intended the following would need to happen:

- semantic-release needs to check if a given tag already exists at a given commit, and not create it / push it if that's true
- Release notes for multiple package releases need to be merged BUT the Github release only done once (by having the notes merged at the semantic-release level but only published once, or having the Github plugin merge them)
- Make it clear in documentation that the default tag v1.0.0` will have the same effect as Lerna's fixed mode (all changed monorepo packages released at same time)

Supported Node.js Versions

Libraries in this ecosystem make the best effort to track
Node.js' release schedule. Here's a
post on why we think this is important.

Contributing

If you would like to help take a look at the list of issues and check our Contributing guild.

> Note: please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

Credits

- Daniel Bannert
- All Contributors
- hanseltime -> https://github.com/qiwi/multi-semantic-release/pull/96
- lyh543 -> https://github.com/dhoulb/multi-semantic-release/issues/111
- dhoub/multi-semantic-release
- qiwi/multi-semantic-release

Made with ❤️ at Anolilab

This is an open source project and will always remain free to use. If you think it's cool, please star it 🌟. Anolilab is a Development and AI Studio. Contact us at hello@anolilab.com if you need any help with these technologies or just want to say hi!

License

0BSD

[license-badge]: https://img.shields.io/npm/l/@anolilab/multi-semantic-release?style=for-the-badge
[license]: https://github.com/anolilab/multi-semantic-release/blob/main/LICENSE
[npm-downloads-badge]: https://img.shields.io/npm/dm/@anolilab/multi-semantic-release?style=for-the-badge
[npm-downloads]: https://www.npmjs.com/package/@anolilab/multi-semantic-release
[prs-welcome-badge]: https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=for-the-badge
[prs-welcome]: https://github.com/anolilab/multi-semantic-release/blob/main/.github/CONTRIBUTING.md
[chat-badge]: https://img.shields.io/discord/902465130518949899.svg?style=for-the-badge
[chat]: https://discord.gg/TtFJY8xkFK
[typescript-badge]: https://img.shields.io/badge/Typescript-294E80.svg?style=for-the-badge&logo=typescript
[typescript-url]: https://www.typescriptlang.org/
[license-url]: LICENSE.md