feat: init @semantic-release/core

[babblebey]

Phase 1: Repository and Package Scaffolding

Objective: Introduce package boundaries with minimal behavior change.

Checklist:

• Create packages/core (or equivalent) with package metadata for @semantic-release/core.
• Move/copy core files (index.js, lib/, type definitions) into core package structure.
• Set module exports/types fields correctly for ESM consumers.
• Add package-level tests/lint config wiring for core.

Deliverables:

• Buildable/installable @semantic-release/core package in repository.
• CI can run tests against both wrapper and core packages. (Core package side scaffolding complete; wrapper CI wiring remains for Phase 3/4 integration.)

Phase 2: Core Decoupling and Default Behavior Ownership

Objective: Make core fully composable and remove default plugin assumptions from core.

Checklist:

• Change core config defaults so plugins is empty in core package.
• Add explicit validation and actionable error when required steps are missing (e.g., analyzeCommits).
• Isolate or inject terminal rendering formatter to avoid hard dependency on CLI-oriented renderer.
• Ensure core does not depend on wrapper-only dependencies (yargs, CLI-only renderer packages).
• Keep plugin loading behavior and plugin step contracts unchanged.

Deliverables:

• Core runs with user-provided plugin lists.
• Core fails fast with clear messages when mandatory lifecycle setup is missing.

Phase 3: Wrapper Package Compatibility Layer (semantic-release)

Objective: Preserve existing user behavior by making semantic-release a thin adapter.

Checklist:

• Update wrapper index.js to delegate execution to @semantic-release/core.
• Preserve exported API shape currently expected by programmatic users.
• Keep CLI in wrapper package and maintain current option parsing/flags.
• Inject current default plugin list from wrapper to emulate existing behavior.
• Verify wrapper still masks sensitive output and preserves current logging style.

Deliverables:

• Existing semantic-release commands work with no user config changes.
• Wrapper package owns defaults and CLI while core remains neutral.

Reference: https://github.com/semantic-release/semantic-release/tree/feat/core-integration

Phase 4: Test Strategy and Regression Hardening

Objective: Prove no regressions in wrapper and expected behavior in core.

Checklist:

• Add/adjust unit tests for core defaults and validation errors.
• Add wrapper tests proving default plugin behavior parity with pre-split behavior.
• Add integration tests for custom plugin stacks using @semantic-release/core.
• Validate dry-run behavior, branch constraints, and fail/success hooks across both packages.
• Ensure snapshot/log-output tests account for formatter abstraction changes.

Deliverables:

• Green focused test matrix covering core standalone usage and wrapper compatibility.
• Clear evidence of behavior parity for existing users.

Phase 4.5: Cracking core 😤

Objective: Make core composable and IMPERATIVELY 100% backward compactible to semantic-release

Checklist:

• Pack @semantic-release/commit-analyzer as default core plugin with fallback support - support cases below
  • When built plugin pipeline has no analyzeCommit step implementation - fallback to core's packed @semantic-release/commit-analyzer
• Support inline/direct plugins composition allowing user to pass plugin configuration with plain array object/sting to core
  • Build plugin pipeline from input
  • Make direct composition highest priority for plugin ahead of config (releaserc) file's plugins field, including ones built from sharable config - making direct composition the most authoritative plugin source
• Keep support for config-driven plugins passable to core
  • Plugin pipeline is already built from this with getConfig - so expose this as an api from core
• Support semantic-release default 4 plugins (@semantic-release/commit-analyzer, @semantic-release/release-notes-generator, @semantic-release/npm, @semantic-release/github) regardless of core having its own 1 default plugin (@semantic-release/commit-analyzer)
  • Assume semantic-release a wrapper built on core, allow wrappers the ability to build their own default config/plugins with fallback support to core commit analyzer when wrapper's default does not have any plugin that implements the analyzeCommits step
  • Support normal config overriding/prioritization behavior when a release config file is present regardless of default with fallback support to core's packed commit analyzer when wrapper's default or consumer's config does not have any plugin that implements the analyzeCommits step
• Accept marked-terminal instance as args to render terminal markdown???
• ......new requirement?????

Deliverables

• semantic-release/core installable in semantic-release with zero breaking

Phase 5: Documentation and Migration Guidance

Objective: Make adoption and upgrade path clear.

Checklist:

• Add @semantic-release/core usage docs with minimal and advanced examples.
• Update semantic-release docs to explain default behavior remains and where customization lives.
• Publish migration guidance for users who want custom CLIs/plugin stacks.
• Document dependency ownership (what is bundled in wrapper vs expected in core consumers).
• Update TypeScript examples for both packages.

Deliverables:

• Updated docs website (target https://semantic-release.org/developer-guide/js-api) and README sections for both package audiences.
• Migration notes suitable for release announcement/changelog.

Phase 6: Release and Rollout

Objective: Ship safely with clear communication and rollback options.

Checklist:

• Publish @semantic-release/core initial version with release notes.
• Publish updated semantic-release wrapper release with explicit compatibility notes.
• Monitor issue tracker for integration and plugin-resolution regressions.
• Prepare patch follow-up path for wrapper compatibility issues.
• Collect user feedback on core composability and CLI extension experience.

Deliverables:

• Stable release of both packages.
• Post-release triage checklist executed.

---

Related Issue

• Proposal: Extract @semantic-release/core package to enable composable release pipelines semantic-release#4072

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​semantic-release/​error@​4.0.0
	resolve-from@​5.0.0
	p-each-series@​3.0.0
	p-reduce@​3.0.0
	signale@​1.4.0
	lodash-es@​4.18.1
	git-log-parser@​1.2.1
	aggregate-error@​5.0.0
	import-from-esm@​2.0.0
	figures@​6.1.0
	read-package-up@​12.0.0
	hook-std@​4.0.0
	get-stream@​6.0.1
	tempy@​3.2.0
	execa@​9.6.1
	debug@​4.4.3
	@​semantic-release/​commit-analyzer@​13.0.1
	micromatch@​4.0.8
	env-ci@​11.2.0
	testdouble@​3.20.2
	fs-extra@​11.3.5
	ava@​8.0.1
	cosmiconfig@​9.0.1
	sinon@​22.0.0
	prettier@​3.8.3
	hosted-git-info@​9.0.3
	semver@​7.8.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @pnpm/network.ca-file is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/@semantic-release/commit-analyzer@13.0.1 → npm/@pnpm/network.ca-file@1.0.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pnpm/network.ca-file@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm execa is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/execa@9.6.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/execa@9.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm highlight.js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/@semantic-release/commit-analyzer@13.0.1 → npm/highlight.js@10.7.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/highlight.js@10.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/cosmiconfig@9.0.1 → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm npm is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/@semantic-release/commit-analyzer@13.0.1 → npm/npm@11.16.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm npm is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/@semantic-release/commit-analyzer@13.0.1 → npm/npm@11.16.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[gr2m]

Phase 6: Release and Rollout

Objective: Ship safely with clear communication and rollback options.

Checklist:

• Publish @semantic-release/core initial version with release notes.
• Publish updated semantic-release wrapper release with explicit compatibility notes.
• Monitor issue tracker for integration and plugin-resolution regressions.
• Prepare patch follow-up path for wrapper compatibility issues.
• Collect user feedback on core composability and CLI extension experience.

Deliverables:

• Stable release of both packages.
• Post-release triage checklist executed.

I would add a follow up issue with the above checklist as deliverable