Evan Carroll

@rene84 I had this working in my by fork, fyi. https://github.com/semantic-release/semantic-release/compare/master...EvanCarroll:semantic-release:master#diff-3d464ef33ea10184a2faab420f7980eaedb53ad4c88aeb788fbc5a932eeebf16R19

@flickerfly That comment would be more useful with a link and some research. ;) If you need tags, you need more than `CI_JOB_TOKEN`. That's not to say it's not useful....

While I do believe this is a security bug because of the implications on GitHub, it's not technically a security bug as I read it [because of this text,](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-codeowners-to-monitor-changes) >...

> Does --ignore-scripts actually not work with pack/publish, regardless of whether it's documented? I would assume it works everywhere. No, it doesn't work. =( But we're in agreement, it should....

Maybe as a side note, if we're all in agreement that Husky is crazy in even suggesting this we can at least send them an issue to [remove this from...

I've never seen `npm pack` referred to as a build stage, and that's not how [the docs refer to it](https://docs.npmjs.com/cli/v6/commands/npm-pack), > Create a tarball from a package I think everything...

I don't understand why you'd want that. As compared to just running `npm run build; npm pack`. I've never seen anyone calling `build` from `pack`. But either way, we're in...

> Why should they have that option? Unlike npm install, this is your own project's scripts. If you don't want them to run, don't have them in there. The point...

Because security isn't about "lobbying" actors to be good. It's about protecting against innocent mistakes, and malice. Developers need to be able to modify the package.json -- that's how they...

>  This whole project is stupid. Warp is calling their terminal "modern" and doesn't even support the fonts of the gods with ligatures. My terminal will never be closed...