Right now, our main releases are automated through travis. We are manually publishing canary versions for 4.0 as a one-off, but soon (likely 5.0) we'll be moving to semantic-release, meaning all releases will be fully automated and only ever main (not alpha/beta/canary/whatever) releases.
First of all, I'm very sorry you had issues with this incident.
I did the publish together with @lucasfcosta and we did use --tag=canary, but somehow it got published as latest.
You can read more about this incident here
Just want to reiterate for crystal clarity - our solution for preventing this in the future will be semantic-release. We're already rolling out semantic-release to sub-projects. All releases will be handled by semantic-releases - by scanning the commit logs or code for what has changed.
As for backports, I don't think semantic-release has a full solution for backporting - but we haven't backported fixes since I've been here. We effectively (implicitly I suppose) only support the latest version of chai.
Hi @ljharb, first of all I'd like to apologize for this, I'm sorry this caused you problems 😓
Me and @vieiralucas were extra careful when releasing 4.0.0 and we prepared and tested every single command in a dummy package before running them, but before doing the release itself we ended up adding a new tag on the repo for the canary release and this ended up automatic releasing that version as latest.
As it has already been said, I also agree that manual releases are safer, but given the strict rules we've got on other repos for semantic-release I think this problem can also be solved that way.
Thanks for your feedback and sorry again for breaking your build, it's great to hear our user's feedback!
Have a nice day 😄