For many years, NSS has followed semver with branch protection and reviews. Since December 2025, CI was changed to publish hash-versioned packages on every push and PR, creating new versions on each commit regardless of whether functionality has changed.

Suggested fix:

• Remove the hash-based npm-publish-build job, or
• Add a version-exists check to prevent duplicate publishes.