Releases · CycloneDX/cyclonedx-node-npm

17 May 17:31

v1.12.0

6020911

1.12.0

Based on OWASP Software Component Verification Standard for Software Bill of Materials (SCVS SBOM) criteria, this tool is now capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
Affective changes based on these SCVS SBOM criteria:

2.15 — SPDX license expression detection improved (via #726)
2.18 — SHA-1 integrity hash detection added (#699 via #735)

Changes

SPDX license expression detection improved (via #726)
Previously, some expressions were not properly detected, so they were marked as named-license in the SBOM results.
They should be marked as expression, now.

Added

Added detection for package integrity with SHA-1 (#699 via #735)

Misc

Raised dependency @cyclonedx/cyclonedx-library@^2.0.0, was @^1.14.0 (via #726)

Full Changelog: v1.11.0...v1.12.0

Assets 2

27 Apr 08:12

github-actions

v1.11.0

f464035

1.11.0

Added

SBOM result might be validated (via #660)
This feature is enabled per default and can be disabled via CLI switch --no-validate.
Validation is skipped, if requirements are not met. Requires transitive optional dependencies

Full Changelog: v1.10.0...v1.11.0

Assets 2

17 Apr 10:29

github-actions

v1.10.0

368d081

1.10.0

Added

SBOM result might have component.scope=optional populated for OptionalDependencies (#645 via #657)

Fixed

DevDependencies that are also required by OptionalDependencies correctly have the property cdx:npm:package:development populated in SBOM results (#645 via #657)
DevDependencies that are also required by OptionalDependencies are correctly omitted from SBOM results, when the CLI switch for omitting "dev" and "optional" are set (#645 via #657)

Docs

Describe internal NPM executable detection in README (via #647)

Build

Use TypeScript v5.0.4 now, was v4.9.5 (via #638)

Full Changelog: v1.9.2...v1.10.0

New Contributors

@igord made their first contribution in #647

Contributors

igord

Assets 2

30 Mar 14:26

github-actions

v1.9.2

3056b93

1.9.2

Fixed

No longer omit components' version's buildID (#551 via #597)
Fixed for NPM>=7 only. NPM6 omits this information in the first place, still.

Misc

Utilize SerialNumber generator from @cyclonedx/cyclonedx-library@^1.13 (via #599)
The previously used internal code was donated to that library.

Full Changelog: v1.9.1...v1.9.2

Assets 2

15 Mar 12:53

github-actions

v1.9.1

62ebef0

1.9.1

Docs

added section "How it works" to the README (via #563)

Full Changelog: v1.9.0...v1.9.1

Assets 2

03 Mar 09:10

github-actions

v1.9.0

8c2fbc7

1.9.0

Changed

Detected node packages' metadata are now normalized, before translation to SBOM components happens. (#536 via #537)
This might increase the quality of SBOM results.

Full Changelog: v1.8.0...v1.9.0

Assets 2