4.0.0

BREAKING Changes

• SBOM results might have slightly changed (via #1307)

Fixed

• External dependency edge-cases are now properly nested (via #1307)

Changed

• SBOM result's bom-ref is prefixed with parent-component's one to ensure uniqueness (via #1307)
• Uses only trusted data from npm-ls internally (via #1307)
  No changes in data quality are expected.

---

What's Changed

• tests: fix flat prepared tests by @jkowalleck in #1308
• feat: prefer trusted data, fix external deps edge-cases by @jkowalleck in #1307
• chore(deps-dev): bump jest from 30.0.0 to 30.0.2 in the jest group by @dependabot in #1309

Full Changelog: v3.1.0...v4.0.0

3.1.0

Changed

• Utilizes license file gatherer of @cyclonedx/cyclonedx-library, previously used own implementation (via #1303)

Runtime Dependencies

• Raised @cyclonedx/cyclonedx-library@^8.4.0, was @^8.0.0 (via #1301, #1303)
• Raised commander@^14.0.0, was @^13.1.0 (via #1297)

---

What's Changed

• chore(deps-dev): bump npm-run-all2 from 7.0.2 to 8.0.1 by @dependabot in #1294
• chore: add workflow permissions by @jkowalleck in #1298
• chore(deps): bump commander from 13.1.0 to 14.0.0 by @dependabot in #1297
• ci: use node24 by @jkowalleck in #1299
• feat: gather more info for bundled dependencies by @jkowalleck in #1301
• feat: use CDX-library's license evidence gathering by @jkowalleck in #1303
• chore(deps-dev): bump jest from 29.7.0 to 30.0.0 in the jest group by @dependabot in #1305

Full Changelog: v3.0.0...v3.1.0

3.0.1-alpha.0

Signed-off-by: jkowalleck <[email protected]>

3.0.0

BREAKING Changes

• Dropped support for node<20.18.0 (#1192 via #1273)
• Dropped support for npm<9 (#1274 via #1273, #1277)

Added

• CLI switch -o as shorthand for --output-file (#1282 via #1288)
• CLI switch --of as shorthand for --outout-format (#1282 via #1288)
• CLI switch --sv as shorthand for --spec-version (#1282 via #1288)

Fixed

• License gathering correctly ignores symlinks and directories (#1290 via #1291)

Runtime Dependencies

• Raised @cyclonedx/cyclonedx-library@^8.0.0, was @^7.0.0 (via #1281)
• Raised commander@^13.1.0, was @^10.0.0 (via #1281, #1288)
• Raised normalize-package-data@^7.0.0, was @^3||^4||^5||^6 (via #1281)

Build

• Use TypeScript v5.8.3 now, was v5.7.3 (via #1267, #1289)

---

What's Changed

• remove node < 20.18 & remove npm < 8.7 by @jkowalleck in #1273
• feat!: drop support for npm<9 by @jkowalleck in #1277
• chore(deps): use npm-run-all2@^7 by @jkowalleck in #1276
• refactors by @jkowalleck in #1278
• chore(deps-dev): bump typescript from 5.7.3 to 5.8.2 in the typescript group by @dependabot in #1267
• deps: bunp runtime 20250330 by @jkowalleck in #1281
• refactor: tune pipes by @jkowalleck in #1280
• chore: slight refactor and coverage with c8 by @jkowalleck in #1285
• chore: cs-fixer own tool by @jkowalleck in #1284
• feat: CLI shorthands by @jkowalleck in #1288
• fix: folder "LICENSES" causes crashes when gathering licenses by @jkowalleck in #1291
• chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 in the typescript group by @dependabot in #1289

Full Changelog: v2.1.0...v3.0.0

2.1.0

Added

• Functionality for workspaces (#1126 via #1212)
  This introduces new CLI options/switches: --workspace, --no-workspaces, --[no-]include-workspace-root.
  See the docs for details.

---

What's Changed

• feat: add support for targetting specific workspaces by @MalickBurger in #1212
• docs: update project contributors by @MalickBurger in #1269
• fix: update json issue in package.json by @MalickBurger in #1270
• tests: additional CLI tests for workspaces by @jkowalleck in #1271

New Contributors

• @MalickBurger made their first contribution in #1212

Full Changelog: v2.0.0...v2.1.0

2.0.0

BREAKING Changes

• CLI option --spec-version defaults to 1.6, was 1.4 (#1173 via #1258)
• Emit $.metadata.tools as components (#1233 via #1235)
  This affects only CycloneDX spec-version 1.5 and later.
• Emitted .purl values might be partially url-encoded (via #1235)
  This is caused by changes on underlying 3rd-party dependency packageurl-js.
• Create dir for output file if not exists (#1241 via #1242)
  This is only a breaking change if you relied on non-existent result paths to cause errors.

Misc

• Raised dependency @cyclonedx/cyclonedx-library@^7.0.0, was @^6.11.0 (via #1235)

---

What's Changed

• refactor: move versionCompare to internal helpers by @jkowalleck in #1256
• refactor: rename properties to cdx by @jkowalleck in #1257
• feat: create dir for output file by @cuhland in #1242
• feat: tools as components by @jkowalleck in #1235
• feat!: CLI option spec-version defaults to 1.6 by @jkowalleck in #1258

Full Changelog: v1.20.0...v2.0.0

1.20.0

Added

• Official support for npm@11 (#1245 via #1249)
• Capability to gather license text evidences (#256 via #1243)
  This feature can be controlled via CLI switch --gather-license-texts.
  This feature is experimental. This feature is disabled per default.

Dependencies

• No longer directly depend on packageurl-js (via #1237)

Build

• Use TypeScript v5.7.3 now, was v5.5.3 (via #1209, #1218, #1255)

---

What's Changed

• chore(deps-dev): bump typescript from 5.5.3 to 5.5.4 in the typescript group by @dependabot in #1209
• tests: WS and project extra unused by @jkowalleck in #1215
• chore(deps-dev): bump typescript from 5.5.4 to 5.6.2 in the typescript group by @dependabot in #1218
• chore: collect demo data with npm-ls args by @jkowalleck in #1230
• tests: restructure integration tests by @jkowalleck in #1231
• tests: less unnessessarry tests by @jkowalleck in #1236
• chore(deps): no longer depend on dependency packageurl-js by @jkowalleck in #1237
• feat: Add license text as evidence by @cuhland in #1243
• style: reorder CLI params by @jkowalleck in #1247
• build: do not bundle sourvcemaps by @jkowalleck in #1248
• refactor: copy/past mime-helpers by @jkowalleck in #1246
• feat: support npm11 by @jkowalleck in #1249
• refactor: structuredClonePolyfill to helpers by @jkowalleck in #1250
• chore(deps-dev): bump typescript from 5.6.2 to 5.7.3 in the typescript group by @dependabot in #1255

New Contributors

• @cuhland made their first contribution in #1243

Full Changelog: v1.19.3...v1.20.0

1.19.3

Dependencies

• Raised runtime dependency @cyclonedx/cyclonedx-library@^6.11.0, was @^6.6.0 (via #1205)
  This was done to incorporate non-breaking upstream changes and fixes.

Build

• Use TypeScript v5.5.3 now, was v5.4.5 (via #1201)

---

What's Changed

• Raised runtime dependency @cyclonedx/cyclonedx-library@^6.11.0 by @jkowalleck in #1205
• chore(deps): bum [email protected] by @jkowalleck in #1206
• chore(deps-dev): bump typescript from 5.4.5 to 5.5.3 in the typescript group across 1 directory by @dependabot in #1201

Full Changelog: v1.19.2...v1.19.3

1.19.2

Fixed

• CycloneDX externalReferences for vcs type (#1198 via #1202)
• CycloneDX property cdx:npm:package:path's value on Windows systems (via #1203)

---

What's Changed

• tests: tests are less noisy by @jkowalleck in #1194
• tests: more tests by @jkowalleck in #1195
• fix: path property on windows by @jkowalleck in #1203
• fix: vcs url git ssh by @jkowalleck in #1202

Full Changelog: v1.19.0...v1.19.2

1.19.0

Changed

• Try to sanitize distribution URLs (via #1187, #1191)

Added

• More debug output when it comes to package manifest loading (via #1189)

Misc

• Added direct dependency hosted-git-info@^4||^5||^6||^7 (via #1191)
  This is also a transitive dependency via already existing direct dependency normalize-package-data.

---

What's Changed

• test: alternative package registry by @jkowalleck in #1186
• feat: try sanitize dist urls by @jkowalleck in #1187
• feat: more debug when loading package manifests by @jkowalleck in #1189
• feat: git url sanitation by @jkowalleck in #1191

Full Changelog: v1.18.0...v1.19.0