4.1.1

Fixed

• Create output dir properly if needed (via #1377)

---

What's Changed

• chore(deps): bump the eslint group across 1 directory with 3 updates by @dependabot[bot] in #1375
• chore(deps): bump knip from 5.66.3 to 5.66.4 in /tools/test-dependencies by @dependabot[bot] in #1376
• refactor: simplify and modernize by @jkowalleck in #1378
• fix: properly create outpur dir if needed by @jkowalleck in #1377
• refactor: remove structuredClonePolyfill by @jkowalleck in #1381
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1379
• chore(deps): bump knip from 5.66.4 to 5.68.0 in /tools/test-dependencies by @dependabot[bot] in #1380
• chore: dependabot dir adjustments by @jkowalleck in #1382

Full Changelog: v4.1.0...v4.1.1

4.1.1-rc.0

Signed-off-by: jkowalleck <jkowalleck@users.noreply.github.com>

4.1.0

• Added
  • Reproducible SBOM results have Metadata's property cdx:reproducible populated (#1054 via #1373)
    See the official property taxonomy cdx for details.
• Build
  • Use TypeScript v5.9.3 now, was v5.9.2 (via #1356)

---

What's Changed

• chore(deps): bump knip from 5.63.1 to 5.64.1 in /tools/test-dependencies by @dependabot[bot] in #1355
• chore(deps): bump the eslint group across 1 directory with 3 updates by @dependabot[bot] in #1354
• chore(deps): bump knip from 5.64.1 to 5.64.3 in /tools/test-dependencies by @dependabot[bot] in #1360
• chore(deps-dev): bump jest from 30.1.3 to 30.2.0 in the jest group across 1 directory by @dependabot[bot] in #1358
• chore(deps): bump the eslint group across 1 directory with 5 updates by @dependabot[bot] in #1359
• chore(deps-dev): bump typescript from 5.9.2 to 5.9.3 in the typescript group across 1 directory by @dependabot[bot] in #1356
• chore: package-manager-cache: false by @jkowalleck in #1361
• chore(deps): bump knip from 5.64.3 to 5.66.0 in /tools/test-dependencies by @dependabot[bot] in #1364
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1362
• chore(deps): bump knip from 5.66.0 to 5.66.1 in /tools/test-dependencies by @dependabot[bot] in #1365
• chore: remove lift config by @jkowalleck in #1366
• chore(deps): bump eslint-plugin-jsdoc from 61.1.4 to 61.1.5 in /tools/code-style in the eslint group across 1 directory by @dependabot[bot] in #1367
• chore(deps): bump actions/download-artifact from 5 to 6 by @dependabot[bot] in #1369
• chore(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #1370
• chore(deps): bump knip from 5.66.1 to 5.66.3 in /tools/test-dependencies by @dependabot[bot] in #1372
• chore(deps): bump the eslint group across 1 directory with 2 updates by @dependabot[bot] in #1371
• feat: render property cdx:reproducible by @AradhyaTiwari10 in #1373

New Contributors

• @AradhyaTiwari10 made their first contribution in #1373

Full Changelog: v4.0.3...v4.1.0

4.0.3

Fixed

• If reproducible flag enabled, SBOM result's bom-ref for alias/duplicated components are reproducible (#1351 via #1352)

---

What's Changed

• fix: have unique bomRefs for duplicated package installs by @jkowalleck in #1352
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1348
• chore(deps): bump the eslint group across 1 directory with 5 updates by @dependabot[bot] in #1353

Full Changelog: v4.0.2...v4.0.3

4.0.2

Maintenance release

Runtime Dependencies

• Support @cyclonedx/cyclonedx-library@^9.0.0, was @^8.4.0 (via #1349)

---

What's Changed

• chore(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in #1346
• chore(deps): bump the eslint group across 1 directory with 3 updates by @dependabot[bot] in #1347
• feat: support cyclonedx-library v9.0.0 by @jkowalleck in #1349

Full Changelog: v4.0.1...v4.0.2

4.0.1

Runtime Dependencies

• Support normalize-package-data@^8.0.0, was @^7.0.0 (via #1327)

Build

• Use TypeScript v5.9.2 now, was v5.8.3 (via #1332)

---

What's Changed

• chore(dev-deps): update dev-tools deps by @jkowalleck in #1310
• chore(deps): bump typescript-eslint from 8.27.0 to 8.34.1 in /tools/code-style by @dependabot[bot] in #1312
• chore(deps): bump the eslint group across 1 directory with 6 updates by @dependabot[bot] in #1311
• chore(deps): bump typescript-eslint from 8.34.1 to 8.35.0 in /tools/code-style by @dependabot[bot] in #1315
• chore(deps): bump the eslint group across 1 directory with 3 updates by @dependabot[bot] in #1313
• chore(deps-dev): bump jest from 30.0.2 to 30.0.3 in the jest group across 1 directory by @dependabot[bot] in #1314
• chore(deps-dev): bump jest from 30.0.3 to 30.0.4 in the jest group across 1 directory by @dependabot[bot] in #1317
• chore: QA tool to detect missing dependencies by @jkowalleck in #1321
• chore(deps): bump the eslint group across 1 directory with 6 updates by @dependabot[bot] in #1322
• chore(deps): bump knip from 5.61.3 to 5.62.0 in /tools/test-dependencies by @dependabot[bot] in #1324
• tests: omit dev/optional/peer by @jkowalleck in #1329
• chore(deps-dev): bump jest from 30.0.4 to 30.0.5 in the jest group across 1 directory by @dependabot[bot] in #1326
• refactor: rename private makeExtRefDistFromPachageData -> makeExtRefDistFromPackageData by @jkowalleck in #1331
• tests: refactor cliWrapper -> cliWrapperPath by @jkowalleck in #1334
• chore(deps): bump the eslint group across 1 directory with 5 updates by @dependabot[bot] in #1333
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1335
• chore(deps): bump actions/download-artifact from 4 to 5 by @dependabot[bot] in #1336
• chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #1337
• chore(deps): bump knip from 5.62.0 to 5.63.0 in /tools/test-dependencies by @dependabot[bot] in #1339
• chore(deps-dev): bump jest from 30.0.5 to 30.1.1 in the jest group across 1 directory by @dependabot[bot] in #1341
• chore(deps): bump the eslint group across 1 directory with 5 updates by @dependabot[bot] in #1342
• chore(deps-dev): bump typescript from 5.8.3 to 5.9.2 in the typescript group across 1 directory by @dependabot[bot] in #1332
• chore(deps): support normalize-package-data v8.0.0 by @dependabot[bot] in #1327
• chore(deps): bump knip from 5.63.0 to 5.63.1 in /tools/test-dependencies by @dependabot[bot] in #1345
• chore(deps): bump the eslint group across 1 directory with 2 updates by @dependabot[bot] in #1343
• chore(deps-dev): bump jest from 30.1.1 to 30.1.3 in the jest group across 1 directory by @dependabot[bot] in #1344

Full Changelog: v4.0.0...v4.0.1

4.0.0

BREAKING Changes

• SBOM results might have slightly changed (via #1307)

Fixed

• External dependency edge-cases are now properly nested (via #1307)

Changed

• SBOM result's bom-ref is prefixed with parent-component's one to ensure uniqueness (via #1307)
• Uses only trusted data from npm-ls internally (via #1307)
  No changes in data quality are expected.

---

What's Changed

• tests: fix flat prepared tests by @jkowalleck in #1308
• feat: prefer trusted data, fix external deps edge-cases by @jkowalleck in #1307
• chore(deps-dev): bump jest from 30.0.0 to 30.0.2 in the jest group by @dependabot in #1309

Full Changelog: v3.1.0...v4.0.0

3.1.0

Changed

• Utilizes license file gatherer of @cyclonedx/cyclonedx-library, previously used own implementation (via #1303)

Runtime Dependencies

• Raised @cyclonedx/cyclonedx-library@^8.4.0, was @^8.0.0 (via #1301, #1303)
• Raised commander@^14.0.0, was @^13.1.0 (via #1297)

---

What's Changed

• chore(deps-dev): bump npm-run-all2 from 7.0.2 to 8.0.1 by @dependabot in #1294
• chore: add workflow permissions by @jkowalleck in #1298
• chore(deps): bump commander from 13.1.0 to 14.0.0 by @dependabot in #1297
• ci: use node24 by @jkowalleck in #1299
• feat: gather more info for bundled dependencies by @jkowalleck in #1301
• feat: use CDX-library's license evidence gathering by @jkowalleck in #1303
• chore(deps-dev): bump jest from 29.7.0 to 30.0.0 in the jest group by @dependabot in #1305

Full Changelog: v3.0.0...v3.1.0

3.0.1-alpha.0

Signed-off-by: jkowalleck <jkowalleck@users.noreply.github.com>

3.0.0

BREAKING Changes

• Dropped support for node<20.18.0 (#1192 via #1273)
• Dropped support for npm<9 (#1274 via #1273, #1277)

Added

• CLI switch -o as shorthand for --output-file (#1282 via #1288)
• CLI switch --of as shorthand for --outout-format (#1282 via #1288)
• CLI switch --sv as shorthand for --spec-version (#1282 via #1288)

Fixed

• License gathering correctly ignores symlinks and directories (#1290 via #1291)

Runtime Dependencies

• Raised @cyclonedx/cyclonedx-library@^8.0.0, was @^7.0.0 (via #1281)
• Raised commander@^13.1.0, was @^10.0.0 (via #1281, #1288)
• Raised normalize-package-data@^7.0.0, was @^3||^4||^5||^6 (via #1281)

Build

• Use TypeScript v5.8.3 now, was v5.7.3 (via #1267, #1289)

---

What's Changed

• remove node < 20.18 & remove npm < 8.7 by @jkowalleck in #1273
• feat!: drop support for npm<9 by @jkowalleck in #1277
• chore(deps): use npm-run-all2@^7 by @jkowalleck in #1276
• refactors by @jkowalleck in #1278
• chore(deps-dev): bump typescript from 5.7.3 to 5.8.2 in the typescript group by @dependabot in #1267
• deps: bunp runtime 20250330 by @jkowalleck in #1281
• refactor: tune pipes by @jkowalleck in #1280
• chore: slight refactor and coverage with c8 by @jkowalleck in #1285
• chore: cs-fixer own tool by @jkowalleck in #1284
• feat: CLI shorthands by @jkowalleck in #1288
• fix: folder "LICENSES" causes crashes when gathering licenses by @jkowalleck in #1291
• chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 in the typescript group by @dependabot in #1289

Full Changelog: v2.1.0...v3.0.0