3.0.0

BREAKING Changes

• Dropped support for node<20.18.0 (#1192 via #1273)
• Dropped support for npm<9 (#1274 via #1273, #1277)

Added

• CLI switch -o as shorthand for --output-file (#1282 via #1288)
• CLI switch --of as shorthand for --outout-format (#1282 via #1288)
• CLI switch --sv as shorthand for --spec-version (#1282 via #1288)

Fixed

• License gathering correctly ignores symlinks and directories (#1290 via #1291)

Runtime Dependencies

• Raised @cyclonedx/cyclonedx-library@^8.0.0, was @^7.0.0 (via #1281)
• Raised commander@^13.1.0, was @^10.0.0 (via #1281, #1288)
• Raised normalize-package-data@^7.0.0, was @^3||^4||^5||^6 (via #1281)

Build

• Use TypeScript v5.8.3 now, was v5.7.3 (via #1267, #1289)

---

What's Changed

• remove node < 20.18 & remove npm < 8.7 by @jkowalleck in #1273
• feat!: drop support for npm<9 by @jkowalleck in #1277
• chore(deps): use npm-run-all2@^7 by @jkowalleck in #1276
• refactors by @jkowalleck in #1278
• chore(deps-dev): bump typescript from 5.7.3 to 5.8.2 in the typescript group by @dependabot in #1267
• deps: bunp runtime 20250330 by @jkowalleck in #1281
• refactor: tune pipes by @jkowalleck in #1280
• chore: slight refactor and coverage with c8 by @jkowalleck in #1285
• chore: cs-fixer own tool by @jkowalleck in #1284
• feat: CLI shorthands by @jkowalleck in #1288
• fix: folder "LICENSES" causes crashes when gathering licenses by @jkowalleck in #1291
• chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 in the typescript group by @dependabot in #1289

Full Changelog: v2.1.0...v3.0.0

2.1.0

Added

• Functionality for workspaces (#1126 via #1212)
  This introduces new CLI options/switches: --workspace, --no-workspaces, --[no-]include-workspace-root.
  See the docs for details.

---

What's Changed

• feat: add support for targetting specific workspaces by @MalickBurger in #1212
• docs: update project contributors by @MalickBurger in #1269
• fix: update json issue in package.json by @MalickBurger in #1270
• tests: additional CLI tests for workspaces by @jkowalleck in #1271

New Contributors

• @MalickBurger made their first contribution in #1212

Full Changelog: v2.0.0...v2.1.0

2.0.0

BREAKING Changes

• CLI option --spec-version defaults to 1.6, was 1.4 (#1173 via #1258)
• Emit $.metadata.tools as components (#1233 via #1235)
  This affects only CycloneDX spec-version 1.5 and later.
• Emitted .purl values might be partially url-encoded (via #1235)
  This is caused by changes on underlying 3rd-party dependency packageurl-js.
• Create dir for output file if not exists (#1241 via #1242)
  This is only a breaking change if you relied on non-existent result paths to cause errors.

Misc

• Raised dependency @cyclonedx/cyclonedx-library@^7.0.0, was @^6.11.0 (via #1235)

---

What's Changed

• refactor: move versionCompare to internal helpers by @jkowalleck in #1256
• refactor: rename properties to cdx by @jkowalleck in #1257
• feat: create dir for output file by @cuhland in #1242
• feat: tools as components by @jkowalleck in #1235
• feat!: CLI option spec-version defaults to 1.6 by @jkowalleck in #1258

Full Changelog: v1.20.0...v2.0.0

1.20.0

Added

• Official support for npm@11 (#1245 via #1249)
• Capability to gather license text evidences (#256 via #1243)
  This feature can be controlled via CLI switch --gather-license-texts.
  This feature is experimental. This feature is disabled per default.

Dependencies

• No longer directly depend on packageurl-js (via #1237)

Build

• Use TypeScript v5.7.3 now, was v5.5.3 (via #1209, #1218, #1255)

---

What's Changed

• chore(deps-dev): bump typescript from 5.5.3 to 5.5.4 in the typescript group by @dependabot in #1209
• tests: WS and project extra unused by @jkowalleck in #1215
• chore(deps-dev): bump typescript from 5.5.4 to 5.6.2 in the typescript group by @dependabot in #1218
• chore: collect demo data with npm-ls args by @jkowalleck in #1230
• tests: restructure integration tests by @jkowalleck in #1231
• tests: less unnessessarry tests by @jkowalleck in #1236
• chore(deps): no longer depend on dependency packageurl-js by @jkowalleck in #1237
• feat: Add license text as evidence by @cuhland in #1243
• style: reorder CLI params by @jkowalleck in #1247
• build: do not bundle sourvcemaps by @jkowalleck in #1248
• refactor: copy/past mime-helpers by @jkowalleck in #1246
• feat: support npm11 by @jkowalleck in #1249
• refactor: structuredClonePolyfill to helpers by @jkowalleck in #1250
• chore(deps-dev): bump typescript from 5.6.2 to 5.7.3 in the typescript group by @dependabot in #1255

New Contributors

• @cuhland made their first contribution in #1243

Full Changelog: v1.19.3...v1.20.0

1.19.3

Dependencies

• Raised runtime dependency @cyclonedx/cyclonedx-library@^6.11.0, was @^6.6.0 (via #1205)
  This was done to incorporate non-breaking upstream changes and fixes.

Build

• Use TypeScript v5.5.3 now, was v5.4.5 (via #1201)

---

What's Changed

• Raised runtime dependency @cyclonedx/cyclonedx-library@^6.11.0 by @jkowalleck in #1205
• chore(deps): bum [email protected] by @jkowalleck in #1206
• chore(deps-dev): bump typescript from 5.4.5 to 5.5.3 in the typescript group across 1 directory by @dependabot in #1201

Full Changelog: v1.19.2...v1.19.3

1.19.2

Fixed

• CycloneDX externalReferences for vcs type (#1198 via #1202)
• CycloneDX property cdx:npm:package:path's value on Windows systems (via #1203)

---

What's Changed

• tests: tests are less noisy by @jkowalleck in #1194
• tests: more tests by @jkowalleck in #1195
• fix: path property on windows by @jkowalleck in #1203
• fix: vcs url git ssh by @jkowalleck in #1202

Full Changelog: v1.19.0...v1.19.2

1.19.0

Changed

• Try to sanitize distribution URLs (via #1187, #1191)

Added

• More debug output when it comes to package manifest loading (via #1189)

Misc

• Added direct dependency hosted-git-info@^4||^5||^6||^7 (via #1191)
  This is also a transitive dependency via already existing direct dependency normalize-package-data.

---

What's Changed

• test: alternative package registry by @jkowalleck in #1186
• feat: try sanitize dist urls by @jkowalleck in #1187
• feat: more debug when loading package manifests by @jkowalleck in #1189
• feat: git url sanitation by @jkowalleck in #1191

Full Changelog: v1.18.0...v1.19.0

1.18.0

Added

• Licenses acknowledgement might be populated (#1171 via #1183)

Misc

• Raised dependency @cyclonedx/cyclonedx-library@^6.6.0, was @^6.5.0 (via #1183)

---

What's Changed

• chore(ci): fix macos runners by @jkowalleck in #1176
• ci: modernize artifact action by @jkowalleck in #1178
• ci: use node22 by @jkowalleck in #1179
• chore: reduce duplicate test beds by @jkowalleck in #1181
• feat: license acknowledgement by @jkowalleck in #1183

Full Changelog: v1.17.0...v1.18.0

1.17.0

Added support for CycloneDX Specification-1.6.

Changed

• This tool explicitly supports CycloneDX Specification-1.6 now (via #1175)

Added

• CLI switch --spec-version now supports value 1.6 to reflect CycloneDX Specification-1.6 (via #1175)
  Default value for that option is unchanged - still 1.4.

Build

• Use TypeScript v5.4.5 now, was v5.4.2 (via #1167)

---

What's Changed

• docs: add CycloneDX 1.6 to README by @XSpielinbox in #1174
• feat: explicitely support CycloneDX 1.6 by @jkowalleck in #1175
• chore(deps-dev): bump typescript from 5.4.2 to 5.4.5 in the typescript group by @dependabot in #1167

New Contributors

• @XSpielinbox made their first contribution in #1174

Full Changelog: v1.16.2...v1.17.0

1.16.2

Style

• Applied latest code standards (via #1149)

Build

• Use TypeScript v5.4.2 now, was v5.3.3 (via #1160)

---

What's Changed

• refactor: fix typescript-eslint annotations by @jkowalleck in #1146
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1149
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1152
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1157
• tests: run with latest CDX spec-version by @jkowalleck in #1158
• chore(deps): bump softprops/action-gh-release from 1 to 2 by @dependabot in #1159
• chore(deps-dev): bump the typescript group with 1 update by @dependabot in #1160

Full Changelog: v1.16.1...v1.16.2