chore(ci): include sbom in the node-runtime-worker-thread package MONGOSH-1856 (#2430)

gagik · web-flow · commit 2b03591a8cde · 2025-04-08T14:48:45.000+02:00
Adds appending a purls file to the prepublishing step of the node-runtime-worker-thread.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -100,7 +100,7 @@
   "devDependencies": {
     "@babel/compat-data": "^7.26.8",
     "@mongodb-js/monorepo-tools": "^1.1.10",
-    "@mongodb-js/sbom-tools": "^0.7.0",
+    "@mongodb-js/sbom-tools": "^0.7.2",
     "@pkgjs/nv": "^0.2.2",
     "@types/chai": "^4.2.5",
     "@types/mocha": "^5.2.7",
diff --git a/packages/cli-repl/package.json b/packages/cli-repl/package.json
@@ -98,7 +98,7 @@
     "mongodb": "^6.14.2",
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
-    "@mongodb-js/sbom-tools": "^0.7.0",
+    "@mongodb-js/sbom-tools": "^0.7.2",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "@types/ansi-escape-sequences": "^4.0.0",
     "@types/js-yaml": "^4.0.5",
diff --git a/packages/node-runtime-worker-thread/.prettierignore b/packages/node-runtime-worker-thread/.prettierignore
@@ -4,3 +4,4 @@
 **/test/fixtures
 **/*.nocov*
 **/*.wxs
+**/.sbom
diff --git a/packages/node-runtime-worker-thread/package.json b/packages/node-runtime-worker-thread/package.json
@@ -29,13 +29,16 @@
     "webpack-build": "npm run compile && webpack --mode production",
     "webpack-build-dev": "npm run compile && webpack --mode development",
     "compile": "tsc -p tsconfig.json",
-    "prepublish": "npm run webpack-build",
+    "prepublish": "npm run webpack-build && npm run create-purls-file",
     "prettier": "prettier",
-    "reformat": "npm run prettier -- --write . && npm run eslint --fix"
+    "reformat": "npm run prettier -- --write . && npm run eslint --fix",
+    "create-purls-file": "npm run write-node-js-dep && node ../../scripts/create-purls.js .sbom/dependencies.json .sbom/node-js-dep.json > dist/purls.txt",
+    "write-node-js-dep": "mkdir -p .sbom && node ../../scripts/write-nodejs-dep > .sbom/node-js-dep.json"
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
+    "@mongodb-js/sbom-tools": "^0.7.2",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "@mongosh/browser-runtime-core": "3.8.0",
     "@mongosh/browser-runtime-electron": "3.8.0",
diff --git a/packages/node-runtime-worker-thread/webpack.config.js b/packages/node-runtime-worker-thread/webpack.config.js
@@ -2,16 +2,22 @@
 const { merge } = require('webpack-merge');
 const path = require('path');
 
+const { WebpackDependenciesPlugin } = require('@mongodb-js/sbom-tools');
 const baseWebpackConfig = require('../../config/webpack.base.config');
 
+const webpackDependenciesPlugin = new WebpackDependenciesPlugin({
+  outputFilename: path.resolve(__dirname, '.sbom', 'dependencies.json'),
+  includeExternalProductionDependencies: true,
+});
+
 /** @type import('webpack').Configuration */
 const config = {
   output: {
     path: path.resolve(__dirname, 'dist'),
     filename: '[name].js',
     libraryTarget: 'umd',
   },
-
+  plugins: [webpackDependenciesPlugin],
   externals: {
     'mongodb-client-encryption': 'commonjs2 mongodb-client-encryption',
     kerberos: 'commonjs2 kerberos',
