All notable changes to this project will be documented in this file.

• BREAKING changes
  • Removed deprecated symbols
  • Removed PackageUrl factories
  • No longer use external standards' implementations directly
• Removed
  • Entrypoint Builders (via #1377)
  • Entrypoint Factories (via #1377)
  • Entrypoint Utils (via #1377)
  • Entrypoint Contrib/PackageUrl (via #1378)
  • Deprecated symbol Builders (#1346 via #1377)
  • Deprecated symbol Builders.FromNodePackageJson (#1346 via #1377)
  • Deprecated symbol Builders.FromNodePackageJson.ToolBuilder (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Builders.ToolBuilder instead.
  • Deprecated symbol Builders.FromNodePackageJson.ComponentBuilder (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Builders.ComponentBuilder instead.
  • Deprecated symbol Factories (#1346 via #1377)
  • Deprecated symbol Factories.FromNodePackageJson (#1346 via #1377)
  • Deprecated symbol Factories.FromNodePackageJson.ExternalReferenceFactory (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Factories.ExternalReferenceFactory instead.
  • Deprecated symbol Factories.FromNodePackageJson.PackageUrlFactory (#1346 via #1377)
    Use packageurl-js downstream.
  • Deprecated symbol Factories.LicenseFactory (#1346, #1348 via #1377, #1378)
    Use Contrib.License.Factories.LicenseFactory instead.
  • Deprecated symbol Factories.PackageUrlFactory (#1346 via #1377)
    Use packageurl-js downstream.
  • Deprecated symbol Types.NodePackageJson (#1346, #1348 via #1377, #1378)
    Use Contrib.FromNodePackageJson.Types.NodePackageJson instead.
  • Deprecated symbol Types.assertNodePackageJson (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Types.assertNodePackageJson instead.
  • Deprecated symbol Types.isNodePackageJson (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Types.isNodePackageJson instead.
  • Deprecated symbol Utils (#1346 via #1377)
  • Deprecated symbol Utils.BomUtility (#1346 via #1377)
  • Deprecated symbol Utils.BomUtility.randomSerialNumber (#1346 via #1377)
    Use Contrib.Bom.Utils.randomSerialNumber instead.
  • Deprecated symbol Utils.LicenseUtility (#1346 via #1377)
  • Deprecated symbol Utils.LicenseUtility.FsUtils (#1346 via #1377)
    Use Contrib.License.Utils.FsUtils instead.
  • Deprecated symbol Utils.LicenseUtility.PathUtils (#1346 via #1377)
  • Use Contrib.License.Utils.PathUtils instead.
  • Deprecated symbol Utils.LicenseUtility.FileAttachment (#1346 via #1377)
    Use Contrib.License.Utils.FileAttachment instead.
  • Deprecated symbol Utils.LicenseUtility.ErrorReporter (#1346 via #1377)
    Use Contrib.License.Utils.ErrorReporter instead.
  • Deprecated symbol Utils.LicenseUtility.LicenseEvidenceGatherer (#1346 via #1377)
    Use Contrib.License.Utils.LicenseEvidenceGatherer instead.
  • Deprecated symbol Utils.NpmjsUtility (#1346 via #1377)
  • Deprecated symbol Utils.NpmjsUtility.parsePackageIntegrity (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Utils.parsePackageIntegrity instead.
  • Deprecated symbol Utils.NpmjsUtility.defaultRegistryMatcher (#1346 via #1377)
    Use Contrib.FromNodePackageJson.Utils.defaultRegistryMatcher instead.
  • Symbol Contrib.PackageUrl.Factories.PackageUrlFactory (#1348 via #1378)
    Use packageurl-js downstream.
  • Symbol Contrib.FromNodePackageJson.Factories.PackageUrlFactory (#1348 via #1378)
    Use packageurl-js downstream.
  • Symbol SPDX.isValidSpdxLicenseExpression (#1348 via #1382)
    Use package spdx-expression-parse instead.
• Changed
  • Component.purl is a string now, was PackaheUrl (#1348 via #1379)
  • Constructor of Contrib.License.Factories.LicenseFactory got an injectable argument spdxExpressionValidate for validating SPDX License Expressions (#1348 via #1382)
    Suggested implementation is spdx-expression-parse.
  • Pulled SPDX license IDs v1.0-3.28.0 (#1386 via #1395)
  • Hardened schema validators (via #1396)
• Dependencies
  • Dependency packageurl-js became a suggested (optional peer-dependency) library (#1348 via #1378)
    You may use it to craft and parse PackageURLs downstream.
  • Dependency spdx-expression-parse became a suggested (optional peer-dependency) library (#1348 via #1382)
    Used as an injectable in Contrib.License.Factories.LicenseFactory.constructor.
• Chore
  • Set dev-engines in package.json (#1301 via #1380)

• Added
  • Classes Models.NamedLicense and Models.SpdxLicense support properties as per CycloneDX 1.5 (via #1383)
• Build
  • Use webpack 5.105.3 now, was v5.103.0 (via #1360, #1374, #1390)

• Fixed
  • Type declarations for deprecated symbols support usage as types (#1350 via #1351)
• Refactor
  • Deprecated symbols turned from re-exports into re-declares (via #1351)
    Note: this change adds runtime overhead for the sake of documentation.

• Added
  • New entry points for /Contrib and known submodules (via #1343)
    See package.json::exports for details.
• Changes
  • Moved non‑standard implementations to Contrib area (#1344 via #1343)
• Deprecated
  • Certain exports have been deprecated; downstream imports should be updated to the new locations (#1344 via #1343)
    Note: the symbols themselves remain supported. See documentation and the "Refactored" section below for details.
• Refactor
  • The following symbols were moved. (#1344 via #1343)
    The symbols are still import-able through their old location.
    • OLD -> NEW
    • Builders.FromNodePackageJson -> Contrib.FromNodePackageJson.Builders
    • Factories.FromNodePackageJson -> Contrib.FromNodePackageJson.Factories
    • Factories.LicenseFactory -> Contrib.License.Factories.LicenseFactory
    • Factories.PackageUrlFactory -> Contrib.PackageUrl.Factories.PackageUrlFactory
    • Types.assertNodePackageJson -> Contrib.FromNodePackageJson.Types.assertNodePackageJson
    • Types.isNodePackageJson -> Contrib.FromNodePackageJson.Types.isNodePackageJson
    • Types.NodePackageJson -> Contrib.FromNodePackageJson.Types.NodePackageJson
    • Utils.BomUtility -> Contrib.Bom.Utils
    • Utils.LicenseUtility -> Contrib.License.Utils
    • Utils.NpmjsUtility -> Contrib.FromNodePackageJson.Utils
• Style
  • Applied latest code style (via #1341)
• Build
  • Use webpack v5.103.0 now, was v5.102.1 (via #1340)

• Added
  • Support CycloneDX 1.7 (#1325 via #1324)

• Dependencies
  • Support optional peer dependency xmlbuilder2@^3.0.2||^4.0.0, was xmlbuilder2@^3.0.2 (via #1321)
• Build
  • Use TypeScript v5.9.3 now, was v5.9.2 (via #1308)
  • Use webpack v5.102.0 now, was v5.101.3 (via #1309)

• BREAKING Changes
  • Optional dependencies became optional peer dependencies (via #1295)
• Added
  • Give downstream users control over optional dependencies (#1294 via #1295)

• Changed
  • Pulled SPDX license IDs v1.0-3.27.0 (via #1293)

• Build
  • Use TypeScript v5.9.2 now, was v5.8.3 (via #1285)
  • Use webpack v5.101.3 now, was v5.99.9 (via #1262, #1267, #1283)

• Added
  • Public export types.NodePackageJson, which is the input type for various factories and builders (via #1263)

• Fixed
  • Type exports for the web (via #1252)
• Added
  • New class Utils.LicenseUtility.LicenseEvidenceGatherer (#1162 via #1249)

• Added
  • Pulled SPDX license IDs v1.0-3.26.0 (via #1248)

• Added
  • factories.FromNodePackageJson.makeExternalReferences() supports "dist" field (#1247 via #1246)
  • New symbols under utils.NpmjsUtility (via #1246)
    • defaultRegistryMatcher
    • parsePackageIntegrity

Support for Node.js v24.

• Dependencies
  • Support libxmljs2@^0.35||^0.37, was @^0.35 (via #1243)
• Build
  • Use TypeScript v5.8.3 now, was v5.8.2 (via #1227)
  • Use webpack v5.99.6 now, was v5.98.0 (via #1229, #1231)
• Misc
  • CI/CT: test also with Node.js v24 (via #1244)

• BREAKING Changes
  • Dropped support for node<20.18.0 (#1081 via #1209)
• Refactor
  • Imports of built-in modules are prefixed with node: (#1198 via #1210)
• Build
  • Use TypeScript v5.8.2 now, was v5.7.2 (via #1204, #1217)
  • Use webpack v5.98.0 now, was v5.97.1 (via #1213)

• Added
  • New type Models.Copyright and class Models.CopyrightRepository (via #1202)
  • New type Models.AttachmentContent (via #1202)
• Changed
  • Replace usage of internals Stringable & SortableStringables with public API (#1192 via #1202)
    This is considered a non-breaking change, as the types are not changed, but made publicly available.
• Style
  • Apply latest code style guide (via #1201)
• Misc
  • Support npm11 (#1191 via #1203)

• BREAKING changes
  • Property Models.Bom.tools is an instance of Models.Tools now (#1152 via #1163)
    Before, it was an instance of Models.ToolRepository.
  • Property Models.Vulnerability.tools is an instance of Models.Tools now (via #1163)
    Before, it was an instance of Models.ToolRepository.
• Added
  • Static function Models.Tool.fromComponent() (via #1163)
  • Static function Models.Tool.fromService() (via #1163)
  • New class Models.Tools (#1152 via #1163)
  • New serialization/normalization for Models.Tools (#1152 via #1163, #1180)
• Changed
  • Serializers and Bom-Normalizers will take changed Models.Bom.tools into account (#1152 via #1163)
  • Serializers and Vulnerability-Normalizers will take changed Models.Vulnerability.tools into account (via #1163)
• Style
  • Apply latest code style guide (via #1170, #1181)
• Dependencies
  • Support libxmljs2@^0.35 (via #1173)
  • Use packageurl-js@^2.0.1, was @>=0.0.6 <0.0.8 || ^1 (via #1142)
• Build
  • Use TypeScript v5.7.2 now, was v5.6.3 (via #1182)

• Dependencies
  • Support libxmljs2@^0.35 (via #1196)

• Added
  • Support CycloneDX 1.6.1 (#1176 via #1177)

• Added
  • Support for services (#1164 via #1165)
  • New class Models.Service (#1164 via #1165)
  • New class Models.ServiceRepository (#1164 via #1165)
  • Class Models.Bom got new property services (#1164 via #1165)
  • Serializers and Bom-Normalizers will take Models.Bom.services into account (#1164 via #1165)
• Build
  • Use webpack v5.96.1 now, was v.95.0 (via #1159)

• Fixed
  • Encode quotation marks in URLs (#1154 via #1155)
• Build
  • Use TypeScript v5.6.3 now, was v5.5.3 (via #1130, #1144, #1150)
  • Use webpack v5.95.0 now, was v5.93.0 (via #1138, #1147)

• Changed
  • Factories.FromNodePackageJson.ExternalReferenceFactory.makeVcs() tries to canonicalize git-URLs (#1119 via #1120)
• Fixed
  • Improved URL sanitizer (via #1121)
• Build
  • Use webpack v5.93.0 now, was v5.92.1 (via #1122)

• Fixed
  • XML: properly handle normalizedString & token (#1098 via #1116)
• Build
  • Use TypeScript v5.5.3 now, was v5.4.5 (via #1108)
  • Use webpack v5.92.1 now, was v5.91.0 (via #1091, #1094)

• Changed
  • Existing Serialize.XmlSerializer.serialize() for Node.js may throw Serialize.MissingOptionalDependencyError (via #1084)
    This is considered a non-breaking change, as the docs always told that any Error may be thrown.
  • Improved the verbose error messages when a functionality failed due to absence of optional/pluggable dependency.
• Added
  • New class Serialize.MissingOptionalDependencyError (via #1084)
• Misc
  • Refactored functionality around optional/pluggable dependencies (via #1083, #1084)
    This was done in preparation for #1079.

Maintenance release.

• Chore
  • The package will be published to GitHub package registry, too. (#1026 via #1078)

• Changed
  • Updated SPDX license list to v3.24.0 (via #1077)

• Fixed
  • Added Factories.PackageUrlFactory's generic type's default back in (via #1076)

• Fixed
  • Hardened Factories.FromNodePackageJson.PackageUrlFactory's default package repository detection (#1073 via #1074)

• Added
  • Explicitly export own first-level submodules via package manifest (#87 via #1066)
    When used with bundlers/packers downstream, this might enable better tree shaking due to scoped imports.
• Refactor
  • Ease internal tree shaking (via #1066)

• Changed
  • The provided XML validation capabilities were explicitly hardened (via #1064; concerns #1061)
    This is considered a security measure concerning XML external entity (XXE) injection.

Reverted v6.7.0, back to v6.6.1
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

!! THIS VERSION GOT YANKED !!
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

• Changed
  • The provided XML validation capabilities no longer supports external entities (via #1063; concerns #1061)
    This is considered a security measure to prevent XML external entity (XXE) injection.

• Fixed
  • JSON validator allow arbitrary $schema (#1059 via #1060)

• Changed
  • Serializers and License-Normalizers will take license acknowledgement into account (#1051 via #1052)
• Added
  • Namespace Enums
    • New enum LicenseAcknowledgement (#1051 via #1052)
  • Namespace Models
    • Class LicenseExpression got new property acknowledgement (#1051 via #1052)
    • Class NamedLicense got new property acknowledgement (#1051 via #1052)
    • Class SpdxLicense got new property acknowledgement (#1051 via #1052)

• Dependencies
  • Bumped the range of optional requirement ajv-formats to ^3.0.1, was ^2.1.1 (via #1037)
    This should fix JSON-validation for time/date.

Added support for CycloneDX Specification-1.6.

• Changed
  • Normalizers support CycloneDX Specification-1.6 (#1039 via #1041)
  • Validators support CycloneDX Specification-1.6 (#1039 via #1041)
• Added
  • Existing Enums got new members and values for CycloneDX Specification-1.6 (#1039 via #1041)
    • Enums.ComponentType.CryptographicAsset
    • Enums.ExternalReferenceType.SourceDistribution
    • Enums.ExternalReferenceType.ElectronicSignature
    • Enums.ExternalReferenceType.DigitalSignature
    • Enums.ExternalReferenceType.RFC9116
  • Namespace Spec was enhanced for CycloneDX Specification-1.6 (#1039 via #1041)
    • New const Spec.Spec1dot6
    • New enum member Spec.Version.v1dot6
• Build
  • Use TypeScript v5.4.5 now, was v5.4.3 (via #1040)

• Build
  • Use TypeScript v5.4.3 now, was v5.4.2 (via #1030)
  • Use webpack v5.91.0 now, was v5.90.3 (via #1031)

• Documentation
  • Rendered (API) docs are hosted on readthedocs (#1027 via #1028)
• Build
  • Use TypeScript v5.4.2 now, was v5.3.3 (via #1021)

• Added
  • Class Models.Metadata got a new property licenses (#1019 via #1020)
  • Class Models.Metadata got a new property properties (#1019 via #1020)

• Refactor
  • Removed dynamic imports in Node.js-specific XML serializer lookup (#1017 via #1018)
    This should improve compatibility with linkers and bundlers.
• Build
  • Use webpack v5.90.3 now, was v5.89.0 (via #1008, #1013, #1015)

Maintenance release

• Dependencies
  • Widened optional dependency libxmljs2@^0.31||^0.32||^0.33, was @^0.31||^0.32 (via #1001)

• Changed
  • Serialization/normalization guarantees valid URI values (#992 via #996)

• Fixed
  • Possible bug in XML serialization of undefined children (via #1000)
• Build
  • Use TypeScript v5.3.3 now, was v5.3.2 (via #999)

Maintenance release.

• Misc
  • Widened dependency spdx-expression-parse@^3.0.1||^4, was @^3.0.1 (via #993)
  • CI/CT: test also with Node.js v21 (via #995)

Maintenance release.

• Style
  • Apply latest code style guide (via #988, #990)
• Build
  • Use TypeScript v5.3.2 now, was v5.2.2 (via #990)
  • Use ts-loader v9.5.1 now, was v9.5.0 (via #990)

• Added
  • Class Models.ExternalReference got a new property hashes (#984 via #985)
  • Serializers and ExternalReference-Normalizers will take Models.ExternalReference.hashes into account (#984 via #985)
• Build
  • Use webpack v5.89.0 now, was v5.88.2 (via #979)
  • Use ts-loader v9.5.0 now, was v9.4.4 (via #977)

• BREAKING
  • Interface Spec.Protocol was removed from public API (#957 via #958)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
    This change was necessary, so that implementing more spec-features cause no breaking changes.
• Build
  • Use TypeScript v5.2.2 now, was v5.1.6 (via #966)

• BREAKING
  • Interface Spec.Protocol now defines new mandatory methods (via #946)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
• Added
  • New enum Enums.Lifecycle with corresponding values from CycloneDX Specification-1.5 (#937 via #946)
  • New class Models.NamedLifecycle (#937 via #946)
  • New class Models.LifecycleRepository (#937 via #946)
  • Class Models.Metadata got a new property lifecycles (#937 via #946)
  • Serializers and Metadata-Normalizers will take Models.Metadata.lifecycles into account (#937 via #946)
• Build
  • Use webpack v5.88.2 now, was v5.88.1 (via #933)

• BREAKING
  • Usage of this library in web browsers might no longer work out of the box (via #880)
    It might require a bundler/packer for web; see the examples/web/.
    This is only a breaking change if you used this library in a web browser.
• Fixed
  • Properly exclude external packages when preparing this library for web browsers (#883 via #880)
• Examples
  • Adjusted and extended examples for usage in web browsers (#883 via #880)
    Removed outdated examples/web/*, added examples/web/parcel & examples/web/webpack.
  • Added examples for usage of CDX.Factories.PackageUrlFactory (via #882, #886)
• Build
  • Use TypeScript v5.1.6 now, was v5.1.5 (via #866)
  • Use webpack v5.88.1 now, was v5.88.0 (via #870)
  • Apply wider rules for externals in webpack build (#883 via #880)

Added support for CycloneDX Specification-1.5.
Added functionality regarding CycloneDX BOM-Link.

• BREAKING
  • Interface Spec.Protocol now defines new mandatory methods (via #843)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
• Changed
  • Normalizers support CycloneDX Specification-1.5 (#505 via #843)
  • Validators support CycloneDX Specification-1.5 (#505 via #843)
  • Some models' properties were widened to support CycloneDX BOM-Link (via #856)
• Added
  • Existing Enums got the new members and values for CycloneDX Specification-1.5 (#505 via #843)
  • Namespace Spec was enhanced for CycloneDX Specification-1.5 (#505 via #843)
  • Dedicated classes and types for CycloneDX BOM-Link (via #843, #856, #857)

• BREAKING
  • Interface Spec.Protocol now defines a new mandatory method supportsVulnerabilityRatingMethod() (via #843)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
• Changed
  • Namespace Models
    • Method BomRef.compare() accepts every stringable now, was Models.BomRef only (via #856)
    • Class ExternalReference's property url also accepts BomLink now, was URL|string only (via #856)
    • Class Vulnerability.Affect's property ref also accepts BomLinkElement now, was BomRef only (via #856)
  • Namespace Serialize.{JSON,XML}.Normalize
    • All classes support CycloneDX Specification-1.5 now (#505 via #843)
    • Methods VulnerabilityRatingNormalizer.normalize() omit unsupported values for Models.Vulnerability.Rating.method (via #843)
      This utilizes the new method Spec.Protocol.supportsVulnerabilityRatingMethod().
  • Namespace Validation
    • Classes {Json,JsonStrict,Xml}Validator support CycloneDX Specification-1.5 now (#505 via #843)
• Added
  • Namespace Enums
    • Enum ComponentType got new members (#505 via #843)
      New: Data, DeviceDriver, MachineLearningModel, Platform
    • Enum ExternalReferenceType got new members (#505 via #843)
      New: AdversaryModel, Attestation, CertificationReport, CodifiedInfrastructure, ComponentAnalysisReport, Configuration, DistributionIntake, DynamicAnalysisReport, Evidence, ExploitabilityStatement, Formulation, Log, MaturityReport, ModelCard, POAM, PentestReport, QualityMetrics, RiskAssessment, RuntimeAnalysisReport, SecurityContact, StaticAnalysisReport, ThreatModel, VulnerabilityAssertion
    • Enum Vulnerability.RatingMethod got new members (#505 via #843)
      New: CVSSv4, SSVC
  • Namespace Models
    • New classes BomLinkDocument and BomLinkDocument to represent CycloneDX BOM-Link (via #843, #856, #857)
    • New type BomLink to represent CycloneDX BOM-Link (via #843, #856)
  • Namespace Spec
    • Enum Version got new member v1dot5 to reflect CycloneDX Specification-1.5 (#505 via #843)
    • Constant SpecVersionDict got new entry to reflect CycloneDX Specification-1.5 (#505 via #843)
    • New constant Spec1dot5 to reflect CycloneDX Specification-1.5 (#505 via #843)
    • Constants Spec1dot{2,3,4} got a new method supportsVulnerabilityRatingMethod() (via #843)
    • Interface Protocol has a new method supportsVulnerabilityRatingMethod() (via #843)
• Misc
  • Added functional and integration tests for CycloneDX Specification-1.5 (#505 via #843)
  • Added unit tests for CycloneDX BOM-Link (via #843, #856)
  • Fetched latest stable schema definition files for offline usage (via #843)
  • Improved internal documentation (via #856)
• Build
  • Use TypeScript v5.1.5 now, was v5.1.3 (via #860)
  • Use webpack v5.88.0 now, was v5.86.0 (via #841)

• Changed
  • Classes Serialize.Xml.Normalize.Vulnerability*Normalizer are now public available (via #816)
    Previously, only instances were available via Serialize.Xml.Normalize.Factory.makeForVulnerability*().
• Build
  • Use TypeScript v5.1.3 now, was v5.0.4 (via #790)
  • Use webpack v5.86.0 now, was v5.82.1 (via #802)

Improved license detection.
Finished Vulnerability capabilities.
Added ComponentEvidence capabilities.

• BREAKING
  • Method Factories.LicenseFactory.makeFromString() was changed in its behavior (#271, #530 via #547)
    It will try to create Models.SpdxLicense if value is eligible, else try to create Models.LicenseExpression if value is eligible, else fall back to Models.NamedLicense.
  • Revisited sort and compare:
    • Methods Models.*.compare() may return different numbers than before.
    • Methods Models.*.sorted() may return different orders than before.
  • Removed deprecated symbols (#747 via #752)
• Changed
  • Removed beta state from symbols {Enums,Models}.Vulnerability.* (#164 via #722)
    The structures are defined as stable now.
  • Some property/parameter types were widened, enabling the use of Buffer and other data-saving mechanisms (#406, #516 via #753)
• Added
  • New data models and serialization/normalization for Models.ComponentEvidence (#516 via #753)
  • Serializers and Component-Normalizers will take Models.Component.evidence into account (#516 via #753)
  • Serializers and Bom-Normalizers will take Models.Bom.vulnerabilities into account (#164 via #722)
• Misc
  • Internal rework, modernization, refactoring

• BREAKING
  • Class Factories.LicenseFactory was modified
    • Renamed method makeDisjunctiveWithId() -> makeSpdxLicense() (#530 via #547)
    • Renamed method makeDisjunctiveWithName() -> makeNamedLicense() (#530 via #547)
  • Class Models.LicenseExpression was modified
    • Removed static function isEligibleExpression() (via #547)
      Use Spdx.isValidSpdxLicenseExpression() instead.
    • Constructor no longer throws, when value is not eligible (#530 via #547)
      You may use Factories.LicenseFactory.makeExpression() to mimic the previous behavior.
    • Property expression setter no longer throws, when value is not eligible (#530 via #547)
      You may use Factories.LicenseFactory.makeExpression() to mimic the previous behavior.
  • Class Models.SpdxLicense was modified
    • Constructor no longer throws, when value is not eligible (#530 via #547)
      You may use Factories.LicenseFactory.makeSpdxLicense() to mimic the previous behavior.
    • Property id setter no longer throws, when value is not eligible (#530 via #547)
      You may use Factories.LicenseFactory.makeSpdxLicense() to mimic the previous behavior.
  • Interface Spec.Protocol now defines a new mandatory property supportsComponentEvidence:boolean (via #753)
  • Interface Spec.Protocol now defines a new mandatory property supportsVulnerabilities:boolean (via #722)
  • Removed deprecated symbols (#747 via #752)
    • Namespaces {Builders,Factories}.FromPackageJson were removed.
      You may use {Builders,Factories}.FromNodePackageJson instead.
    • Class Models.HashRepository was removed.
      You may use Models.HashDictionary instead.
    • Methods Serialize.{Json,Xml}.Normalize.*.normalizeRepository() were removed.
      You may use Serialize.{Json,Xml}.Normalize.*.normalizeIterable() instead
    • Type alias Types.UrnUuid was removed.
      You may use string instead.
    • Type predicate Types.isUrnUuid() was removed.
• Changed
  • Class Models.Attachment was modified
    • Property content was widened to be any stringable, was string (#406, #516 via #753)
      This enables the use of Buffer and other data-saving mechanisms.
  • Class Models.Component was modified
    • Property copyright was widened to be any stringable, was string (#406, #516 via #753)
      This enables the use of Buffer and other data-saving mechanisms.
  • Class Models.Vulnerability.Credits was modified
    • Property organizations is no longer optional (via #722)
      This collection(Set) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
    • Property individuals is no longer optional (via #722)
      This collection(Set) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
• Added
  • Namespace Models was enhanced
    • Class Component was enhanced
      • New optional property evidence of type Models.ComponentEvidence (#516 via #753)
    • New Class ComponentEvidence (#516 via #753)
    • Namespace Vulnerability was enhanced
      • Class Advisory was enhanced
        • New method compare() (via #722)
      • Class AdvisoryRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class Affect was enhanced
        • New method compare() (via #722)
      • Class AffectRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class AffectedSingleVersion was enhanced
        • New method compare() (via #722)
      • Class AffectedVersionRange was enhanced
        • New method compare() (via #722)
      • Class AffectedVersionRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class Rating was enhanced
        • New method compare() (via #722)
      • Class RatingRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • class Reference was enhanced
        • New method compare() (via #722)
      • Class ReferenceRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • class Source was enhanced
        • New method compare() (via #722)
      • class Vulnerability was enhanced
        • New method compare() (via #722)
      • Class VulnerabilityRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
  • Namespaces Serialize.{Json,Xml}.Normalize were enhanced
    • Class Factory was enhanced
      • New Method makeForComponentEvidence() (#516 via #753)
      • New method makeForVulnerability() (#164 via #722)
      • New method makeForVulnerabilitySource() (#164 via #722)
      • New method makeForVulnerabilityReference() (#164 via #722)
      • New method makeForVulnerabilityRating (#164 via #722)
      • New method makeForVulnerabilityAdvisory (#164 via #722)
      • New method makeForVulnerabilityCredits (#164 via #722)
      • New method makeForVulnerabilityAffect (#164 via #722)
      • New method makeForVulnerabilityAffectedVersion (#164 via #722)
      • New method makeForVulnerabilityAnalysis (#164 via #722)
    • New class ComponentEvidenceNormalizer (#516 via #753)
    • Class OrganizationalEntityNormalizer was enhanced
      • New method normalizeIterable() (via #722)
    • New class VulnerabilityNormalizer (#164 via #722)
    • New class VulnerabilityAdvisoryNormalizer (#164 via #722)
    • New class VulnerabilityAffectNormalizer (#164 via #722)
    • New class VulnerabilityAffectedVersionNormalizer (#164 via #722)
    • New class VulnerabilityAnalysisNormalizer (#164 via #722)
    • New class VulnerabilityCreditsNormalizer (#164 via #722)
    • New class VulnerabilityRatingNormalizer (#164 via #722)
    • New class VulnerabilityReferenceNormalizer (#164 via #722)
    • New class VulnerabilitySourceNormalizer (#164 via #722)
  • Namespace Spec
    • Constants Spec1dot{2,3,4} were enhanced
      • New property supportsComponentEvidence:boolean (via #753)
      • New property supportsVulnerabilities:boolean (via #722)
  • Namespace Spdx was enhanced
    • New function isValidSpdxLicenseExpression() (#271 via #547)
• Misc
  • Added dependency spdx-expression-parse@^3.0.1 (via #547)

• Added
  • Formal validators for JSON string and XML string (#620 via #652, #691)
    Currently available only for Node.js. Requires optional dependencies.
    • Related new validator classes:
      • Validation.JsonValidator
      • Validation.JsonStrictValidator
      • Validation.XmlValidator
    • Related new error classes:
      • Validation.NotImplementedError
      • Validation.MissingOptionalDependencyError
• Build
  • Use TypeScript v5.0.4 now, was v4.9.5 (#549 via #644)
  • Use webpack v5.80.0 now, was v5.79.0 (via #686)

• Fixed
  • Serialize.{JSON,XML}.Normalize.LicenseNormalizer.normalizeIterable() now omits invalid license combinations (#602 via #623)
    If there is any Models.LicenseExpression, then this is the only license normalized; otherwise all licenses are normalized.
• Docs
  • Fixed link to CycloneDX-specification in README (via #617)

• Fixed
  • Builders.FromNodePackageJson.ComponentBuilder no longer cuts component's name after a slash(/) (#599 via #600)

• Docs
  • Announce and annotate the generator for BOM's SerialNumber (#588 via #598)

• Fixed
  • "Bom.serialNumber" data model can have values following the alternative format allowed in CycloneDX XML specification (#588 via #597)
  • Serialize.{JSON,XML}.Normalize.BomNormalizer.normalize now omits invalid/unsupported values for serialNumber (#588 via #597)
• Changed
  • Property Models.Bom.serialNumber is of type string, was type-aliased Types.UrnUuid = string (#588 via #597)
    Also, the setter no longer throws exceptions, since no string format is illegal.
    This is considered a non-breaking behavior change, because the corresponding normalizers assure valid data results.
• Added
  • Published generator for BOM's SerialNumber: Utils.BomUtility.randomSerialNumber() (#588 via #597)
    The code was donated from cyclonedx-node-npm.
• Deprecation
  • Type alias Types.UrnUuid = string became deprecated (via #597)
    Use type string instead.
  • Function Types.isUrnUuid became deprecated (via #597)

• Fixed
  • Digesting this library in TypeScript build with ECMA Script module results works as expected, now (via #596)
• Docs
  • Development-docs are no longer packed with releases (via #572)
• Misc
  • Added more integration tests in CI (via #596)

Maintenance release.

• Docs
  • Made it clear, that {Builders,Factories}.{FromNodePackageJson,FromPackageJson}.* functionality is to be run on already normalized structures (#517 via #518)
    Normalization should be done downstream, for example via normalize-package-data.

• Added
  • New vulnerability-related enums were added in a new namespace Enums.Vulnerability (#164 via #419)
    Release stage is “beta”. These namespace and enums have been released to third-party developers experimentally for the purpose of collecting feedback. These enums should not be used in production, because their contracts may change without notice.
    • AffectStatus
    • AnalysisJustification
    • AnalysisResponse
    • AnalysisState
    • RatingMethod
    • Severity
  • New vulnerability-related models were added in a new namespace Models.Vulnerability (#164 via #419)
    Release stage is “beta”. These namespace and models have been released to third-party developers experimentally for the purpose of collecting feedback. These models should not be used in production, because their contracts may change without notice.
    Attention: The models are not yet supported by shipped serializers nor shipped normalizers.
    • Advisory, AdvisoryRepository
    • Affect, AffectRepository, AffectedSingleVersion, AffectedVersionRange, AffectedVersionRepository
    • Analysis
    • Credits
    • Rating, RatingRepository
    • Reference, ReferenceRepository
    • Source
    • Vulnerability, VulnerabilityRepository
  • New class Models.OrganizationalEntityRepository to represent a collection of Models.OrganizationalEntity (via #419)
    Additionally, Models.OrganizationalEntity.compare() was implemented.
  • New types and related functionality Common Weaknesses Enumerations (CWE) were added (via #419)
    Release stage is “beta”. These types, functions and classes have been released to third-party developers experimentally for the purpose of collecting feedback. These types, functions and classes should not be used in production, because their contracts may change without notice.
    • type Types.CWE
    • runtime validation Types.isCWE()
    • class Types.CweRepository
• Docs
  • Use TSDoc syntax in TypeScript files, instead of JSDoc (via #318, #453)
• Build
  • Use TypeScript v4.9.5 now, was v4.9.4 (via #463)
• Misc
  • Added tests for internal helpers (via #454)
  • Use eslint-config-standard-with-typescript@34.0.0 now, was 33.0.0 (via #460)

• Added
  • Typing: Interfaces of models' optional properties are now public API (#439 via #440)
  • Ship TypeDoc configuration, so that users can build the documentation on demand (#57 via #436)
• Fixed
  • XML serializer now properly throws UnsupportedFormatError if it is unsupported by the supplied Spec (via #438)
• Misc
  • Added tests for internal helpers (via #431)
  • Added more internal sortable data types (via #165)
  • Fixed type hints in internals (via #432)
  • Fixed type refs and links in doc-strings (via #437)
  • Slightly improved performance of compare methods when reproducible results were needed (via #433)
  • Use eslint-config-standard-with-typescript@33.0.0 now, was 23.0.0 (via #382, #423, #445)

Maintenance release.

• Docs
  • Fix CI/CT shield (badges/shields#8671 via #371)

Maintenance release.

• Build
  • Use TypeScript v4.9.4 now, was v4.9.3 (via #360)

• Changed
  • Widened the accepted types for first parameter of all normalizeIterable methods (via #317)
• Build
  • Use TypeScript v4.9.3 now, was v4.8.4 (via #335)

• Added
  • Enabled detection for node-package manifest's deprecated licenses format in the node-specific builders (#308 via #309)

• Changed
  • Shipped TypeScript declarations are usable by TypeScript v3.8 and above now (#291 via #292) Previously the source code was abused as type declarations, so they required a certain version of TypeScript 4.

• Changed
  • Removed synthetic default imports im TypeScript sources (via #243)
    The resulting JavaScript did not change in functionality.
    Downstream users of the TypeScript sources/definitions might consider this a feature, as they are no longer required to compile with allowSyntheticDefaultImports enabled.
• Added
  • Documentation and example regarding dependency tree modelling were added in multiple places (via #250)
• Build
  • No longer enable TypeScript config esModuleInterop & allowSyntheticDefaultImports (via #243)
  • Use TypeScript v4.8.4 now, was v4.8.3 (via #246)

• Deprecated
  • The normalizer methods normalizeRepository will be known as normalizeIterable (via #230)

• Deprecated
  • The class HashRepository will be known as HashDictionary (via #229)

Maintenance release.

• Build
  • Use TypeScript v4.8.3 now, was v4.8.2 (via #212)

Maintenance release.

• Misc
  • Style: imports are sorted, now (via #208)
• Dependencies
  • Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8 || ^1, was >=0.0.6 <0.0.8 (via #210)

• Added
  • New class Factories.FromNodePackageJson.PackageUrlFactory that acts like Factories.PackageUrlFactory, but omits PackageUrl's npm-specific "default derived" qualifier values for download_url & vcs_url (#204 via #207)
• Build
  • Use TypeScript v4.8.2 now, was v4.7.4 (via #190)

• Fixed
  • Factories.PackageUrlFactory omits empty-string URLs for PackageUrl's qualifiers download_url & vcs_url (via #180)

• Fixed
  • Improved omission of invalid anyURI when it comes to XML-normalization (#178 via #179)

• Fixed
  • Serializers render bom-ref values of nested components as unique values, as expected (#175 via #176)
• Misc
  • Style: improved readability of constructor parameter types (via #166)

• Fixed
  • JSON- and XML-Normalizer no longer render Models.Component.properties with CycloneDX Specification-1.2 (#152 via #153)
  • XML-Normalizer now has the correct order/position of rendered Models.Component.properties (via #153)

• Changed
  • Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation (via #150)
  • Use SPDX license enumeration from version 9b04a94 of CycloneDX specification. (via #150)
• Added
  • Models for Property and PropertyRepository (via #151)
  • JSON- and XML-Normalizer for Models.Property, Models.PropertyRepository (via #151)
  • New property Models.Component.properties (via #151)
• Build
  • Use webpack v5.74.0. now, was v5.73.0 (via #141)

• Added
  • New getters/properties that represent the corresponding parameters of class constructor (via #145)
    • Builders.FromPackageJson.ComponentBuilder.extRefFactory,
      Builders.FromPackageJson.ComponentBuilder.licenseFactory
    • Builders.FromPackageJson.ToolBuilder.extRefFactory
    • Factories.PackageUrlFactory.type
    • Serialize.BomRefDiscriminator.prefix
    • Serialize.JsonSerializer.normalizerFactory
    • Serialize.XmlBaseSerializer.normalizerFactory,
      Serialize.XmlSerializer.normalizerFactory
  • Factory for PackageURL from Models.Component can handle additional data sources, now (via #146)
    • Models.Component.hashes map -> PackageURL.qualifiers.checksum list
    • Models.Component.externalReferences[distribution].url -> PackageURL.qualifiers.download_url
    • Method Factories.PackageUrlFactory.makeFromComponent() got a new optional parameter sort, to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
      This feature switch is related to reproducible builds.
• Deprecated
  • The sub-namespace FromPackageJson will be known as FromNodePackageJson (via #148)
    • Factories.FromPackageJson -> Factories.FromNodePackageJson
    • Builders.FromPackageJson -> Builders.FromNodePackageJson

• Added
  • Support for nested/bundled (sub-)components via Models.Component.components was added, including serialization/normalization of models and impact on dependency graphs rendering (#132 via #136)
  • CycloneDX Specification-1.4 made element Models.Component.version optional. Therefore, serialization/normalization with this specification version will no longer render this element if its value is empty (via #137, #138)

• Fixed
  • Types.isCPE() for CPE2.3 allows escaped(\) chars &"><, as expected (via #134)

Maintenance release.

• Dependencies
  • Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8, was ^0.0.7 (#130 via #131)

Maintenance release.

• Build
  • Use TypeScript v4.7.4 now, was v4.6.4 (via #55)
• Dependencies
  • Raised the requirement of packageurl-js to ^0.0.7, was ^0.0.6 (via #123)

Initial release.

• Responsibilities
  • Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
  • Provide typing for said implementation, so developers and dev-tools can rely on it.
  • Provide data models to work with CycloneDX.
  • Provide a JSON- and an XML-normalizer, that...
    • supports all shipped data models.
    • respects any injected CycloneDX Specification and generates valid output according to it.
    • can be configured to generate reproducible/deterministic output.
    • can prepare data structures for JSON- and XML-serialization.
  • Serialization:
    • Provide a universal JSON-serializer for all target environments.
    • Provide an XML-serializer for all target environments.
    • Support the downstream implementation of custom XML-serializers tailored to specific environments
      by providing an abstract base class that takes care of normalization and BomRef-discrimination.
      This is done, because there is no universal XML support in JavaScript.
• Capabilities & Features
  • Enums for the following use cases:
    • AttachmentEncoding
    • ComponentScope
    • ComponentType
    • ExternalReferenceType
    • HashAlgorithm
  • Data models for the following use cases:
    • Attachment
    • Bom
    • BomRef, BomRefRepository
    • Component, ComponentRepository
    • ExternalReference, ExternalReferenceRepository
    • HashContent, Hash, HashRepository
    • LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
    • Metadata
    • OrganizationalContact, OrganizationalContactRepository
    • OrganizationalEntity
    • SWID
    • Tool, ToolRepository
  • Factories for the following use cases:
    • Create data models from any license descriptor string
    • Specific to Node.js: create data models from PackageJson-like data structures
  • Builders for the following use cases:
    • Specific to Node.js: create deep data models from PackageJson-like data structures
  • Implementation of the CycloneDX Specification for the following versions:
    • 1.4
    • 1.3
    • 1.2
  • Normalizers that convert data models to JSON structures
  • Normalizers that convert data models to XML structures
  • Universal serializer that converts Bom data models to JSON string
  • Serializer that converts Bom data models to XML string:
    • Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
    • Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries
      • xmlbuilder2