BREAKING changes

• Removed deprecated symbols
• Removed PackageUrl factories
• No longer use external standards' implementations directly

Removed

• Entrypoint Builders (via #1377)
• Entrypoint Factories (via #1377)
• Entrypoint Utils (via #1377)
• Entrypoint Contrib/PackageUrl (via #1378)
• Deprecated symbol Builders (#1346 via #1377)
• Deprecated symbol Builders.FromNodePackageJson (#1346 via #1377)
• Deprecated symbol Builders.FromNodePackageJson.ToolBuilder (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Builders.ToolBuilder instead.
• Deprecated symbol Builders.FromNodePackageJson.ComponentBuilder (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Builders.ComponentBuilder instead.
• Deprecated symbol Factories (#1346 via #1377)
• Deprecated symbol Factories.FromNodePackageJson (#1346 via #1377)
• Deprecated symbol Factories.FromNodePackageJson.ExternalReferenceFactory (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Factories.ExternalReferenceFactory instead.
• Deprecated symbol Factories.FromNodePackageJson.PackageUrlFactory (#1346 via #1377)
  Use packageurl-js downstream.
• Deprecated symbol Factories.LicenseFactory (#1346, #1348 via #1377, #1378)
  Use Contrib.License.Factories.LicenseFactory instead.
• Deprecated symbol Factories.PackageUrlFactory (#1346 via #1377)
  Use packageurl-js downstream.
• Deprecated symbol Types.NodePackageJson (#1346, #1348 via #1377, #1378)
  Use Contrib.FromNodePackageJson.Types.NodePackageJson instead.
• Deprecated symbol Types.assertNodePackageJson (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Types.assertNodePackageJson instead.
• Deprecated symbol Types.isNodePackageJson (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Types.isNodePackageJson instead.
• Deprecated symbol Utils (#1346 via #1377)
• Deprecated symbol Utils.BomUtility (#1346 via #1377)
• Deprecated symbol Utils.BomUtility.randomSerialNumber (#1346 via #1377)
  Use Contrib.Bom.Utils.randomSerialNumber instead.
• Deprecated symbol Utils.LicenseUtility (#1346 via #1377)
• Deprecated symbol Utils.LicenseUtility.FsUtils (#1346 via #1377)
  Use Contrib.License.Utils.FsUtils instead.
• Deprecated symbol Utils.LicenseUtility.PathUtils (#1346 via #1377)
• Use Contrib.License.Utils.PathUtils instead.
• Deprecated symbol Utils.LicenseUtility.FileAttachment (#1346 via #1377)
  Use Contrib.License.Utils.FileAttachment instead.
• Deprecated symbol Utils.LicenseUtility.ErrorReporter (#1346 via #1377)
  Use Contrib.License.Utils.ErrorReporter instead.
• Deprecated symbol Utils.LicenseUtility.LicenseEvidenceGatherer (#1346 via #1377)
  Use Contrib.License.Utils.LicenseEvidenceGatherer instead.
• Deprecated symbol Utils.NpmjsUtility (#1346 via #1377)
• Deprecated symbol Utils.NpmjsUtility.parsePackageIntegrity (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Utils.parsePackageIntegrity instead.
• Deprecated symbol Utils.NpmjsUtility.defaultRegistryMatcher (#1346 via #1377)
  Use Contrib.FromNodePackageJson.Utils.defaultRegistryMatcher instead.
• Symbol Contrib.PackageUrl.Factories.PackageUrlFactory (#1348 via #1378)
  Use packageurl-js downstream. You can use these example as inspiration:
  • https://github.com/CycloneDX/cyclonedx-node-yarn/blob/c35d9b7c2b5a50aae46d435cda8e095ca415c622/src/factories.ts
  • https://github.com/CycloneDX/cyclonedx-node-npm/blob/002211b6f860222fd4cba0e13af6c131b157c27c/src/factories.ts
• Symbol Contrib.FromNodePackageJson.Factories.PackageUrlFactory (#1348 via #1378)
  Use packageurl-js downstream.
• Symbol SPDX.isValidSpdxLicenseExpression (#1348 via #1382)
  Use package spdx-expression-parse instead.

Changed

• Component.purl is a string now, was PackaheUrl (#1348 via #1379)
• Constructor of Contrib.License.Factories.LicenseFactory got an injectable argument spdxExpressionValidate for validating SPDX License Expressions (#1348 via #1382)
  Suggested implementation is spdx-expression-parse.
• Pulled SPDX license IDs v1.0-3.28.0 (#1386 via #1395)
• Hardened schema validators (via #1396)

Dependencies

• Dependency packageurl-js became a suggested (optional peer-dependency) library (#1348 via #1378)
  You may use it to craft and parse PackageURLs downstream.
• Dependency spdx-expression-parse became a suggested (optional peer-dependency) library (#1348 via #1382)
  Used as an injectable in Contrib.License.Factories.LicenseFactory.constructor.

Chore

• Set dev-engines in package.json (#1301 via #1380)

What's Changed

• feat!: remove deprecated reexports by @jkowalleck in #1377
• feat!: Component.purl as string by @jkowalleck in #1379
• feat!: remove package url factory by @jkowalleck in #1378
• chore: dev engines by @jkowalleck in #1380
• tests: fix browser tests by @jkowalleck in #1381
• feat!: remove spdx expression validation by @jkowalleck in #1382
• v10.0.0 by @jkowalleck in #1376
• chore(deps): bump knip from 5.83.1 to 5.85.0 in /tools/test-dependencies by @dependabot[bot] in #1392
• feat: pulled SPDX license IDs v1.0-3.28.0 by @jkowalleck in #1395
• feat: harden schema validators by @jkowalleck in #1396

Full Changelog: v9.5.0...v10.0.0

Added

• Classes Models.NamedLicense and Models.SpdxLicense support properties as per CycloneDX 1.5 (via #1383)

Build

• Use webpack 5.105.3 now, was v5.103.0 (via #1360, #1374, #1390)

What's Changed

• ci: test with node 25 by @jkowalleck in #1353
• docs: modernize docs gen by @jkowalleck in #1355
• chore(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #1357
• chore(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #1356
• chore(deps): bump knip from 5.71.0 to 5.81.0 in /tools/test-dependencies by @dependabot[bot] in #1366
• chore(deps): bump knip from 5.81.0 to 5.82.1 in /tools/test-dependencies by @dependabot[bot] in #1368
• chore(deps): bump knip from 5.82.1 to 5.83.1 in /tools/test-dependencies by @dependabot[bot] in #1370
• docs: explain scoped imports from entry points by @jkowalleck in #1373
• chore(deps-dev): bump webpack from 5.103.0 to 5.104.1 in the webpack group across 1 directory by @dependabot[bot] in #1360
• chore(deps-dev): bump webpack from 5.104.1 to 5.105.2 in the webpack group across 1 directory by @dependabot[bot] in #1374
• feat: Support properties on license by @peschuster in #1383
• chore: node25 is experimental by @jkowalleck in #1393
• chore(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @dependabot[bot] in #1391
• chore(deps-dev): bump webpack from 5.105.2 to 5.105.3 in the webpack group across 1 directory by @dependabot[bot] in #1390

New Contributors

• @peschuster made their first contribution in #1383

Full Changelog: v9.4.1...v9.5.0

see the detailed change log here: #1376

What's Changed

• ci: test with node 25 by @jkowalleck in #1353
• docs: modernize docs gen by @jkowalleck in #1355
• chore(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #1357
• chore(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #1356
• chore(deps): bump knip from 5.71.0 to 5.81.0 in /tools/test-dependencies by @dependabot[bot] in #1366
• chore(deps): bump knip from 5.81.0 to 5.82.1 in /tools/test-dependencies by @dependabot[bot] in #1368
• chore(deps): bump knip from 5.82.1 to 5.83.1 in /tools/test-dependencies by @dependabot[bot] in #1370
• docs: explain scoped imports from entry points by @jkowalleck in #1373
• chore(deps-dev): bump webpack from 5.103.0 to 5.104.1 in the webpack group across 1 directory by @dependabot[bot] in #1360
• chore(deps-dev): bump webpack from 5.104.1 to 5.105.2 in the webpack group across 1 directory by @dependabot[bot] in #1374
• feat!: remove deprecated reexports by @jkowalleck in #1377
• feat!: Component.purl as string by @jkowalleck in #1379
• feat!: remove package url factory by @jkowalleck in #1378
• chore: dev engines by @jkowalleck in #1380
• tests: fix browser tests by @jkowalleck in #1381
• feat!: remove spdx expression validation by @jkowalleck in #1382

Full Changelog: v9.4.1...v10.0.0-rc.2

Fixed

• Type declarations for deprecated symbols support usage as types (#1350 via #1351)

Refactor

• Deprecated symbols turned from re-exports into re-declares (via #1351)
  Note: this change adds runtime overhead for the sake of documentation.

What's Changed

• fix: 6.4.0 deprecated types by @jkowalleck in #1351

Full Changelog: v9.4.0...v9.4.1

Added

• New entry points for /Contrib and known submodules (via #1343)
  See package.json::exports for details.

Changes

• Moved non‑standard implementations to Contrib area (#1344 via #1343)

Deprecated

• Certain exports have been deprecated; downstream imports should be updated to the new locations (#1344 via #1343)
  Note: the symbols themselves remain supported. See documentation and the "Refactored" section below for details.

Refactor

• The following symbols were moved. (#1344 via #1343)
  The symbols are still import-able through their old location.
  • OLD -> NEW
  • Builders.FromNodePackageJson -> Contrib.FromNodePackageJson.Builders
  • Factories.FromNodePackageJson -> Contrib.FromNodePackageJson.Factories
  • Factories.LicenseFactory -> Contrib.License.Factories.LicenseFactory
  • Factories.PackageUrlFactory -> Contrib.PackageUrl.Factories.PackageUrlFactory
  • Types.assertNodePackageJson -> Contrib.FromNodePackageJson.Types.assertNodePackageJson
  • Types.isNodePackageJson -> Contrib.FromNodePackageJson.Types.isNodePackageJson
  • Types.NodePackageJson -> Contrib.FromNodePackageJson.Types.NodePackageJson
  • Utils.BomUtility -> Contrib.Bom.Utils
  • Utils.LicenseUtility -> Contrib.License.Utils
  • Utils.NpmjsUtility -> Contrib.FromNodePackageJson.Utils

Style

• Applied latest code style (via #1341)

Build

• Use webpack v5.103.0 now, was v5.102.1 (via #1340)

What's Changed

• docs: examplesfor CDX17 by @jkowalleck in #1326
• chore(deps): bump actions/download-artifact from 5 to 6 by @dependabot[bot] in #1327
• chore(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #1328
• chore(deps): bump the eslint group across 1 directory with 2 updates by @dependabot[bot] in #1329
• chore(deps): bump knip from 5.66.1 to 5.66.3 in /tools/test-dependencies by @dependabot[bot] in #1330
• chore(deps): bump the eslint group across 1 directory with 2 updates by @dependabot[bot] in #1331
• chore(deps): bump knip from 5.66.3 to 5.66.4 in /tools/test-dependencies by @dependabot[bot] in #1332
• chore(deps): bump the eslint group across 1 directory with 3 updates by @dependabot[bot] in #1333
• chore(deps-dev): bump mocha from 11.7.4 to 11.7.5 in the mocha group across 1 directory by @dependabot[bot] in #1334
• chore(deps): bump knip from 5.66.4 to 5.68.0 in /tools/test-dependencies by @dependabot[bot] in #1335
• chore(deps): bump knip from 5.68.0 to 5.69.1 in /tools/test-dependencies by @dependabot[bot] in #1337
• chore: eslint config fix by @jkowalleck in #1338
• chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #1339
• chore(deps): bump knip from 5.69.1 to 5.70.2 in /tools/test-dependencies by @dependabot[bot] in #1347
• chore(deps-dev): bump webpack from 5.102.1 to 5.103.0 in the webpack group across 1 directory by @dependabot[bot] in #1340
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1341
• chore(deps): bump knip from 5.70.2 to 5.71.0 in /tools/test-dependencies by @dependabot[bot] in #1349
• feat: Moved non‑standard implementations to Contrib area by @jkowalleck in #1343

Full Changelog: v9.2.0...v9.4.0

Added

• Support CycloneDX 1.7 (#1325 via #1324)

What's Changed

• feat: basic support for CycloneDX 1.7 by @jkowalleck in #1324

Full Changelog: v9.1.0...v9.2.0

• Dependencies
  • Support optional peer dependency xmlbuilder2@^3.0.2||^4.0.0, was xmlbuilder2@^3.0.2 (via #1321)
• Build
  • Use TypeScript v5.9.3 now, was v5.9.2 (via #1308)
  • Use webpack v5.102.0 now, was v5.101.3 (via #1309)

What's Changed

• chore(deps-dev): bump memfs from 4.39.0 to 4.42.0 by @dependabot[bot] in #1303
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1302
• chore(deps): bump knip from 5.63.1 to 5.64.1 in /tools/test-dependencies by @dependabot[bot] in #1306
• chore(deps-dev): bump memfs from 4.42.0 to 4.46.1 by @dependabot[bot] in #1305
• chore(deps): bump the eslint group across 1 directory with 3 updates by @dependabot[bot] in #1304
• chore: package-manager-cache: false by @jkowalleck in #1315
• ci: fix install of deps by @jkowalleck in #1316
• chore(deps): bump knip from 5.64.1 to 5.65.0 in /tools/test-dependencies by @dependabot[bot] in #1317
• chore(deps-dev): bump mocha from 11.7.2 to 11.7.4 in the mocha group across 1 directory by @dependabot[bot] in #1310
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1314
• chore(deps-dev): bump typescript from 5.9.2 to 5.9.3 in the typescript group across 1 directory by @dependabot[bot] in #1308
• chore(deps-dev): bump webpack from 5.101.3 to 5.102.0 in the webpack group across 1 directory by @dependabot[bot] in #1309
• chore(deps): bump @eslint/js from 9.37.0 to 9.38.0 in /tools/code-style in the eslint group across 1 directory by @dependabot[bot] in #1318
• chore(deps): bump knip from 5.65.0 to 5.66.0 in /tools/test-dependencies by @dependabot[bot] in #1320
• feat: support xmlbuilder2 v4 by @jkowalleck in #1321
• chore(deps): bump knip from 5.66.0 to 5.66.1 in /tools/test-dependencies by @dependabot[bot] in #1323
• chore(deps): bump eslint-plugin-jsdoc from 61.1.4 to 61.1.5 in /tools/code-style in the eslint group across 1 directory by @dependabot[bot] in #1322

Full Changelog: v9.0.0...v9.1.0

BREAKING Changes

• Optional dependencies became optional peer dependencies (via #1295)

Added

• Give downstream users control over optional dependencies (#1294 via #1295)

What's Changed

• docs: how we manage shipped files by @jkowalleck in #1296
• feat!: give downstream users control over optional dependencies by @GauBen in #1295
• chore(deps-dev): bump memfs from 4.38.2 to 4.39.0 by @dependabot[bot] in #1298
• chore(deps): bump the eslint group across 1 directory with 4 updates by @dependabot[bot] in #1299
• tests: examplesare not part of projects eslint checks by @jkowalleck in #1300

New Contributors

• @GauBen made their first contribution in #1295

Full Changelog: v8.6.0...v9.0.0