[BUG] sbom cyclonedx files contain invalid serialNumber

[megatuXXer]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

BOM files in cyclonedx format created by npm-sbom contain an invalid statically UUID value in the serialNumber field:

"serialNumber": "urn:uuid:***",

The problem is, that some tools checking the serialNumber with regular expressions (^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$)

With this tools a box file create by npm-sbom can't be used.

Expected Behavior

serialNumber field should contain a valid UUID value

Steps To Reproduce

1. Create any BOM file with npm-sbom
2. Look up serialNumber field value

Environment

• npm: 11.6.4
• Node.js: 24.11.0
• OS Name: Windows

[wraithgar]

npm stdout egress needs to bypass redaction.

[wraithgar]

The redaction bypass should be moved to the specific output.buffer call. See lib/commands/token.js for an example of where we do this when outputting the actual login token (a case where we very much want redaction bypassed).

[saksham-malhotra-27]

Oh alright ! I just missed your message earlier. working on it.

[saksham-malhotra-27]

Thank you, @wraithgar.
I have implemented the solution, using the same logic you suggested above. I've updated the implementation to use output.standard() with { [META]: true, redact: false } as demonstrated in token.js

 output.standard(JSON.stringify(this.#response, null, 2),
        { 
         [META]: true, 
         redact: false 
        })

Results:

All existing tests are passing. Should I add a specific test to explicitly verify the serialNumber is not redacted, or is the current test coverage sufficient?
Pls let me know. I will open a PR in a few minutes.