1.18.0

Added

• Licenses acknowledgement might be populated (#1171 via #1183)

Misc

• Raised dependency @cyclonedx/cyclonedx-library@^6.6.0, was @^6.5.0 (via #1183)

---

What's Changed

• chore(ci): fix macos runners by @jkowalleck in #1176
• ci: modernize artifact action by @jkowalleck in #1178
• ci: use node22 by @jkowalleck in #1179
• chore: reduce duplicate test beds by @jkowalleck in #1181
• feat: license acknowledgement by @jkowalleck in #1183

Full Changelog: v1.17.0...v1.18.0

1.17.0

Added support for CycloneDX Specification-1.6.

Changed

• This tool explicitly supports CycloneDX Specification-1.6 now (via #1175)

Added

• CLI switch --spec-version now supports value 1.6 to reflect CycloneDX Specification-1.6 (via #1175)
  Default value for that option is unchanged - still 1.4.

Build

• Use TypeScript v5.4.5 now, was v5.4.2 (via #1167)

---

What's Changed

• docs: add CycloneDX 1.6 to README by @XSpielinbox in #1174
• feat: explicitely support CycloneDX 1.6 by @jkowalleck in #1175
• chore(deps-dev): bump typescript from 5.4.2 to 5.4.5 in the typescript group by @dependabot in #1167

New Contributors

• @XSpielinbox made their first contribution in #1174

Full Changelog: v1.16.2...v1.17.0

1.16.2

Style

• Applied latest code standards (via #1149)

Build

• Use TypeScript v5.4.2 now, was v5.3.3 (via #1160)

---

What's Changed

• refactor: fix typescript-eslint annotations by @jkowalleck in #1146
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1149
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1152
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1157
• tests: run with latest CDX spec-version by @jkowalleck in #1158
• chore(deps): bump softprops/action-gh-release from 1 to 2 by @dependabot in #1159
• chore(deps-dev): bump the typescript group with 1 update by @dependabot in #1160

Full Changelog: v1.16.1...v1.16.2

1.16.1

• Fixed
  • Writing large results to buffered streams no longer drops data, but retries until success (via #1145)
• Docs
  • Showcase programmatic CLI usage (#1142 via #1145)

---

What's Changed

• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1139
• fix: large results on small streams by @jkowalleck in #1145

Full Changelog: v1.16.0...v1.16.1

1.16.0

Change

• If BOM result validation was explicitly requested and skipped, then a warning is shown (#1137 via #1138)
• Log messages that explain program failures were set to "error" level (via #1138)

---

What's Changed

• Escalate various log messages by @jkowalleck in #1138

Full Changelog: v1.15.0...v1.16.0

1.15.0

Changed

• Log output is less verbose, can be re-enabled via CLI switch --verbose (#158 via #1131)
  Warnings and errors are still displayed as before!
  This is considered a non-breaking change, since only informational logs and debug information is affected.
• Hardened JSON imports (via #1132, #1135)

Added

• CLI switch -v, --verbose to increase output verbosity (#158 via #1131)
  May be used multiple times, like -vvv.
• More logs on info-level (via #1131)
• More logs on debug-level (via #1131)

Build

• Use TypeScript v5.3.3 now, was v5.3.2 (via #1133)

---

What's Changed

• chore(deps-dev): bump the eslint group with 1 update by @dependabot in #1128
• ci: test more node versions by @jkowalleck in #1130
• feat: hardened JSON imports by @jkowalleck in #1132
• feat: more logs & configurable log level by @jkowalleck in #1131
• chore(deps-dev): bump the typescript group with 1 update by @dependabot in #1133
• hardened JSON imports by @jkowalleck in #1135
• refactor & bump eslint-config-standard-with-typescript@41.0.0 by @jkowalleck in #1136

Full Changelog: v1.14.3...v1.15.0

1.14.3

Fixed

• Added direct dependency packageurl-js as such (via #1122)

Docs

• Fixed typos (via #1123)

Style

• Applied latest code standards (via #1124)

Build

• Use TypeScript v5.3.2 now, was v5.2.2 (via #1125)

---

What's Changed

• fix: excplicitely require direct dependency packageurl-js by @jkowalleck in #1122
• docs: fix typos by @jkowalleck in #1123
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1124
• chore(deps-dev): bump the typescript group with 1 update by @dependabot in #1125

Full Changelog: v1.14.2...v1.14.3

1.14.2

Fixed

• SBOM results might have the externalReferences[].hashes populated (#1118 via #1120)
  The hashes might have wrongly appeared as components[].hashes before.
• Components' distribution integrity hash of "sha256" is properly detected and populated in the SBOM result ([#699] via #1121)
• Components' distribution integrity hash of "sha384" is properly detected and populated in the SBOM result ([#699] via #1121)

Misc

• Raised dependency @cyclonedx/cyclonedx-library@^6.1.0, was @^3||^4||^5||^6 (via #1120)

---

What's Changed

• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1110
• chore(deps-dev): bump the eslint group with 2 updates by @dependabot in #1112
• docs: publish test coverage by @jkowalleck in #1113
• chore(deps-dev): bump the eslint group with 1 update by @dependabot in #1114
• chore(deps): bump actions/setup-node from 3 to 4 by @dependabot in #1115
• chore(deps-dev): bump the eslint group with 1 update by @dependabot in #1119
• fix: move distribution hashes where they belong by @jkowalleck in #1120
• fix: detect integrity hashes sha256 sha384 by @jkowalleck in #1121

Full Changelog: v1.14.1...v1.14.2

1.14.1

Fixed

• explicit allow engine npm@10 (via #1107)
  This is a bugfix for an existing feature (see #973).

Tests

• added regression test for all supported NPM versions (via #1108)

---

New Contributors

• @joonamo made their first contribution in #1107

Full Changelog: v1.14.0...v1.14.1

1.14.0

Added

• SBOM result might have additional items in metadata.tools populated (#1100 via #1101)

---

Full Changelog: v1.13.3...v1.14.0