.release-please-manifest.json

@@ -1,5 +1,5 @@
 {
-  ".": "9.9.1",
+  ".": "9.9.2",
   "workspaces/arborist": "6.5.0",
   "workspaces/libnpmaccess": "7.0.2",
   "workspaces/libnpmdiff": "5.0.20",
@@ -8,7 +8,7 @@
   "workspaces/libnpmhook": "9.0.3",
   "workspaces/libnpmorg": "5.0.4",
   "workspaces/libnpmpack": "5.0.20",
-  "workspaces/libnpmpublish": "7.5.0",
+  "workspaces/libnpmpublish": "7.5.1",
   "workspaces/libnpmsearch": "6.0.2",
   "workspaces/libnpmteam": "5.0.3",
   "workspaces/libnpmversion": "4.0.2",

AUTHORS

@@ -892,3 +892,4 @@ Rahul <122141535+rahulio96@users.noreply.github.com>
 AaronHamilton965 <91709196+AaronHamilton965@users.noreply.github.com>
 Fabian Vilers <fabian.vilers@dev-one.com>
 Yuku Kotani <yukukotani@gmail.com>
+Manuel Spigolon <behemoth89@gmail.com>

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [9.9.2](https://github.com/npm/cli/compare/v9.9.1...v9.9.2) (2023-11-14)
+
+### Bug Fixes
+
+* [`4c9a5e1`](https://github.com/npm/cli/commit/4c9a5e15cdb7195a0781d765997eab49ef759d36) [#6993](https://github.com/npm/cli/pull/6993) look in workspace for exec commands (#6993) (@wraithgar)
+* [`bb6f496`](https://github.com/npm/cli/commit/bb6f4960caebfefa81bfb82bbee2a54ff2b3a8b4) [#6992](https://github.com/npm/cli/pull/6992) correctly handle object licenses in SBOM generation (#6992) (@bdehamer, @jamietanna)
+* [`10db3ca`](https://github.com/npm/cli/commit/10db3ca830408721c3d1ed108a4f04d9135a0598) [#6990](https://github.com/npm/cli/pull/6990) pkg: properly output in workspace mode (#6990) (@wraithgar)
+
+### Documentation
+
+* [`6ab06d7`](https://github.com/npm/cli/commit/6ab06d7a86614abb9b296feb85864e86f178f97e) [#6985](https://github.com/npm/cli/pull/6985) update npm-prune description (#6985) (@Eomm)
+
+### Dependencies
+
+* [Workspace](https://github.com/npm/cli/releases/tag/libnpmpublish-v7.5.1): `libnpmpublish@7.5.1`
+
 ## [9.9.1](https://github.com/npm/cli/compare/v9.9.0...v9.9.1) (2023-10-30)
 
 ### Bug Fixes

docs/lib/content/commands/npm-prune.md

@@ -16,10 +16,9 @@ then only packages matching one of the supplied names are removed.
 Extraneous packages are those present in the `node_modules` folder that are
 not listed as any package's dependency list.
 
-If the `--production` flag is specified or the `NODE_ENV` environment
+If the `--omit=dev` flag is specified or the `NODE_ENV` environment
 variable is set to `production`, this command will remove the packages
-specified in your `devDependencies`. Setting `--no-production` will negate
-`NODE_ENV` being set to `production`.
+specified in your `devDependencies`.
 
 If the `--dry-run` flag is used then no changes will actually be made.
 

lib/commands/exec.js

@@ -34,24 +34,33 @@ class Exec extends BaseCommand {
     for (const [name, path] of this.workspaces) {
       const locationMsg =
         `in workspace ${this.npm.chalk.green(name)} at location:\n${this.npm.chalk.dim(path)}`
-      await this.callExec(args, { locationMsg, runPath: path })
+      await this.callExec(args, { name, locationMsg, runPath: path })
     }
   }
 
-  async callExec (args, { locationMsg, runPath } = {}) {
-    // This is where libnpmexec will look for locally installed packages
+  async callExec (args, { name, locationMsg, runPath } = {}) {
+    // This is where libnpmexec will look for locally installed packages at the project level
     const localPrefix = this.npm.localPrefix
+    // This is where libnpmexec will look for locally installed packages at the workspace level
+    let localBin = this.npm.localBin
+    let path = localPrefix
 
     // This is where libnpmexec will actually run the scripts from
     if (!runPath) {
       runPath = process.cwd()
+    } else {
+      // We have to consider if the workspace has its own separate versions
+      // libnpmexec will walk up to localDir after looking here
+      localBin = resolve(this.npm.localDir, name, 'node_modules', '.bin')
+      // We also need to look for `bin` entries in the workspace package.json
+      // libnpmexec will NOT look in the project root for the bin entry
+      path = runPath
     }
 
     const call = this.npm.config.get('call')
     let globalPath
     const {
       flatOptions,
-      localBin,
       globalBin,
       globalDir,
       chalk,
@@ -79,14 +88,14 @@ class Exec extends BaseCommand {
       // copy args so they dont get mutated
       args: [...args],
       call,
-      localBin,
-      locationMsg,
+      chalk,
       globalBin,
       globalPath,
+      localBin,
+      locationMsg,
       output,
-      chalk,
       packages,
-      path: localPrefix,
+      path,
       runPath,
       scriptShell,
       yes,

lib/commands/pkg.js

@@ -82,10 +82,9 @@ class Pkg extends BaseCommand {
       }
     }
 
-    // only outputs if not running with workspaces config,
-    // in case you're retrieving info for workspaces the pkgWorkspaces
-    // will handle the output to make sure it get keyed by ws name
-    if (!this.npm.config.get('workspaces')) {
+    // only outputs if not running with workspaces config
+    // execWorkspaces will handle the output otherwise
+    if (!this.workspaces) {
       this.npm.output(JSON.stringify(result, null, 2))
     }
 

lib/utils/sbom-cyclonedx.js

@@ -86,7 +86,14 @@ const toCyclonedxItem = (node, { packageType }) => {
 
   let parsedLicense
   try {
-    parsedLicense = parseLicense(node.package?.license)
+    let license = node.package?.license
+    if (license) {
+      if (typeof license === 'object') {
+        license = license.type
+      }
+    }
+
+    parsedLicense = parseLicense(license)
   } catch (err) {
     parsedLicense = null
   }
@@ -152,7 +159,7 @@ const toCyclonedxItem = (node, { packageType }) => {
   // If license is a single SPDX license, use the license field
   if (parsedLicense?.license) {
     component.licenses = [{ license: { id: parsedLicense.license } }]
-  // If license is a conjunction, use the expression field
+    // If license is a conjunction, use the expression field
   } else if (parsedLicense?.conjunction) {
     component.licenses = [{ expression: node.package.license }]
   }

lib/utils/sbom-spdx.js

@@ -93,6 +93,13 @@ const toSpdxItem = (node, { packageType }) => {
     location = node.linksIn.values().next().value.location
   }
 
+  let license = node.package?.license
+  if (license) {
+    if (typeof license === 'object') {
+      license = license.type
+    }
+  }
+
   const pkg = {
     name: node.packageName,
     SPDXID: toSpdxID(node),
@@ -103,7 +110,7 @@ const toSpdxItem = (node, { packageType }) => {
     downloadLocation: (node.isLink ? undefined : node.resolved) || NO_ASSERTION,
     filesAnalyzed: false,
     homepage: node.package?.homepage || NO_ASSERTION,
-    licenseDeclared: node.package?.license || NO_ASSERTION,
+    licenseDeclared: license || NO_ASSERTION,
     externalRefs: [
       {
         referenceCategory: REF_CAT_PACKAGE_MANAGER,

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "npm",
-  "version": "9.9.1",
+  "version": "9.9.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "npm",
-      "version": "9.9.1",
+      "version": "9.9.2",
       "bundleDependencies": [
         "@isaacs/string-locale-compare",
         "@npmcli/arborist",
@@ -120,7 +120,7 @@
         "libnpmhook": "^9.0.3",
         "libnpmorg": "^5.0.4",
         "libnpmpack": "^5.0.20",
-        "libnpmpublish": "^7.5.0",
+        "libnpmpublish": "^7.5.1",
         "libnpmsearch": "^6.0.2",
         "libnpmteam": "^5.0.3",
         "libnpmversion": "^4.0.2",
@@ -16143,7 +16143,7 @@
       }
     },
     "workspaces/libnpmpublish": {
-      "version": "7.5.0",
+      "version": "7.5.1",
       "license": "ISC",
       "dependencies": {
         "ci-info": "^3.6.1",

package.json

@@ -1,5 +1,5 @@
 {
-  "version": "9.9.1",
+  "version": "9.9.2",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -83,7 +83,7 @@
     "libnpmhook": "^9.0.3",
     "libnpmorg": "^5.0.4",
     "libnpmpack": "^5.0.20",
-    "libnpmpublish": "^7.5.0",
+    "libnpmpublish": "^7.5.1",
     "libnpmsearch": "^6.0.2",
     "libnpmteam": "^5.0.3",
     "libnpmversion": "^4.0.2",

tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs

@@ -912,6 +912,61 @@ exports[`test/lib/utils/sbom-cyclonedx.js TAP single node - with license express
 }
 `
 
+exports[`test/lib/utils/sbom-cyclonedx.js TAP single node - with license object > must match snapshot 1`] = `
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-01-01T00:00:00.000Z",
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
+    "tools": [
+      {
+        "vendor": "npm",
+        "name": "cli",
+        "version": "10.0.0 "
+      }
+    ],
+    "component": {
+      "bom-ref": "root@1.0.0",
+      "type": "library",
+      "name": "root",
+      "version": "1.0.0",
+      "scope": "required",
+      "author": "Author",
+      "purl": "pkg:npm/root@1.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        }
+      ],
+      "externalReferences": [],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
+    }
+  },
+  "components": [],
+  "dependencies": [
+    {
+      "ref": "root@1.0.0",
+      "dependsOn": []
+    }
+  ]
+}
+`
+
 exports[`test/lib/utils/sbom-cyclonedx.js TAP single node - with repository url > must match snapshot 1`] = `
 {
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",