Comments (7)
The node module should not be including devDependencies.
It relies on the read-installed module which excludes devDependencies by default.
(cyclonedx-node-module/index.js, line 155 in 70eab8e; https://www.npmjs.com/package/read-installed)
When obtaining package info, the module will only obtain modules in the dependencies section.
(cyclonedx-node-module/index.js, line 67 in 70eab8e)
If you're seeing devDependencies being included, please supply a package.json which can reproduce the problem.
So, first I did an `npm install --only=prod` and then generated the BOM. This included only dependencies.
Then I did an `npm install` and generated the BOM again. This one includes dev dependencies like karma and protractor.
Here is the package.json file:
```json
{
  "name": "myproject",
  "version": "0.1.0",
  "scripts": {
    "bom": "cyclonedx-bom -o bom.xml"
  },
  "private": true,
  "dependencies": {
    "@agm/core": "^1.0.0-beta.5",
    "@angular/animations": "^6.0.3",
    "@angular/common": "^6.0.3",
    "@angular/compiler": "^6.0.3",
    "@angular/core": "^6.0.3",
    "@angular/forms": "^6.0.3",
    "@angular/http": "^6.0.3",
    "@angular/platform-browser": "^6.0.3",
    "@angular/platform-browser-dynamic": "^6.0.3",
    "@angular/router": "^6.0.3",
    "@google/maps": "^0.5.5",
    "@test/account": "dev-latest",
    "@test/animations": "dev-latest",
    "@test/http-interceptors": "dev-latest",
    "@test/notifications": "dev-latest",
    "@test/static-assets": "dev-latest",
    "@progress/kendo-angular-buttons": "^4.0.0",
    "@progress/kendo-angular-dateinputs": "2 - 3",
    "@progress/kendo-angular-dialog": "^3.7.0",
    "@progress/kendo-angular-dropdowns": "^3.4.2",
    "@progress/kendo-angular-excel-export": "1 - 2",
    "@progress/kendo-angular-grid": "^3.6.0",
    "@progress/kendo-angular-inputs": "2 - 3",
    "@progress/kendo-angular-intl": "^1.0.0",
    "@progress/kendo-angular-l10n": "^1.3.0",
    "@progress/kendo-angular-layout": "^3.1.0",
    "@progress/kendo-angular-popup": "^2.0.0",
    "@progress/kendo-angular-tooltip": "^1.1.2",
    "@progress/kendo-data-query": "^1.0.0",
    "@progress/kendo-drawing": "^1.0.0",
    "@progress/kendo-theme-default": "latest",
    "agm-direction": "^0.6.0",
    "bootstrap": "^4.1.1",
    "core-js": "^2.5.4",
    "install": "^0.11.0",
    "moment": "^2.22.2",
    "npm": "^6.1.0",
    "open-iconic": "^1.1.1",
    "popper.js": "^1.14.3",
    "rxjs": "^6.0.0",
    "rxjs-compat": "^6.3.3",
    "zone.js": "^0.8.26"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "~0.6.0",
    "@angular-devkit/build-ng-packagr": "~0.6.5",
    "@angular/cli": "~6.0.0",
    "@angular/compiler-cli": "^6.0.0",
    "@angular/language-service": "^6.0.0",
    "@types/googlemaps": "^3.30.11",
    "@types/jasmine": "~2.8.6",
    "@types/jasminewd2": "~2.0.3",
    "@types/node": "~8.9.4",
    "codelyzer": "~4.2.1",
    "jasmine-core": "~2.99.1",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~1.7.1",
    "karma-chrome-launcher": "~2.2.0",
    "karma-coverage-istanbul-reporter": "~1.4.2",
    "karma-jasmine": "~1.1.1",
    "karma-jasmine-html-reporter": "^0.2.2",
    "ng-packagr": "^3.0.0-rc.2",
    "protractor": "~5.3.0",
    "ts-node": "~5.0.1",
    "tsickle": ">=0.25.5",
    "tslib": "^1.7.1",
    "tslint": "~5.9.1",
    "typescript": "~2.7.2",
    "sonarqube-scanner": "^2.1.0"
  }
}
```
The @test packages are some internal modules.
Could you reproduce the case? Thanks.
@ruimda For what it's worth, I ran into this issue and tried to diagnose it. So, read-installed traverses the node_modules folder to build the dependency tree and marks any devDependencies that exist in that folder as extraneous when using the `dev: false` option, which is the default.
I've created PR #13 to exclude extraneous packages which should resolve the issue.
Thanks a lot. I will follow this closely
0.2.5 was pushed which should solve this issue. Also included is an updated SPDX license list (v3.5). Please reopen if anyone experiences this problem going forward.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.