Changelog

All notable changes to this project will be documented in this file.

unreleased

Fixed
- Type declarations for deprecated symbols support usage as types (#1350 via #1351)
Refactor
- Deprecated symbols turned from re-exports into re-declares (via #1351)
  Note: this change adds runtime overhead for the sake of documentation.

9.4.0 – 2025-12-02

Added
- New entry points for /Contrib and known submodules (via #1343)
  See package.json::exports for details.
Changes
- Moved non‑standard implementations to Contrib area (#1344 via #1343)
Deprecated
- Certain exports have been deprecated; downstream imports should be updated to the new locations (#1344 via #1343)
  Note: the symbols themselves remain supported. See documentation and the “Refactored” section below for details.
Refactor
- The following symbols were moved. (#1344 via #1343)
  The symbols are still import-able through their old location.
  - OLD -> NEW
  - Builders.FromNodePackageJson -> Contrib.FromNodePackageJson.Builders
  - Factories.FromNodePackageJson -> Contrib.FromNodePackageJson.Factories
  - Factories.LicenseFactory -> Contrib.License.Factories.LicenseFactory
  - Factories.PackageUrlFactory -> Contrib.PackageUrl.Factories.PackageUrlFactory
  - Types.assertNodePackageJson -> Contrib.FromNodePackageJson.Types.assertNodePackageJson
  - Types.isNodePackageJson -> Contrib.FromNodePackageJson.Types.isNodePackageJson
  - Types.NodePackageJson -> Contrib.FromNodePackageJson.Types.NodePackageJson
  - Utils.BomUtility -> Contrib.Bom.Utils
  - Utils.LicenseUtility -> Contrib.License.Utils
  - Utils.NpmjsUtility -> Contrib.FromNodePackageJson.Utils
Style
- Applied latest code style (via #1341)
Build
- Use webpack v5.103.0 now, was v5.102.1 (via #1340)

9.2.0 – 2025-10-22

Added
- Support CycloneDX 1.7 (#1325 via #1324)

9.1.0 – 2025-10-20

Dependencies
- Support optional peer dependency xmlbuilder2@^3.0.2||^4.0.0, was xmlbuilder2@^3.0.2 (via #1321)
Build
- Use TypeScript v5.9.3 now, was v5.9.2 (via #1308)
- Use webpack v5.102.0 now, was v5.101.3 (via #1309)

9.0.0 – 2025-09-15

BREAKING Changes
- Optional dependencies became optional peer dependencies (via #1295)
Added
- Give downstream users control over optional dependencies (#1294 via #1295)

8.6.0 – 2025-09-09

Changed
- Pulled SPDX license IDs v1.0-3.27.0 (via #1293)

8.5.1 – 2025-09-03

Build
- Use TypeScript v5.9.2 now, was v5.8.3 (via #1285)
- Use webpack v5.101.3 now, was v5.99.9 (via #1262, #1267, #1283)

8.5.0 – 2025-07-14

Added
- Public export types.NodePackageJson, which is the input type for various factories and builders (via #1263)

8.4.0 – 2025-06-16

Fixed
- Type exports for the web (via #1252)
Added
- New class Utils.LicenseUtility.LicenseEvidenceGatherer (#1162 via #1249)

8.3.0 – 2025-06-05

Added
- Pulled SPDX license IDs v1.0-3.26.0 (via #1248)

8.2.0 – 2025-06-05

Added
- factories.FromNodePackageJson.makeExternalReferences() supports “dist” field (#1247 via #1246)
- New symbols under utils.NpmjsUtility (via #1246)
  - defaultRegistryMatcher
  - parsePackageIntegrity

8.1.0 – 2025-06-04

Support for Node.js v24.

Dependencies
- Support libxmljs2@^0.35||^0.37, was @^0.35 (via #1243)
Build
- Use TypeScript v5.8.3 now, was v5.8.2 (via #1227)
- Use webpack v5.99.6 now, was v5.98.0 (via #1229, #1231)
Misc
- CI/CT: test also with Node.js v24 (via #1244)

8.0.0 – 2025-03-17

BREAKING Changes
- Dropped support for node<20.18.0 (#1081 via #1209)
Refactor
- Imports of built-in modules are prefixed with node: (#1198 via #1210)
Build
- Use TypeScript v5.8.2 now, was v5.7.2 (via #1204, #1217)
- Use webpack v5.98.0 now, was v5.97.1 (via #1213)

7.1.0 – 2025-01-09

Added
- New type Models.Copyright and class Models.CopyrightRepository (via #1202)
- New type Models.AttachmentContent (via #1202)
Changed
- Replace usage of internals Stringable & SortableStringables with public API (#1192 via #1202)
  This is considered a non-breaking change, as the types are not changed, but made publicly available.
Style
- Apply latest code style guide (via #1201)
Misc
- Support npm11 (#1191 via #1203)

7.0.0 – 2024-11-26

BREAKING changes
- Property Models.Bom.tools is an instance of Models.Tools now (#1152 via #1163)
  Before, it was an instance of Models.ToolRepository.
- Property Models.Vulnerability.tools is an instance of Models.Tools now (via #1163)
  Before, it was an instance of Models.ToolRepository.
Added
- Static function Models.Tool.fromComponent() (via #1163)
- Static function Models.Tool.fromService() (via #1163)
- New class Models.Tools (#1152 via #1163)
- New serialization/normalization for Models.Tools (#1152 via #1163, #1180)
Changed
- Serializers and Bom-Normalizers will take changed Models.Bom.tools into account (#1152 via #1163)
- Serializers and Vulnerability-Normalizers will take changed Models.Vulnerability.tools into account (via #1163)
Style
- Apply latest code style guide (via #1170, #1181)
Dependencies
- Support libxmljs2@^0.35 (via #1173)
- Use packageurl-js@^2.0.1, was @>=0.0.6 <0.0.8 || ^1 (via #1142)
Build
- Use TypeScript v5.7.2 now, was v5.6.3 (via #1182)

6.13.1 – 2024-12-22

Dependencies
- Support libxmljs2@^0.35 (via #1196)

6.13.0 – 2024-11-18

Added
- Support CycloneDX 1.6.1 (#1176 via #1177)

6.12.0 – 2024-11-12

Added
- Support for services (#1164 via #1165)
- New class Models.Service (#1164 via #1165)
- New class Models.ServiceRepository (#1164 via #1165)
- Class Models.Bom got new property services (#1164 via #1165)
- Serializers and Bom-Normalizers will take Models.Bom.services into account (#1164 via #1165)
Build
- Use webpack v5.96.1 now, was v.95.0 (via #1159)

6.11.1 – 2024-10-24

Fixed
- Encode quotation marks in URLs (#1154 via #1155)
Build
- Use TypeScript v5.6.3 now, was v5.5.3 (via #1130, #1144, #1150)
- Use webpack v5.95.0 now, was v5.93.0 (via #1138, #1147)

6.11.0 – 2024-07-15

Changed
- Factories.FromNodePackageJson.ExternalReferenceFactory.makeVcs() tries to canonicalize git-URLs (#1119 via #1120)
Fixed
- Improved URL sanitizer (via #1121)
Build
- Use webpack v5.93.0 now, was v5.92.1 (via #1122)

6.10.1 – 2024-07-03

Fixed
- XML: properly handle normalizedString & token (#1098 via #1116)
Build
- Use TypeScript v5.5.3 now, was v5.4.5 (via #1108)
- Use webpack v5.92.1 now, was v5.91.0 (via #1091, #1094)

6.10.0 – 2024-06-06

Changed
- Existing Serialize.XmlSerializer.serialize() for Node.js may throw Serialize.MissingOptionalDependencyError (via #1084)
  This is considered a non-breaking change, as the docs always told that any Error may be thrown.
- Improved the verbose error messages when a functionality failed due to absence of optional/pluggable dependency.
Added
- New class Serialize.MissingOptionalDependencyError (via #1084)
Misc
- Refactored functionality around optional/pluggable dependencies (via #1083, #1084)
  This was done in preparation for #1079.

6.9.5 – 2024-05-23

Maintenance release.

Chore
- The package will be published to GitHub package registry, too. (#1026 via #1078)

6.9.0 – 2024-05-23

Changed
- Updated SPDX license list to v3.24.0 (via #1077)

6.8.2 – 2024-05-21

Fixed
- Added Factories.PackageUrlFactory‘s generic type’s default back in (via #1076)

6.8.1 – 2024-05-21

Fixed
- Hardened Factories.FromNodePackageJson.PackageUrlFactory‘s default package repository detection (#1073 via #1074)

6.8.0 – 2024-05-14

Added
- Explicitly export own first-level submodules via package manifest (#87 via #1066)
  When used with bundlers/packers downstream, this might enable better tree shaking due to scoped imports.
Refactor
- Ease internal tree shaking (via #1066)

6.7.2 – 2024-05-07

Changed
- The provided XML validation capabilities were explicitly hardened (via #1064; concerns #1061)
  This is considered a security measure concerning XML external entity (XXE) injection.

6.7.1 – 2024-05-07

Reverted v6.7.0, back to v6.6.1
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

6.7.0 – 2024-05-07

!! THIS VERSION GOT YANKED !!
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

Changed
- The provided XML validation capabilities no longer supports external entities (via #1063; concerns #1061)
  This is considered a security measure to prevent XML external entity (XXE) injection.

6.6.1 – 2024-05-06

Fixed
- JSON validator allow arbitrary $schema (#1059 via #1060)

6.6.0 – 2024-04-26

Changed
- Serializers and License-Normalizers will take license acknowledgement into account (#1051 via #1052)
Added
- Namespace Enums
  - New enum LicenseAcknowledgement (#1051 via #1052)
- Namespace Models
  - Class LicenseExpression got new property acknowledgement (#1051 via #1052)
  - Class NamedLicense got new property acknowledgement (#1051 via #1052)
  - Class SpdxLicense got new property acknowledgement (#1051 via #1052)

6.5.1 – 2024-04-16

Dependencies
- Bumped the range of optional requirement ajv-formats to ^3.0.1, was ^2.1.1 (via #1037)
  This should fix JSON-validation for time/date.

6.5.0 – 2024-04-11

Added support for *CycloneDX* Specification-1.6.

Changed
- Normalizers support CycloneDX Specification-1.6 (#1039 via #1041)
- Validators support CycloneDX Specification-1.6 (#1039 via #1041)
Added
- Existing Enums got new members and values for CycloneDX Specification-1.6 (#1039 via #1041)
  - Enums.ComponentType.CryptographicAsset
  - Enums.ExternalReferenceType.SourceDistribution
  - Enums.ExternalReferenceType.ElectronicSignature
  - Enums.ExternalReferenceType.DigitalSignature
  - Enums.ExternalReferenceType.RFC9116
- Namespace Spec was enhanced for CycloneDX Specification-1.6 (#1039 via #1041)
  - New const Spec.Spec1dot6
  - New enum member Spec.Version.v1dot6
Build
- Use TypeScript v5.4.5 now, was v5.4.3 (via #1040)

6.4.2 – 2024-03-21

Build
- Use TypeScript v5.4.3 now, was v5.4.2 (via #1030)
- Use webpack v5.91.0 now, was v5.90.3 (via #1031)

6.4.1 – 2024-03-18

Documentation
- Rendered (API) docs are hosted on readthedocs (#1027 via #1028)
Build
- Use TypeScript v5.4.2 now, was v5.3.3 (via #1021)

6.4.0 – 2024-02-26

Added
- Class Models.Metadata got a new property licenses (#1019 via #1020)
- Class Models.Metadata got a new property properties (#1019 via #1020)

6.3.2 – 2024-02-25

Refactor
- Removed dynamic imports in Node.js-specific XML serializer lookup (#1017 via #1018)
  This should improve compatibility with linkers and bundlers.
Build
- Use webpack v5.90.3 now, was v5.89.0 (via #1008, #1013, #1015)

6.3.1 – 2023-12-11

Maintenance release

6.3.0 – 2023-12-11

Dependencies
- Widened optional dependency libxmljs2@^0.31||^0.32||^0.33, was @^0.31||^0.32 (via #1001)

6.2.0 – 2023-12-11

Changed
- Serialization/normalization guarantees valid URI values (#992 via #996)

6.1.3 – 2023-12-09

Fixed
- Possible bug in XML serialization of undefined children (via #1000)
Build
- Use TypeScript v5.3.3 now, was v5.3.2 (via #999)

6.1.2 – 2023-12-02

Maintenance release.

Misc
- Widened dependency spdx-expression-parse@^3.0.1||^4, was @^3.0.1 (via #993)
- CI/CT: test also with Node.js v21 (via #995)

6.1.1 – 2023-12-01

Maintenance release.

Style
- Apply latest code style guide (via #988, #990)
Build
- Use TypeScript v5.3.2 now, was v5.2.2 (via #990)
- Use ts-loader v9.5.1 now, was v9.5.0 (via #990)

6.1.0 – 2023-11-05

Added
- Class Models.ExternalReference got a new property hashes (#984 via #985)
- Serializers and ExternalReference-Normalizers will take Models.ExternalReference.hashes into account (#984 via #985)
Build
- Use webpack v5.89.0 now, was v5.88.2 (via #979)
- Use ts-loader v9.5.0 now, was v9.4.4 (via #977)

6.0.0 – 2023-08-26

BREAKING
- Interface Spec.Protocol was removed from public API (#957 via #958)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
  This change was necessary, so that implementing more spec-features cause no breaking changes.
Build
- Use TypeScript v5.2.2 now, was v5.1.6 (via #966)

5.0.0 – 2023-08-16

BREAKING
- Interface Spec.Protocol now defines new mandatory methods (via #946)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
Added
- New enum Enums.Lifecycle with corresponding values from CycloneDX Specification-1.5 (#937 via #946)
- New class Models.NamedLifecycle (#937 via #946)
- New class Models.LifecycleRepository (#937 via #946)
- Class Models.Metadata got a new property lifecycles (#937 via #946)
- Serializers and Metadata-Normalizers will take Models.Metadata.lifecycles into account (#937 via #946)
Build
- Use webpack v5.88.2 now, was v5.88.1 (via #933)

4.0.0 – 2023-07-05

BREAKING
- Usage of this library in web browsers might no longer work out of the box (via #880)
  It might require a bundler/packer for web; see the examples/web/.
  This is only a breaking change if you used this library in a web browser.
Fixed
- Properly exclude external packages when preparing this library for web browsers (#883 via #880)
Examples
- Adjusted and extended examples for usage in web browsers (#883 via #880)
  Removed outdated examples/web/*, added examples/web/parcel & examples/web/webpack.
- Added examples for usage of CDX.Factories.PackageUrlFactory (via #882, #886)
Build
- Use TypeScript v5.1.6 now, was v5.1.5 (via #866)
- Use webpack v5.88.1 now, was v5.88.0 (via #870)
- Apply wider rules for externals in webpack build (#883 via #880)

3.0.0 – 2023-06-28

Added support for *CycloneDX* Specification-1.5.
Added functionality regarding *CycloneDX* BOM-Link.

BREAKING
- Interface Spec.Protocol now defines new mandatory methods (via #843)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
Changed
- Normalizers support CycloneDX Specification-1.5 (#505 via #843)
- Validators support CycloneDX Specification-1.5 (#505 via #843)
- Some models’ properties were widened to support CycloneDX BOM-Link (via #856)
Added
- Existing Enums got the new members and values for CycloneDX Specification-1.5 (#505 via #843)
- Namespace Spec was enhanced for CycloneDX Specification-1.5 (#505 via #843)
- Dedicated classes and types for CycloneDX BOM-Link (via #843, #856, #857)

API changes v3 - the details

BREAKING
- Interface Spec.Protocol now defines a new mandatory method supportsVulnerabilityRatingMethod() (via #843)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
Changed
- Namespace Models
  - Method BomRef.compare() accepts every stringable now, was Models.BomRef only (via #856)
  - Class ExternalReference‘s property url also accepts BomLink now, was URL|string only (via #856)
  - Class Vulnerability.Affect‘s property ref also accepts BomLinkElement now, was BomRef only (via #856)
- Namespace Serialize.{JSON,XML}.Normalize
  - All classes support CycloneDX Specification-1.5 now (#505 via #843)
  - Methods VulnerabilityRatingNormalizer.normalize() omit unsupported values for Models.Vulnerability.Rating.method (via #843)
    This utilizes the new method Spec.Protocol.supportsVulnerabilityRatingMethod().
- Namespace Validation
  - Classes {Json,JsonStrict,Xml}Validator support CycloneDX Specification-1.5 now (#505 via #843)
Added
- Namespace Enums
  - Enum ComponentType got new members (#505 via #843)
    New: Data, DeviceDriver, MachineLearningModel, Platform
  - Enum ExternalReferenceType got new members (#505 via #843)
    New: AdversaryModel, Attestation, CertificationReport, CodifiedInfrastructure, ComponentAnalysisReport, Configuration, DistributionIntake, DynamicAnalysisReport, Evidence, ExploitabilityStatement, Formulation, Log, MaturityReport, ModelCard, POAM, PentestReport, QualityMetrics, RiskAssessment, RuntimeAnalysisReport, SecurityContact, StaticAnalysisReport, ThreatModel, VulnerabilityAssertion
  - Enum Vulnerability.RatingMethod got new members (#505 via #843)
    New: CVSSv4, SSVC
- Namespace Models
  - New classes BomLinkDocument and BomLinkDocument to represent CycloneDX BOM-Link (via #843, #856, #857)
  - New type BomLink to represent CycloneDX BOM-Link (via #843, #856)
- Namespace Spec
  - Enum Version got new member v1dot5 to reflect CycloneDX Specification-1.5 (#505 via #843)
  - Constant SpecVersionDict got new entry to reflect CycloneDX Specification-1.5 (#505 via #843)
  - New constant Spec1dot5 to reflect CycloneDX Specification-1.5 (#505 via #843)
  - Constants Spec1dot{2,3,4} got a new method supportsVulnerabilityRatingMethod() (via #843)
  - Interface Protocol has a new method supportsVulnerabilityRatingMethod() (via #843)
Misc
- Added functional and integration tests for CycloneDX Specification-1.5 (#505 via #843)
- Added unit tests for CycloneDX BOM-Link (via #843, #856)
- Fetched latest stable schema definition files for offline usage (via #843)
- Improved internal documentation (via #856)
Build
- Use TypeScript v5.1.5 now, was v5.1.3 (via #860)
- Use webpack v5.88.0 now, was v5.86.0 (via #841)

2.1.0 – 2023-06-10

Changed
- Classes Serialize.Xml.Normalize.Vulnerability*Normalizer are now public available (via #816)
  Previously, only instances were available via Serialize.Xml.Normalize.Factory.makeForVulnerability*().
Build
- Use TypeScript v5.1.3 now, was v5.0.4 (via #790)
- Use webpack v5.86.0 now, was v5.82.1 (via #802)

2.0.0 – 2023-05-17

Improved license detection.
Finished Vulnerability capabilities.
Added ComponentEvidence capabilities.

BREAKING
- Method Factories.LicenseFactory.makeFromString() was changed in its behavior (#271, #530 via #547)
  It will try to create Models.SpdxLicense if value is eligible, else try to create Models.LicenseExpression if value is eligible, else fall back to Models.NamedLicense.
- Revisited sort and compare:
  - Methods Models.*.compare() may return different numbers than before.
  - Methods Models.*.sorted() may return different orders than before.
- Removed deprecated symbols (#747 via #752)
Changed
- Removed beta state from symbols {Enums,Models}.Vulnerability.* (#164 via #722)
  The structures are defined as stable now.
- Some property/parameter types were widened, enabling the use of Buffer and other data-saving mechanisms (#406, #516 via #753)
Added
- New data models and serialization/normalization for Models.ComponentEvidence (#516 via #753)
- Serializers and Component-Normalizers will take Models.Component.evidence into account (#516 via #753)
- Serializers and Bom-Normalizers will take Models.Bom.vulnerabilities into account (#164 via #722)
Misc
- Internal rework, modernization, refactoring

API changes v2 - the details

BREAKING
- Class Factories.LicenseFactory was modified
  - Renamed method makeDisjunctiveWithId() -> makeSpdxLicense() (#530 via #547)
  - Renamed method makeDisjunctiveWithName() -> makeNamedLicense() (#530 via #547)
- Class Models.LicenseExpression was modified
  - Removed static function isEligibleExpression() (via #547)
    Use Spdx.isValidSpdxLicenseExpression() instead.
  - Constructor no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeExpression() to mimic the previous behavior.
  - Property expression setter no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeExpression() to mimic the previous behavior.
- Class Models.SpdxLicense was modified
  - Constructor no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeSpdxLicense() to mimic the previous behavior.
  - Property id setter no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeSpdxLicense() to mimic the previous behavior.
- Interface Spec.Protocol now defines a new mandatory property supportsComponentEvidence:boolean (via #753)
- Interface Spec.Protocol now defines a new mandatory property supportsVulnerabilities:boolean (via #722)
- Removed deprecated symbols (#747 via #752)
  - Namespaces {Builders,Factories}.FromPackageJson were removed.
    You may use {Builders,Factories}.FromNodePackageJson instead.
  - Class Models.HashRepository was removed.
    You may use Models.HashDictionary instead.
  - Methods Serialize.{Json,Xml}.Normalize.*.normalizeRepository() were removed.
    You may use Serialize.{Json,Xml}.Normalize.*.normalizeIterable() instead
  - Type alias Types.UrnUuid was removed.
    You may use string instead.
  - Type predicate Types.isUrnUuid() was removed.
Changed
- Class Models.Attachment was modified
  - Property content was widened to be any stringable, was string (#406, #516 via #753)
    This enables the use of Buffer and other data-saving mechanisms.
- Class Models.Component was modified
  - Property copyright was widened to be any stringable, was string (#406, #516 via #753)
    This enables the use of Buffer and other data-saving mechanisms.
- Class Models.Vulnerability.Credits was modified
  - Property organizations is no longer optional (via #722)
    This collection(Set) will always exist, but might be empty.
    This is considered a non-breaking change, as the class was in beta state.
  - Property individuals is no longer optional (via #722)
    This collection(Set) will always exist, but might be empty.
    This is considered a non-breaking change, as the class was in beta state.
Added
- Namespace Models was enhanced
  - Class Component was enhanced
    - New optional property evidence of type Models.ComponentEvidence (#516 via #753)
  - New Class ComponentEvidence (#516 via #753)
  - Namespace Vulnerability was enhanced
    - Class Advisory was enhanced
      - New method compare() (via #722)
    - Class AdvisoryRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - Class Affect was enhanced
      - New method compare() (via #722)
    - Class AffectRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - Class AffectedSingleVersion was enhanced
      - New method compare() (via #722)
    - Class AffectedVersionRange was enhanced
      - New method compare() (via #722)
    - Class AffectedVersionRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - Class Rating was enhanced
      - New method compare() (via #722)
    - Class RatingRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - class Reference was enhanced
      - New method compare() (via #722)
    - Class ReferenceRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - class Source was enhanced
      - New method compare() (via #722)
    - class Vulnerability was enhanced
      - New method compare() (via #722)
    - Class VulnerabilityRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
- Namespaces Serialize.{Json,Xml}.Normalize were enhanced
  - Class Factory was enhanced
    - New Method makeForComponentEvidence() (#516 via #753)
    - New method makeForVulnerability() (#164 via #722)
    - New method makeForVulnerabilitySource() (#164 via #722)
    - New method makeForVulnerabilityReference() (#164 via #722)
    - New method makeForVulnerabilityRating (#164 via #722)
    - New method makeForVulnerabilityAdvisory (#164 via #722)
    - New method makeForVulnerabilityCredits (#164 via #722)
    - New method makeForVulnerabilityAffect (#164 via #722)
    - New method makeForVulnerabilityAffectedVersion (#164 via #722)
    - New method makeForVulnerabilityAnalysis (#164 via #722)
  - New class ComponentEvidenceNormalizer (#516 via #753)
  - Class OrganizationalEntityNormalizer was enhanced
    - New method normalizeIterable() (via #722)
  - New class VulnerabilityNormalizer (#164 via #722)
  - New class VulnerabilityAdvisoryNormalizer (#164 via #722)
  - New class VulnerabilityAffectNormalizer (#164 via #722)
  - New class VulnerabilityAffectedVersionNormalizer (#164 via #722)
  - New class VulnerabilityAnalysisNormalizer (#164 via #722)
  - New class VulnerabilityCreditsNormalizer (#164 via #722)
  - New class VulnerabilityRatingNormalizer (#164 via #722)
  - New class VulnerabilityReferenceNormalizer (#164 via #722)
  - New class VulnerabilitySourceNormalizer (#164 via #722)
- Namespace Spec
  - Constants Spec1dot{2,3,4} were enhanced
    - New property supportsComponentEvidence:boolean (via #753)
    - New property supportsVulnerabilities:boolean (via #722)
- Namespace Spdx was enhanced
  - New function isValidSpdxLicenseExpression() (#271 via #547)
Misc
- Added dependency spdx-expression-parse@^3.0.1 (via #547)

1.14.0 – 2023-04-25

Added
- Formal validators for JSON string and XML string (#620 via #652, #691)
  Currently available only for Node.js. Requires optional dependencies.
  - Related new validator classes:
    - Validation.JsonValidator
    - Validation.JsonStrictValidator
    - Validation.XmlValidator
  - Related new error classes:
    - Validation.NotImplementedError
    - Validation.MissingOptionalDependencyError
Build
- Use TypeScript v5.0.4 now, was v4.9.5 (#549 via #644)
- Use webpack v5.80.0 now, was v5.79.0 (via #686)

1.13.3 - 2023-04-05

Fixed
- Serialize.{JSON,XML}.Normalize.LicenseNormalizer.normalizeIterable() now omits invalid license combinations (#602 via #623)
  If there is any Models.LicenseExpression, then this is the only license normalized; otherwise all licenses are normalized.
Docs
- Fixed link to CycloneDX-specification in README (via #617)

1.13.2 - 2023-03-29

Fixed
- Builders.FromNodePackageJson.ComponentBuilder no longer cuts component’s name after a slash(/) (#599 via #600)

1.13.1 - 2023-03-28

Docs
- Announce and annotate the generator for BOM’s SerialNumber (#588 via #598)

1.13.0 - 2023-03-28

Fixed
- “Bom.serialNumber” data model can have values following the alternative format allowed in CycloneDX XML specification (#588 via #597)
- Serialize.{JSON,XML}.Normalize.BomNormalizer.normalize now omits invalid/unsupported values for serialNumber (#588 via #597)
Changed
- Property Models.Bom.serialNumber is of type string, was type-aliased Types.UrnUuid = string (#588 via #597)
  Also, the setter no longer throws exceptions, since no string format is illegal.
  This is considered a non-breaking behavior change, because the corresponding normalizers assure valid data results.
Added
- Published generator for BOM’s SerialNumber: Utils.BomUtility.randomSerialNumber() (#588 via #597)
  The code was donated from cyclonedx-node-npm.
Deprecation
- Type alias Types.UrnUuid = string became deprecated (via #597)
  Use type string instead.
- Function Types.isUrnUuid became deprecated (via #597)

1.12.2 - 2023-03-28

Fixed
- Digesting this library in TypeScript build with ECMA Script module results works as expected, now (via #596)
Docs
- Development-docs are no longer packed with releases (via #572)
Misc
- Added more integration tests in CI (via #596)

1.12.1 - 2023-03-13

Maintenance release.

1.12.0 - 2023-03-02

Docs
- Made it clear, that {Builders,Factories}.{FromNodePackageJson,FromPackageJson}.* functionality is to be run on already normalized structures (#517 via #518)
  Normalization should be done downstream, for example via ``normalize-package-data` <https://www.npmjs.com/package/normalize-package-data>`_.

1.11.0 - 2023-02-02

Added
- New vulnerability-related enums were added in a new namespace Enums.Vulnerability (#164 via #419)
  Release stage is “beta”. These namespace and enums have been released to third-party developers experimentally for the purpose of collecting feedback. These enums should not be used in production, because their contracts may change without notice.
  - AffectStatus
  - AnalysisJustification
  - AnalysisResponse
  - AnalysisState
  - RatingMethod
  - Severity
- New vulnerability-related models were added in a new namespace Models.Vulnerability (#164 via #419)
  Release stage is “beta”. These namespace and models have been released to third-party developers experimentally for the purpose of collecting feedback. These models should not be used in production, because their contracts may change without notice.
  Attention: The models are not yet supported by shipped serializers nor shipped normalizers.
  - Advisory, AdvisoryRepository
  - Affect, AffectRepository, AffectedSingleVersion, AffectedVersionRange, AffectedVersionRepository
  - Analysis
  - Credits
  - Rating, RatingRepository
  - Reference, ReferenceRepository
  - Source
  - Vulnerability, VulnerabilityRepository
- New class Models.OrganizationalEntityRepository to represent a collection of Models.OrganizationalEntity (via #419)
  Additionally, Models.OrganizationalEntity.compare() was implemented.
- New types and related functionality Common Weaknesses Enumerations (CWE) were added (via #419)
  Release stage is “beta”. These types, functions and classes have been released to third-party developers experimentally for the purpose of collecting feedback. These types, functions and classes should not be used in production, because their contracts may change without notice.
  - type Types.CWE
  - runtime validation Types.isCWE()
  - class Types.CweRepository
Docs
- Use TSDoc syntax in TypeScript files, instead of JSDoc (via #318, #453)
Build
- Use TypeScript v4.9.5 now, was v4.9.4 (via #463)
Misc
- Added tests for internal helpers (via #454)
- Use eslint-config-standard-with-typescript@34.0.0 now, was 33.0.0 (via #460)

1.10.0 - 2023-01-28

Added
- Typing: Interfaces of models’ optional properties are now public API (#439 via #440)
- Ship TypeDoc configuration, so that users can build the documentation on demand (#57 via #436)
Fixed
- XML serializer now properly throws UnsupportedFormatError if it is unsupported by the supplied Spec (via #438)
Misc
- Added tests for internal helpers (via #431)
- Added more internal sortable data types (via #165)
- Fixed type hints in internals (via #432)
- Fixed type refs and links in doc-strings (via #437)
- Slightly improved performance of compare methods when reproducible results were needed (via #433)
- Use eslint-config-standard-with-typescript@33.0.0 now, was 23.0.0 (via #382, #423, #445)

1.9.2 - 2022-12-16

Maintenance release.

Docs
- Fix CI/CT shield (badges/shields#8671 via #371)

1.9.1 - 2022-12-10

Maintenance release.

Build
- Use TypeScript v4.9.4 now, was v4.9.3 (via #360)

1.9.0 - 2022-11-19

Changed
- Widened the accepted types for first parameter of all normalizeIterable methods (via #317)
Build
- Use TypeScript v4.9.3 now, was v4.8.4 (via #335)

1.8.0 - 2022-10-31

Added
- Enabled detection for node-package manifest’s deprecated licenses format in the node-specific builders (#308 via #309)

1.7.0 - 2022-10-25

Changed
- Shipped TypeScript declarations are usable by TypeScript v3.8 and above now (#291 via #292) Previously the source code was abused as type declarations, so they required a certain version of TypeScript 4.

1.6.0 - 2022-09-31

Changed
- Removed synthetic default imports im TypeScript sources (via #243)
  The resulting JavaScript did not change in functionality.
  Downstream users of the TypeScript sources/definitions might consider this a feature, as they are no longer required to compile with allowSyntheticDefaultImports enabled.
Added
- Documentation and example regarding dependency tree modelling were added in multiple places (via #250)
Build
- No longer enable TypeScript config esModuleInterop & allowSyntheticDefaultImports (via #243)
- Use TypeScript v4.8.4 now, was v4.8.3 (via #246)

1.5.1 - 2022-09-17

Deprecated
- The normalizer methods normalizeRepository will be known as normalizeIterable (via #230)

1.5.0 - 2022-09-17

Deprecated
- The class HashRepository will be known as HashDictionary (via #229)

1.4.2 - 2022-09-10

Maintenance release.

Build
- Use TypeScript v4.8.3 now, was v4.8.2 (via #212)

1.4.1 - 2022-09-09

Maintenance release.

Misc
- Style: imports are sorted, now (via #208)
Dependencies
- Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8 || ^1, was >=0.0.6 <0.0.8 (via #210)

1.4.0 - 2022-09-07

Added
- New class Factories.FromNodePackageJson.PackageUrlFactory that acts like Factories.PackageUrlFactory, but omits PackageUrl’s npm-specific “default derived” qualifier values for download_url & vcs_url (#204 via #207)
Build
- Use TypeScript v4.8.2 now, was v4.7.4 (via #190)

1.3.4 - 2022-08-16

Fixed
- Factories.PackageUrlFactory omits empty-string URLs for PackageUrl’s qualifiers download_url & vcs_url (via #180)

1.3.3 - 2022-08-16

Fixed
- Improved omission of invalid anyURI when it comes to XML-normalization (#178 via #179)

1.3.2 - 2022-08-15

Fixed
- Serializers render bom-ref values of nested components as unique values, as expected (#175 via #176)
Misc
- Style: improved readability of constructor parameter types (via #166)

1.3.1 - 2022-08-04

Fixed
- JSON- and XML-Normalizer no longer render Models.Component.properties with *CycloneDX* Specification-1.2 (#152 via #153)
- XML-Normalizer now has the correct order/position of rendered Models.Component.properties (via #153)

1.3.0 - 2022-08-03

Changed
- Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation (via #150)
- Use SPDX license enumeration from version 9b04a94 of CycloneDX specification. (via #150)
Added
- Models for Property and PropertyRepository (via #151)
- JSON- and XML-Normalizer for Models.Property, Models.PropertyRepository (via #151)
- New property Models.Component.properties (via #151)
Build
- Use webpack v5.74.0. now, was v5.73.0 (via #141)

1.2.0 - 2022-08-01

Added
- New getters/properties that represent the corresponding parameters of class constructor (via #145)
  - Builders.FromPackageJson.ComponentBuilder.extRefFactory,
    Builders.FromPackageJson.ComponentBuilder.licenseFactory
  - Builders.FromPackageJson.ToolBuilder.extRefFactory
  - Factories.PackageUrlFactory.type
  - Serialize.BomRefDiscriminator.prefix
  - Serialize.JsonSerializer.normalizerFactory
  - Serialize.XmlBaseSerializer.normalizerFactory,
    Serialize.XmlSerializer.normalizerFactory
- Factory for PackageURL from Models.Component can handle additional data sources, now (via #146)
  - Models.Component.hashes map -> PackageURL.qualifiers.checksum list
  - Models.Component.externalReferences[distribution].url -> PackageURL.qualifiers.download_url
  - Method Factories.PackageUrlFactory.makeFromComponent() got a new optional parameter sort, to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
    This feature switch is related to reproducible builds.
Deprecated
- The sub-namespace FromPackageJson will be known as FromNodePackageJson (via #148)
  - Factories.FromPackageJson -> Factories.FromNodePackageJson
  - Builders.FromPackageJson -> Builders.FromNodePackageJson

1.1.0 - 2022-07-29

Added
- Support for nested/bundled (sub-)components via Models.Component.components was added, including serialization/normalization of models and impact on dependency graphs rendering (#132 via #136)
- *CycloneDX* Specification-1.4 made element Models.Component.version optional. Therefore, serialization/normalization with this specification version will no longer render this element if its value is empty (via #137, #138)

1.0.3 - 2022-07-28

Fixed
- Types.isCPE() for CPE2.3 allows escaped(\) chars &"><, as expected (via #134)

1.0.2 - 2022-07-26

Maintenance release.

Dependencies
- Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8, was ^0.0.7 (#130 via #131)

1.0.1 - 2022-07-23

Maintenance release.

Build
- Use TypeScript v4.7.4 now, was v4.6.4 (via #55)
Dependencies
- Raised the requirement of packageurl-js to ^0.0.7, was ^0.0.6 (via #123)

1.0.0 - 2022-06-20

Initial release.

Responsibilities
- Provide a general purpose JavaScript-implementation of *CycloneDX* for Node.js and WebBrowsers.
- Provide typing for said implementation, so developers and dev-tools can rely on it.
- Provide data models to work with CycloneDX.
- Provide a JSON- and an XML-normalizer, that…
  - supports all shipped data models.
  - respects any injected *CycloneDX* Specification and generates valid output according to it.
  - can be configured to generate reproducible/deterministic output.
  - can prepare data structures for JSON- and XML-serialization.
- Serialization:
  - Provide a universal JSON-serializer for all target environments.
  - Provide an XML-serializer for all target environments.
  - Support the downstream implementation of custom XML-serializers tailored to specific environments
    by providing an abstract base class that takes care of normalization and BomRef-discrimination.
    This is done, because there is no universal XML support in JavaScript.
Capabilities & Features
- Enums for the following use cases:
  - AttachmentEncoding
  - ComponentScope
  - ComponentType
  - ExternalReferenceType
  - HashAlgorithm
- Data models for the following use cases:
  - Attachment
  - Bom
  - BomRef, BomRefRepository
  - Component, ComponentRepository
  - ExternalReference, ExternalReferenceRepository
  - HashContent, Hash, HashRepository
  - LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
  - Metadata
  - OrganizationalContact, OrganizationalContactRepository
  - OrganizationalEntity
  - SWID
  - Tool, ToolRepository
- Factories for the following use cases:
  - Create data models from any license descriptor string
  - Specific to Node.js: create data models from PackageJson-like data structures
- Builders for the following use cases:
  - Specific to Node.js: create deep data models from PackageJson-like data structures
- Implementation of the *CycloneDX* Specification for the following versions:
  - 1.4
  - 1.3
  - 1.2
- Normalizers that convert data models to JSON structures
- Normalizers that convert data models to XML structures
- Universal serializer that converts Bom data models to JSON string
- Serializer that converts Bom data models to XML string:
  - Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
  - Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries
    - xmlbuilder2