6.8.1

Fixed

• Hardened Factories.FromNodePackageJson.PackageUrlFactory's default package repository detection (#1073 via #1074)

---

What's Changed

• chore(deps-dev): bump npm-run-all2 from 5.0.2 to 6.1.2 by @dependabot in #1071
• fix: hardenFactories.FromNodePackageJson.PackageUrlFactory's default package repository detection by @jkowalleck in #1074

Full Changelog: v6.8.0...v6.8.1

6.8.0

Added

• Explicitly export own first-level submodules via package manifest (#87 via #1066)
  When used with bundlers/packers downstream, this might enable better tree shaking due to scoped imports.

Refactor

• Ease internal tree shaking (via #1066)

---

What's Changed

• feat: NodeJS exports submodules as subpaths by @jkowalleck in #1066
• chore: modernize npm-run-all by @jkowalleck in #1069
• chore(deps) bumped some dev-deps by @jkowalleck in #1067
• chore: use rimraf instead of own by @jkowalleck in #1068

Full Changelog: v6.7.2...v6.8.0

6.7.2

Changed

• The provided XML validation capabilities were explicitly hardened (via #1064; concerns #1061)
  This is considered a security measure concerning XML external entity (XXE) injection.

---

What's Changed

• refactor: XML validator explicitely harden against XXE injections by @jkowalleck in #1064

Full Changelog: v6.7.1...v6.7.2

6.7.1

Security Fixes

This release contains a security fix for the following CVE GHSA-38gf-rh2w-gmj7.

(Release v6.7.0 got yanked for security reasons, and should not be used. Please upgrade to ^6.7.1)

Changed

Reverted v6.7.0, back to v6.6.1 -- fixes SecurityAdvisory GHSA-38gf-rh2w-gmj7

---

What's Changed

Full Changelog: v6.6.1...v6.7.1

6.6.1

Fixed

• JSON validator allow arbitrary $schema (#1059 via #1060)

---

What's Changed

• ci: modernize artifact action by @jkowalleck in #1056
• chore: test node22 by @jkowalleck in #1057
• fix: JsvonValidator allow arbitrary $schema by @jkowalleck in #1060

Full Changelog: v6.6.0...v6.6.1

6.6.0

Changed

• Serializers and License-Normalizers will take license acknowledgement into account (#1051 via #1052)

Added

• Namespace Enums
  • New enum LicenseAcknowledgement (#1051 via #1052)
• Namespace Models
  • Class LicenseExpression got new property acknowledgement (#1051 via #1052)
  • Class NamedLicense got new property acknowledgement (#1051 via #1052)
  • Class SpdxLicense got new property acknowledgement (#1051 via #1052)

---

What's Changed

• feat: license acknowledgement by @jkowalleck in #1052

Full Changelog: v6.5.1...v6.6.0

6.5.1

• Dependencies
  • Bumped the range of optional requirement ajv-formats to ^3.0.1, was ^2.1.1 (via #1037)
    This should fix JSON-validation for time/date.

---

What's Changed

• chore: add editorconfig checks to eslint by @jkowalleck in #1043
• Chore/migtate from eslint config standard with typescript to eslint config love by @jkowalleck in #1045
• chore: add the transitive peer dependencies by @jkowalleck in #1047
• chore(deps): bump ajv-formats from 2.1.1 to 3.0.1 in the ajv group by @dependabot in #1037

Full Changelog: v6.5.0...v6.5.1

6.5.0

Added support for CycloneDX Specification-1.6.

Changed

• Normalizers support CycloneDX Specification-1.6 (#1039 via #1041)
• Validators support CycloneDX Specification-1.6 (#1039 via #1041)

Added

• Existing Enums got new members and values for CycloneDX Specification-1.6 (#1039 via #1041)
  • Enums.ComponentType.CryptographicAsset
  • Enums.ExternalReferenceType.SourceDistribution
  • Enums.ExternalReferenceType.ElectronicSignature
  • Enums.ExternalReferenceType.DigitalSignature
  • Enums.ExternalReferenceType.RFC9116
• Namespace Spec was enhanced for CycloneDX Specification-1.6 (#1039 via #1041)
  • New const Spec.Spec1dot6
  • New enum member Spec.Version.v1dot6

Build

• Use TypeScript v5.4.5 now, was v5.4.3 (via #1040)

---

What's Changed

• chore(deps-dev): bump the mocha group with 1 update by @dependabot in #1035
• chore(deps-dev): bump the eslint group with 1 update by @dependabot in #1033
• feat: basic support CycloneDX v1.6 by @jkowalleck in #1041
• chore(deps-dev): bump typescript from 5.4.3 to 5.4.5 in the typescript group by @dependabot in #1040

Full Changelog: v6.4.2...v6.5.0

6.4.2

Build

• Use TypeScript v5.4.3 now, was v5.4.2 (via #1030)
• Use webpack v5.91.0 now, was v5.90.3 (via #1031)

---

What's Changed

• chore(deps-dev): bump the typescript group with 1 update by @dependabot in #1030
• chore(deps-dev): bump the webpack group with 1 update by @dependabot in #1031

Full Changelog: v6.4.1...v6.4.2

6.4.1

Documentation

• Rendered (API) docs are hosted on readthedocs (#1027 via #1028)

Build

• Use TypeScript v5.4.2 now, was v5.3.3 (via #1021)

---

What's Changed

• chore(deps-dev): bump the eslint group with 1 update by @dependabot in #1022
• Docs/render sphinx by @jkowalleck in #1028
• docs: move rendered docs by @jkowalleck in #1029
• chore(deps): bump softprops/action-gh-release from 1 to 2 by @dependabot in #1023
• chore(deps-dev): bump the typescript group with 1 update by @dependabot in #1021

Full Changelog: v6.4.0...v6.4.1