Releases: CycloneDX/cyclonedx-javascript-library

5.0.0

16 Aug 13:27

BREAKING

  • Interface Spec.Protocol now defines new mandatory methods (via #946)
    This is only a breaking change if you custom-implemented this interface downstream; internal usage is non-breaking.

Added

  • New enum Enums.Lifecycle with corresponding values from CycloneDX Specification-1.5 (#937 via #946)
  • New class Models.NamedLifecycle (#937 via #946)
  • New class Models.LifecycleRepository (#937 via #946)
  • Class Models.Metadata got a new property lifecycles (#937 via #946)
  • Serializers and Metadata-Normalizers will take Models.Metadata.lifecycles into account (#937 via #946)

Build

  • Use Webpack v5.88.2 now, was v5.88.1 (via #933)

Full Changelog: v4.0.0...v5.0.0

4.0.0

05 Jul 08:51

BREAKING

  • Usage of this library in web browsers might no longer work out of the box (via #880)
    It might require a bundler/packer for web; see the examples/web/.
    This is only a breaking change if you used this library in a web browser.

Fixed

  • Properly exclude external packages when preparing this library for web browsers (#883 via #880)

Examples

  • Adjusted and extended examples for usage in web browsers (#883 via #880)
    Removed outdated examples/web/*, added examples/web/parcel & examples/web/webpack.
  • Added examples for usage of CDX.Factories.PackageUrlFactory (via #882, #886)

Build

  • Use TypeScript v5.1.6 now, was v5.1.5 (via #866)
  • Use Webpack v5.88.1 now, was v5.88.0 (via #870)
  • Apply wider rules for externals in Webpack build (#883 via #880)

Full Changelog: v3.0.0...v4.0.0

3.0.0

28 Jun 08:13

Added support for CycloneDX Specification-1.5.
Added functionality regarding CycloneDX BOM-Link.


BREAKING

  • Interface Spec.Protocol now defines new mandatory methods (via #843)
    This is only a breaking change if you custom-implemented this interface downstream; internal usage is non-breaking.

Changed

  • Normalizers support CycloneDX Specification-1.5 (#505 via #843)
  • Validators support CycloneDX Specification-1.5 (#505 via #843)
  • Some models' properties were widened to support CycloneDX BOM-Link (via #856)

Added

  • Existing Enums got new members and values for CycloneDX Specification-1.5 (#505 via #843)
  • Namespace Spec was enhanced for CycloneDX Specification-1.5 (#505 via #843)
  • Dedicated classes and types for CycloneDX BOM-Link (via #843, #856, #857)

API changes v3 - the details

see https://github.com/CycloneDX/cyclonedx-javascript-library/blob/v3.0.0/HISTORY.md#api-changes-v3---the-details


Full Changelog: v2.1.0...v3.0.0

2.1.0

10 Jun 17:28

Changed

  • Classes Serialize.Xml.Normalize.Vulnerability*Normalizer are now publicly available (via #816)
    Previously, only instances were available via Serialize.Xml.Normalize.Factory.makeForVulnerability*().

Build

  • Use TypeScript v5.1.3 now, was v5.0.4. (via #790)
  • Use Webpack v5.86.0 now, was v5.82.1 (via #802)

Full Changelog: v2.0.0...v2.1.0

2.0.0

17 May 14:44

Improved license detection.
Finished Vulnerability capabilities.
Added ComponentEvidence capabilities.


BREAKING

  • Method Factories.LicenseFactory.makeFromString() was changed in its behavior (#271, #530 via #547)
    It will try to create Models.SpdxLicense if value is eligible,
    else try to create Models.LicenseExpression if value is eligible,
    else fall back to Models.NamedLicense.
  • revisited sort and compare:
    • Methods Models.*.compare() may return different numbers than before.
    • Methods Models.*.sorted() may return different orders than before.
  • Removed deprecated symbols (#747 via #752)

Changed

  • Removed beta state from symbols {Enums,Models}.Vulnerability.* (#164 via #722)
    The structures are defined as stable now.
  • Some property/parameter types were widened, enabling the use of Buffer and other data-saving mechanisms (#406, #516 via #753)

Added

  • New data models and serialization/normalization for Models.ComponentEvidence (#516 via #753)
  • Serializers and Component-Normalizers will take Models.Component.evidence into account (#516 via #753)
  • Serializers and Bom-Normalizers will take Models.Bom.vulnerabilities into account (#164 via #722)

Misc

  • Internal rework, modernization, refactoring.

API changes v2 - the details

see https://github.com/CycloneDX/cyclonedx-javascript-library/blob/v2.0.0/HISTORY.md#api-changes-v2---the-details


Full Changelog: v1.14.0...v2.0.0



2.0.0-rc.0

15 May 19:33
Pre-release

Breaking Changes:

  • Class Factories.LicenseFactory was modified
    • Function makeFromString() was changed in its behaviour (#271, #530 via #547)
      Will try to create Models.SpdxLicense if value is eligible,
      else try to create Models.LicenseExpression if value is eligible,
      else fall back to Models.NamedLicense.
    • Renamed function makeDisjunctiveWithId() -> makeSpdxLicense() (#530 via #547)
    • Renamed function makeDisjunctiveWithName() -> makeNamedLicense() (#530 via #547)
  • Class Models.LicenseExpression was modified
    • Removed static function isEligibleExpression() (via #547)
      Use Spdx.isValidSpdxLicenseExpression() instead.
    • Constructor no longer throws, when value is not eligible (#530 via #547)
      You may utilize Factories.LicenseFactory to mimic the previous behaviour.
    • Property expression setter no longer throws, when value is not eligible (#530 via #547)
      You may utilize Factories.LicenseFactory to mimic the previous behaviour.
  • Class Models.SpdxLicense was modified
    • Constructor no longer throws, when value is not eligible (#530 via #547)
    • Property id setter no longer throws, when value is not eligible (#530 via #547)
  • Interface Spec.Protocol now defines a new mandatory property supportsComponentEvidence:boolean (via #753)
  • Interface Spec.Protocol now defines a new mandatory property supportsVulnerabilities:boolean (via #722)
  • Removed deprecated symbols (#747 via #752)
    • Namespace {Builders,Factories}.FromPackageJson -> use {Builders,Factories}.FromNodePackageJson instead
    • Class Models.HashRepository -> use Models.HashDictionary instead
    • Function Serialize.{Json,Xml}.Normalize.*.normalizeRepository() -> use Serialize.{Json,Xml}.Normalize.*.normalizeIterable() instead
    • Type alias Types.UrnUuid - use string instead
      Type predicate Types.isUrnUuid() no longer exists

Changed

  • Removed beta state from symbols {Enums,Models}.Vulnerability.* (#164 via #722)
    The structures are defined as stable now.
  • Class Models.Attachment was modified
    • Property content was widened to be any stringable, was string (#516 via #753)
      This enables the use of Buffer and other data-saving mechanisms.
  • Class Models.Component was modified
    • Property copyright was widened to be any stringable, was string (#516 via #753)
      This enables the use of Buffer and other data-saving mechanisms.
  • Class Models.Vulnerability.Credits was modified
    • Property organizations is no longer optional (via #722)
      This collection(Set) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
    • Property individuals is no longer optional (via #722)
      This collection(Set) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.

Added

  • Serializers and Bom-Normalizers will take Bom.vulnerabilities into account (#164 via #722)
  • Serializers and Component-Normalizers will take Component.evidence into account (#516 via #753)
  • Namespace Models was enhanced
    • Class Component was enhanced
      • New optional property evidence of type Models.ComponentEvidence (#516 via #753)
    • New class ComponentEvidence (#516 via #753)
    • Namespace Vulnerability was enhanced
      • Class Advisory was enhanced
        • New method compare() (via #722)
      • Class AdvisoryRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class Affect was enhanced
        • New method compare() (via #722)
      • Class AffectRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class AffectedSingleVersion was enhanced
        • New method compare() (via #722)
      • Class AffectedVersionRange was enhanced
        • New method compare() (via #722)
      • Class AffectedVersionRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class Rating was enhanced
        • New method compare() (via #722)
      • Class RatingRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class Reference was enhanced
        • New method compare() (via #722)
      • Class ReferenceRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
      • Class Source was enhanced
        • New method compare() (via #722)
      • Class Vulnerability was enhanced
        • New method compare() (via #722)
      • Class VulnerabilityRepository was enhanced
        • New method sorted() (via #722)
        • New method compare() (via #722)
  • Namespace Serialize.{Json,Xml}.Normalize was enhanced
    • Class Factory was enhanced
      • New method makeForComponentEvidence() (#516 via #753)
      • New method makeForVulnerability() (#164 via #722)
      • New method makeForVulnerabilitySource() (#164 via #722)
      • New method makeForVulnerabilityReference() (#164 via #722)
      • New method makeForVulnerabilityRating() (#164 via #722)
      • New method makeForVulnerabilityAdvisory() (#164 via #722)
      • New method makeForVulnerabilityCredits() (#164 via #722)
      • New method makeForVulnerabilityAffect() (#164 via #722)
      • New method makeForVulnerabilityAffectedVersion() (#164 via #722)
      • New method makeForVulnerabilityAnalysis() (#164 via #722)
    • New class ComponentEvidenceNormalizer (#516 via #753)
    • Class OrganizationalEntityNormalizer was enhanced
      • New method normalizeIterable() (via #722)
    • New class VulnerabilityNormalizer (#164 via #722)
    • New class VulnerabilityAdvisoryNormalizer (#164 via #722)
    • New class VulnerabilityAffectNormalizer (#164 via #722)
    • New class VulnerabilityAffectedVersionNormalizer (#164 via #722)
    • New class VulnerabilityAnalysisNormalizer (#164 via #722)
    • New class VulnerabilityCreditsNormalizer (#164 via #722)
    • New class VulnerabilityRatingNormalizer (#164 via #722)
    • New class VulnerabilityReferenceNormalizer (#164 via #722)
    • New class VulnerabilitySourceNormalizer (#164 via #722)
  • Namespace Spec
    • Const Spec1dot{2,3,4}
      • New property supportsComponentEvidence:boolean (via #753)
      • New property supportsVulnerabilities:boolean (via #722)
  • Namespace Spdx
    • New function isValidSpdxLicenseExpression() (#271 via #547)

Misc

  • New dependency spdx-expression-parse (via #547)

Full Changelog: v1.14.0...v2.0.0-rc.0

1.14.0

25 Apr 17:00

Added

  • Formal validators for JSON string and XML string (#620 via #652, #691)
    Currently available only for Node.js. Requires optional dependencies.
    • Related new validator classes:
      • Validation.JsonValidator
      • Validation.JsonStrictValidator
      • Validation.XmlValidator
    • Related new error classes:
      • Validation.NotImplementedError
      • Validation.MissingOptionalDependencyError

Build

  • Use TypeScript v5.0.4 now, was v4.9.5. (#549 via #644)
  • Use Webpack v5.80.0 now, was 5.79.0. (via #686)

Full Changelog: v1.13.3...v1.14.0

1.14.0-rc.3

24 Apr 12:30
Pre-release
v1.14.0-rc.3

prerelease 1.14.0-rc.3

1.14.0-rc.2

23 Apr 12:57
Pre-release
v1.14.0-rc.2

1.14.0-rc.2

1.14.0-rc.1

23 Apr 09:41
Pre-release
v1.14.0-rc.1

1.14.0-rc.1