[Snyk] Upgrade @cyclonedx/cyclonedx-npm from 3.0.0 to 4.0.0

[lholmquist]

Snyk has created this PR to upgrade @cyclonedx/cyclonedx-npm from 3.0.0 to 4.0.0.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 3 versions ahead of your current version.

• The recommended version was released 24 days ago.

Release notes

Package name: @cyclonedx/cyclonedx-npm

• 4.0.0 - 2025-06-23

  BREAKING Changes

  • SBOM results might have slightly changed (via #1307)

  Fixed

  • External dependency edge-cases are now properly nested (via #1307)

  Changed

  • SBOM result's bom-ref is prefixed with parent-component's one to ensure uniqueness (via #1307)
  • Uses only trusted data from npm-ls internally (via #1307)
    No changes in data quality are expected.

  ---

  What's Changed

  • tests: fix flat prepared tests by @ jkowalleck in #1308
  • feat: prefer trusted data, fix external deps edge-cases by @ jkowalleck in #1307
  • chore(deps-dev): bump jest from 30.0.0 to 30.0.2 in the jest group by @ dependabot in #1309

  Full Changelog: v3.1.0...v4.0.0

• 3.1.0 - 2025-06-16

  Changed

  • Utilizes license file gatherer of @ cyclonedx/cyclonedx-library, previously used own implementation (via #1303)

  Runtime Dependencies

  • Raised @ cyclonedx/cyclonedx-library@^8.4.0, was @^8.0.0 (via #1301, #1303)
  • Raised commander@^14.0.0, was @^13.1.0 (via #1297)

  ---

  What's Changed

  • chore(deps-dev): bump npm-run-all2 from 7.0.2 to 8.0.1 by @ dependabot in #1294
  • chore: add workflow permissions by @ jkowalleck in #1298
  • chore(deps): bump commander from 13.1.0 to 14.0.0 by @ dependabot in #1297
  • ci: use node24 by @ jkowalleck in #1299
  • feat: gather more info for bundled dependencies by @ jkowalleck in #1301
  • feat: use CDX-library's license evidence gathering by @ jkowalleck in #1303
  • chore(deps-dev): bump jest from 29.7.0 to 30.0.0 in the jest group by @ dependabot in #1305

  Full Changelog: v3.0.0...v3.1.0

• 3.0.1-alpha.0 - 2025-05-26

  3.0.1-alpha.0

  Signed-off-by: jkowalleck <[email protected]>

• 3.0.0 - 2025-04-08

  BREAKING Changes

  • Dropped support for node<20.18.0 (#1192 via #1273)
  • Dropped support for npm<9 (#1274 via #1273, #1277)

  Added

  • CLI switch -o as shorthand for --output-file (#1282 via #1288)
  • CLI switch --of as shorthand for --outout-format (#1282 via #1288)
  • CLI switch --sv as shorthand for --spec-version (#1282 via #1288)

  Fixed

  • License gathering correctly ignores symlinks and directories (#1290 via #1291)

  Runtime Dependencies

  • Raised @ cyclonedx/cyclonedx-library@^8.0.0, was @^7.0.0 (via #1281)
  • Raised commander@^13.1.0, was @^10.0.0 (via #1281, #1288)
  • Raised normalize-package-data@^7.0.0, was @^3||^4||^5||^6 (via #1281)

  Build

  • Use TypeScript v5.8.3 now, was v5.7.3 (via #1267, #1289)

  ---

  What's Changed

  • remove node < 20.18 & remove npm < 8.7 by @ jkowalleck in #1273
  • feat!: drop support for npm<9 by @ jkowalleck in #1277
  • chore(deps): use npm-run-all2@^7 by @ jkowalleck in #1276
  • refactors by @ jkowalleck in #1278
  • chore(deps-dev): bump typescript from 5.7.3 to 5.8.2 in the typescript group by @ dependabot in #1267
  • deps: bunp runtime 20250330 by @ jkowalleck in #1281
  • refactor: tune pipes by @ jkowalleck in #1280
  • chore: slight refactor and coverage with c8 by @ jkowalleck in #1285
  • chore: cs-fixer own tool by @ jkowalleck in #1284
  • feat: CLI shorthands by @ jkowalleck in #1288
  • fix: folder "LICENSES" causes crashes when gathering licenses by @ jkowalleck in #1291
  • chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 in the typescript group by @ dependabot in #1289

  Full Changelog: v2.1.0...v3.0.0

from @cyclonedx/cyclonedx-npm GitHub release notes

---

[!IMPORTANT]

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[lholmquist]

:tada: Snyk checks have passed. No issues have been found so far.

:white_check_mark: security/snyk check is complete. No issues have been found. (View Details)