Update packages
Current list looks like this.
┌─────────────────┬─────────────┬────────┐
│ Package │ Current │ Latest │
├─────────────────┼─────────────┼────────┤
│ @babel/parser │ 7.24.8 │ 7.25.3 │
├─────────────────┼─────────────┼────────┤
│ @babel/traverse │ 7.24.8 │ 7.25.3 │
├─────────────────┼─────────────┼────────┤
│ ajv │ 8.16.0 │ 8.17.1 │
├─────────────────┼─────────────┼────────┤
│ packageurl-js │ 1.0.2 │ 1.2.1 │
├─────────────────┼─────────────┼────────┤
│ tar │ 6.2.1 │ 7.4.3 │
├─────────────────┼─────────────┼────────┤
│ cheerio │ 1.0.0-rc.12 │ 1.0.0 │
└─────────────────┴─────────────┴────────┘
The issue is the need for testing after updating. For example, to update babel we need a sample list of JavaScript and TypeScript repos and run cdxgen with --profile research, then compare the occurrence and callstack evidence. Maybe there is an opportunity to enhance the custom-json-diff tool to handle evidence attributes?
For tar, we need to test with a range of oci images (both container and tar versions). Note that v7 is so different (and buggy) that even the maintainer hasn't made them the default yet.
packageurl-js had a number of breaking changes and was failing for container images when I tried it the last time.
Not sure about ajv and cheerio.
pnpm outdated
┌───────────────┬─────────┬────────┐
│ Package │ Current │ Latest │
├───────────────┼─────────┼────────┤
│ packageurl-js │ 1.0.2 │ 2.0.0 │
├───────────────┼─────────┼────────┤
│ tar │ 6.2.1 │ 7.4.3 │
└───────────────┴─────────┴────────┘
Only packageurl-js is left.
https://github.com/CycloneDX/cdxgen/issues/1887
packageurl-js and yargs can't be upgraded yet.
Closing as we can now track this via the Dependency Dashboard