[FR]: Expose `PackageInfo` from imported rules
What is the current behavior?
The current rules do not expose a PackageInfo from targets generated from npm imports.
Describe the feature
When constructing an SBOM, one of the key things we need is information about where dependencies come from, and the licenses that they contain. rules_license offers a PackageInfo which exposes this information (especially the purl), which allows one to generate this information. It would be helpful for rules_js to expose this.
Note that I did an experiment for this at the PackagingCon hackathon last year: https://github.com/bazelbuild/examples/compare/main...sbom
I don't see how that adds the PackageInfo to the packages imported from pnpm.
rules_license appears to be dead on arrival, not adding a dependency on it. Let's hope supply-chain does better.