[BUG] sbom cyclonedx files contain invalid serialNumber
Is there an existing issue for this?
- [x] I have searched the existing issues
This issue exists in the latest npm version
- [x] I am using the latest npm
Current Behavior
BOM files in cyclonedx format created by npm-sbom contain an invalid, static UUID value in the serialNumber field:
"serialNumber": "urn:uuid:***",
The problem is that some tools check the serialNumber against a regular expression (^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$).
With these tools a BOM file created by npm-sbom can't be used.
Expected Behavior
serialNumber field should contain a valid UUID value
Steps To Reproduce
- Create any BOM file with npm-sbom
- Look up serialNumber field value
Environment
- npm: 11.6.4
- Node.js: 24.11.0
- OS Name: Windows
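The check those strict consumers perform, written out as an added example (this is not npm's or any CycloneDX tool's code): the regular expression is the one quoted in the report, the helper names are hypothetical, and the three sample BOMs are constructed inline, including one carrying the redacted `urn:uuid:***` value described above. The checker distinguishes the redaction symptom from other malformed values so a report points at the producer rather than the consumer, and it also shows that an uppercase-hex UUID, valid in general, fails this lowercase-only pattern.

```javascript
// Added example, not npm's code: validate the serialNumber of a CycloneDX
// JSON BOM the way a strict consumer does. The pattern below is the one
// quoted in the issue report; function names here are hypothetical.

const SERIAL_NUMBER_RE =
  /^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Returns { ok, reason } so a caller can say *why* a BOM was rejected.
function checkSerialNumber(bom) {
  const sn = bom.serialNumber;
  if (sn === undefined) {
    // serialNumber is an optional field; absent is not the same as invalid.
    return { ok: true, reason: 'serialNumber absent (optional field)' };
  }
  if (typeof sn !== 'string') {
    return { ok: false, reason: `serialNumber is ${typeof sn}, expected string` };
  }
  if (SERIAL_NUMBER_RE.test(sn)) {
    return { ok: true, reason: 'serialNumber is a well-formed urn:uuid' };
  }
  // The symptom from the report: the UUID was replaced by a redaction marker.
  if (sn.includes('***')) {
    return { ok: false, reason: `serialNumber looks redacted by the producer: ${sn}` };
  }
  return { ok: false, reason: `serialNumber does not match ${SERIAL_NUMBER_RE}: ${sn}` };
}

// Parse a BOM document from JSON text and run the check. Throws on bad JSON.
function checkBomJson(text) {
  const bom = JSON.parse(text);
  if (bom.bomFormat !== 'CycloneDX') {
    return { ok: false, reason: `bomFormat is ${JSON.stringify(bom.bomFormat)}, expected "CycloneDX"` };
  }
  return checkSerialNumber(bom);
}

// Constructed sample BOMs (not real npm output).
const REDACTED_BOM = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  serialNumber: 'urn:uuid:***', // the value reported in the issue
  version: 1,
  components: [],
});

const VALID_BOM = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  serialNumber: 'urn:uuid:0f8fad5b-d9cb-469f-a165-70867728950e', // constructed UUID
  version: 1,
  components: [],
});

// Uppercase hex is a legal UUID spelling in general, but this strict
// lowercase-only pattern rejects it; a consumer using it would fail here too.
const UPPERCASE_BOM = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  serialNumber: 'urn:uuid:0F8FAD5B-D9CB-469F-A165-70867728950E',
  version: 1,
  components: [],
});

for (const [name, text] of [['redacted', REDACTED_BOM], ['valid', VALID_BOM], ['uppercase', UPPERCASE_BOM]]) {
  const result = checkBomJson(text);
  console.log(`${name}: ${result.ok ? 'PASS' : 'FAIL'} - ${result.reason}`);
}
```

Run it with `node` against any BOM text to see which of the three reasons a rejection falls under; a "looks redacted" result means the fix belongs in the tool that wrote the BOM, not in the consumer.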
npm stdout egress needs to bypass redaction.
The redaction bypass should be moved to the specific output.buffer call. See lib/commands/token.js for an example of where we do this when outputting the actual login token (a case where we very much want redaction bypassed).
Oh alright! I just missed your message earlier. Working on it.
Thank you, @wraithgar.
I have implemented the solution, using the same logic you suggested above. I've updated the implementation to use output.standard() with { [META]: true, redact: false } as demonstrated in token.js.
output.standard(JSON.stringify(this.#response, null, 2),
{
[META]: true,
redact: false
})
Results:
All existing tests are passing. Should I add a specific test to explicitly verify the serialNumber is not redacted, or is the current test coverage sufficient? Please let me know. I will open a PR in a few minutes.