pnpm sbom
Added in: v11.0.0
Generate a Software Bill of Materials (SBOM) for the project.
Supported formats:
- CycloneDX 1.7 (JSON)
- SPDX 2.3 (JSON)
Usage
pnpm sbom --sbom-format cyclonedx
pnpm sbom --sbom-format spdx
pnpm sbom --sbom-format cyclonedx --lockfile-only
pnpm sbom --sbom-format spdx --prod
pnpm sbom --sbom-format cyclonedx --out sbom.cdx.json
pnpm sbom --sbom-format cyclonedx --split
pnpm sbom --sbom-format cyclonedx --exclude-peers
Inside a workspace, pnpm sbom supports filtering. When a single workspace package is selected, the root component in the SBOM uses that package's metadata.
CycloneDX output marks components reachable only through devDependencies with scope: "excluded" and the cdx:npm:package:development property. Runtime components, including installed optional dependencies, use the default required scope.
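The two markers described above are what a downstream consumer should key on when it wants a runtime-only view of the inventory. The following script is an added example, not code from pnpm or its documentation: it takes a CycloneDX JSON document of the shape `pnpm sbom --sbom-format cyclonedx` emits, classifies each component as runtime or development-only using both `scope: "excluded"` and the `cdx:npm:package:development` property, flags components where the two markers disagree, and derives a runtime-only SBOM for vulnerability matching. The sample document, its package names and purls are constructed for illustration.

```javascript
// Added example (not part of the pnpm docs): classify the components of a
// CycloneDX SBOM produced by `pnpm sbom --sbom-format cyclonedx` into
// runtime vs. development-only, using the two markers the docs describe:
// scope "excluded" and the cdx:npm:package:development property.

// Constructed sample document, shaped like a CycloneDX 1.7 JSON SBOM.
// Names, versions and purls are made up for illustration.
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.7',
  metadata: {
    component: { type: 'application', name: 'example-app', version: '1.0.0' },
  },
  components: [
    // No scope at all: CycloneDX treats a missing scope as "required".
    { type: 'library', name: 'left-pad-ish', version: '1.2.3', purl: 'pkg:npm/left-pad-ish@1.2.3' },
    // Installed optional dependency: explicitly required, it ships at runtime.
    { type: 'library', name: 'fsevents-ish', version: '2.0.0', purl: 'pkg:npm/fsevents-ish@2.0.0', scope: 'required' },
    // Dev-only components carry both markers.
    { type: 'library', name: 'typescript-ish', version: '5.0.0', purl: 'pkg:npm/typescript-ish@5.0.0',
      scope: 'excluded', properties: [{ name: 'cdx:npm:package:development', value: 'true' }] },
    { type: 'library', name: 'tslib-ish', version: '2.6.0', purl: 'pkg:npm/tslib-ish@2.6.0',
      scope: 'excluded', properties: [{ name: 'cdx:npm:package:development', value: 'true' }] },
    // Constructed edge case: excluded scope without the dev property.
    { type: 'library', name: 'odd-one', version: '0.1.0', purl: 'pkg:npm/odd-one@0.1.0', scope: 'excluded' },
  ],
};

function hasDevProperty(component) {
  return (component.properties || []).some(
    (p) => p.name === 'cdx:npm:package:development' && p.value === 'true',
  );
}

function componentId(c) {
  return c.purl || `${c.name}@${c.version}`;
}

// Returns { runtime, development, inconsistent }, each a list of component ids.
// A component is development-only when both markers agree. When only one
// marker is present it is reported as inconsistent so a reviewer can look at
// it, instead of silently trusting either marker on its own.
function classifyComponents(sbom) {
  const result = { runtime: [], development: [], inconsistent: [] };
  for (const c of sbom.components || []) {
    const excluded = c.scope === 'excluded';
    const dev = hasDevProperty(c);
    const id = componentId(c);
    if (excluded && dev) result.development.push(id);
    else if (!excluded && !dev) result.runtime.push(id); // default scope is "required"
    else result.inconsistent.push(id);
  }
  return result;
}

// Runtime-only view: the components that actually ship, which is the set to
// match against vulnerability data. Inconsistent components are deliberately
// left out here and surfaced by classifyComponents() instead.
function runtimeOnlySbom(sbom) {
  const runtime = new Set(classifyComponents(sbom).runtime);
  return {
    ...sbom,
    components: (sbom.components || []).filter((c) => runtime.has(componentId(c))),
  };
}

const summary = classifyComponents(SAMPLE_SBOM);
console.log(JSON.stringify(summary, null, 2));
console.log(`${runtimeOnlySbom(SAMPLE_SBOM).components.length} runtime components`);
```

Run it with `node` on a real document by replacing `SAMPLE_SBOM` with the parsed output of `pnpm sbom --sbom-format cyclonedx --out sbom.cdx.json`; the `inconsistent` list should normally be empty, and anything in it is worth a look before the runtime view is trusted.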
Options
--sbom-format <cyclonedx|spdx>
The SBOM output format. This option is required. Supported values: cyclonedx, spdx.
--sbom-type <library|application>
- Default: library
The component type of the root package.
--sbom-spec-version <version>
Added in: v11.1.0
- Default: 1.7
- Type: 1.5, 1.6, 1.7
The CycloneDX specification version to emit. Only applies when --sbom-format cyclonedx is used.
--lockfile-only
Use lockfile data only (skip reading from the store).
--sbom-authors <names>
Comma-separated list of SBOM authors. Written to metadata.authors in CycloneDX output.
--sbom-supplier <name>
SBOM supplier name. Written to metadata.supplier in CycloneDX output.
--out <path>
Added in: v11.8.0
Write the SBOM to a file instead of stdout.
Use %s in the path as a placeholder for the package name and %v as a placeholder for the package version. In a workspace, a path containing %s writes one SBOM per selected package:
pnpm sbom --sbom-format cyclonedx --out out/%s.cdx.json
pnpm sbom --sbom-format cyclonedx --out out/%s-%v.cdx.json
--split
Added in: v11.8.0
Generate a separate SBOM for each selected workspace package. Without --out, the SBOMs are printed to stdout as NDJSON, one JSON document per line.
When --split is combined with --out, the output path must contain %s.
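As an added example that is not part of the pnpm documentation, the script below consumes the NDJSON stream that `--split` prints without `--out` (one CycloneDX document per line) and maps each document to the path that the `--out` template would produce from its `%s` and `%v` placeholders. The placeholder meanings (`%s` for the package name, `%v` for the version) and the rule that a split template must contain `%s` are taken from the text above; the parsing, the collision check and the handling of scoped package names are this example's own assumptions, not a description of pnpm's implementation. The two sample documents are constructed.

```javascript
// Added example (not part of the pnpm docs): consume the NDJSON that
// `pnpm sbom --split` prints to stdout and plan one output file per package
// using the %s / %v placeholders documented for --out.

// Constructed sample: two workspace packages, one JSON document per line,
// in the shape --split prints them when --out is not given.
const SAMPLE_NDJSON = [
  JSON.stringify({ bomFormat: 'CycloneDX', specVersion: '1.7',
    metadata: { component: { type: 'library', name: '@acme/core', version: '2.1.0' } }, components: [] }),
  JSON.stringify({ bomFormat: 'CycloneDX', specVersion: '1.7',
    metadata: { component: { type: 'library', name: 'acme-cli', version: '0.3.4' } }, components: [] }),
].join('\n') + '\n';

// Parse NDJSON: skip blank lines, and fail loudly on a malformed line rather
// than silently dropping a package from the inventory.
function parseNdjson(text) {
  return text.split('\n')
    .map((line, i) => ({ line: line.trim(), i }))
    .filter(({ line }) => line.length > 0)
    .map(({ line, i }) => {
      try { return JSON.parse(line); }
      catch (e) { throw new Error(`line ${i + 1} is not valid JSON: ${e.message}`); }
    });
}

// Expand the --out template for one package. The docs require %s when --split
// is combined with --out; without it every package would overwrite the same file.
function expandOutPath(template, { name, version }, { split = true } = {}) {
  if (split && !template.includes('%s')) {
    throw new Error('--split with --out requires %s in the path');
  }
  return template.replace(/%s/g, name).replace(/%v/g, version);
}

// Build a Map of outputPath -> document for every SBOM in the stream.
// Note (assumption of this example, not stated in the docs): a scoped name such
// as @acme/core contains a slash, so the expanded path gains a subdirectory;
// create it before writing the file.
function planOutputs(ndjson, template) {
  const plan = new Map();
  for (const doc of parseNdjson(ndjson)) {
    const root = doc.metadata && doc.metadata.component;
    if (!root || !root.name) throw new Error('document has no metadata.component.name');
    const outPath = expandOutPath(template, root);
    if (plan.has(outPath)) throw new Error(`two packages map to the same file: ${outPath}`);
    plan.set(outPath, doc);
  }
  return plan;
}

const plan = planOutputs(SAMPLE_NDJSON, 'out/%s-%v.cdx.json');
for (const [outPath, doc] of plan) console.log(outPath, '<-', doc.metadata.component.name);
```

To use it on real output, pipe `pnpm sbom --sbom-format cyclonedx --split` into a small wrapper that reads stdin into `SAMPLE_NDJSON`'s place and writes each entry of the returned Map with `fs.writeFileSync` after creating its directory.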
--exclude-peers
Added in: v11.9.0
Exclude peer dependencies from the SBOM. Dependencies reachable only through those peers are also excluded.
This is useful with auto-install-peers because peer dependencies are resolved into the lockfile and otherwise look the same as regular dependencies.
--prod, -P
Include only dependencies and optionalDependencies.
--dev, -D
Include only devDependencies.
--no-optional
Exclude optionalDependencies.