Description
Is your feature request related to a problem? Please describe.
Some package.json files include a "dist" entry. This can happen when packages are bundled dependencies: packaging tools enrich the package manifests and add a "dist" entry to reflect which version was bundled.
This "dist" information should be added to the SBOM results.
Example "dist" entry from a package.json:
// ...
"dist": {
"shasum": "a63b0eec4625a2902534898a5f9eec8aaed046e9",
"tarball": "http://registry.npmjs.org/find-up/-/find-up-1.1.0.tgz"
},
// ...
Describe the solution you'd like
Find the "dist" field in the package manifest and add the distribution URL (`dist.tarball`) and the hashes (`dist.shasum`, a SHA-1 digest) to the SBOM.
Describe alternatives you've considered
/
Additional context
An example: in https://www.npmjs.com/package/bundle-dependencies/v/1.0.2 the file
./node_modules/yargs/package.json
is:
{
"_args": [
[
"yargs@^4.1.0",
"/Users/gajus/Documents/dev/gajus/bundle-dependencies"
]
],
"_from": "yargs@>=4.1.0 <5.0.0",
"_id": "yargs@4.1.0",
"_inCache": true,
"_installable": true,
"_location": "/yargs",
"_nodeVersion": "3.2.0",
"_npmOperationalInternal": {
"host": "packages-5-east.internal.npmjs.com",
"tmp": "tmp/yargs-4.1.0.tgz_1455554454146_0.05233815615065396"
},
"_npmUser": {
"email": "[email protected]",
"name": "bcoe"
},
"_npmVersion": "3.3.0",
"_phantomChildren": {},
"_requested": {
"name": "yargs",
"raw": "yargs@^4.1.0",
"rawSpec": "^4.1.0",
"scope": null,
"spec": ">=4.1.0 <5.0.0",
"type": "range"
},
"_requiredBy": [
"/"
],
"_resolved": "https://registry.npmjs.org/yargs/-/yargs-4.1.0.tgz",
"_shasum": "035e5ea466ac7fea584b00353e33eae4082b9894",
"_shrinkwrap": null,
"_spec": "yargs@^4.1.0",
"_where": "/Users/gajus/Documents/dev/gajus/bundle-dependencies",
"bugs": {
"url": "https://github.com/bcoe/yargs/issues"
},
"dependencies": {
"camelcase": "^2.0.1",
"cliui": "^3.0.3",
"decamelize": "^1.1.1",
"os-locale": "^1.4.0",
"pkg-conf": "^1.1.1",
"read-pkg-up": "^1.0.1",
"require-main-filename": "^1.0.0",
"string-width": "^1.0.1",
"window-size": "^0.2.0",
"y18n": "^3.2.0",
"yargs-parser": "^2.1.0"
},
"description": "Light-weight option parsing with an argv hash. No optstrings attached.",
"devDependencies": {
"chai": "^3.4.1",
"chalk": "^1.1.1",
"coveralls": "^2.11.4",
"cpr": "^1.0.0",
"es6-promise": "^3.0.2",
"hashish": "0.0.4",
"mocha": "^2.4.5",
"nyc": "^5.2.0",
"rimraf": "^2.5.0",
"standard": "^6.0.5",
"which": "^1.1.2",
"win-spawn": "^2.0.0"
},
"directories": {},
"dist": {
"shasum": "035e5ea466ac7fea584b00353e33eae4082b9894",
"tarball": "http://registry.npmjs.org/yargs/-/yargs-4.1.0.tgz"
},
"engine": {
"node": ">=0.10"
},
"files": [
"index.js",
"lib",
"locales",
"completion.sh.hbs",
"LICENSE"
],
"gitHead": "3808fabcd36645a1c855385e62c31fd5917ee447",
"homepage": "http://yargs.js.org/",
"keywords": [
"argument",
"args",
"option",
"parser",
"parsing",
"cli",
"command"
],
"license": "MIT",
"main": "./index.js",
"maintainers": [
{
"email": "[email protected]",
"name": "bcoe"
},
{
"email": "[email protected]",
"name": "chevex"
},
{
"email": "[email protected]",
"name": "nexdrew"
},
{
"email": "[email protected]",
"name": "nylen"
}
],
"name": "yargs",
"optionalDependencies": {},
"readme": "ERROR: No README data found!",
"repository": {
"type": "git",
"url": "git+ssh://[email protected]/bcoe/yargs.git"
},
"scripts": {
"coverage": "nyc report --reporter=text-lcov | coveralls",
"pretest": "standard",
"test": "nyc --cache mocha --require ./test/before.js --timeout=4000 --check-leaks"
},
"standard": {
"ignore": [
"**/example/**"
]
},
"version": "4.1.0"
}
Contribution
- I am willing to provide an implementation
- I will wait until somebody else implements it