fix: detect version upgrades by purl and repair default CLI invocation#10
Open
dmchaledev wants to merge 1 commit into
Conversation
Two correctness bugs broke the package's headline behavior:
- Upgrade detection: components were keyed by their full purl, which
embeds the version (e.g. "pkg:npm/lodash@4.17.21"). The same package at
two versions therefore never matched, so every version bump was reported
as a remove + add instead of an upgrade — making the advertised
"upgraded dependencies" output dead for any real SBOM (purls are
normally versioned). Components are now keyed by their version-stripped
purl (falling back to name), so upgrades are detected correctly,
including for scoped packages.
- CLI: the documented default command `sbom-diff old.json new.json`
crashed with "Unsupported format: old.json". When no --format flag was
present, the fallback `args[args.indexOf('--format') + 1]` resolved to
`args[0]` (the old path). Parsing now only reads the flag's value when
the flag is present, and an invalid --format produces a friendly error
instead of an unhandled throw.
Updated the diff test that previously enshrined the broken behavior, and
added coverage for purl-based and scoped-package upgrade detection.
Summary

Two correctness bugs broke the package's headline behavior. Both are small and self-contained.

1. Upgrade detection was effectively dead (the marquee feature)

The README promises the tool "Highlights added, removed, upgraded dependencies", but components were keyed by their full purl, which embeds the version (e.g. `pkg:npm/lodash@4.17.21`). The same package at two versions therefore never matched, so every version bump was reported as a remove + add instead of an upgrade. Since real CycloneDX/SPDX SBOMs almost always carry versioned purls, the `upgraded`/`isMajorBump` output was dead for any realistic input; it only worked for components with no purl.

Before (`old.json` → `new.json`, lodash `4.17.20` → `4.17.21`):

After:

Components are now keyed by their version-stripped purl (falling back to name), so upgrades are detected correctly, including for scoped packages (`pkg:npm/%40babel/core@…`).

2. The documented default CLI command crashed

The very first example in the README, `npx @hailbytes/sbom-diff old.json new.json`, crashed:

When no `--format` flag was present, the fallback `args[args.indexOf('--format') + 1]` resolved to `args[-1 + 1]` = `args[0]` (the old file path), which was then used as the report format. Parsing now only reads the flag's value when the flag is actually present, and an invalid `--format` produces a friendly error instead of an unhandled throw.

Changes

- `src/diff.ts`: key components by version-stripped purl via new `componentKey`/`stripPurlVersion` helpers.
- `src/cli.ts`: only consume `--format`'s value when the flag is present; validate the format and emit a clear error otherwise.
- `src/__tests__/diff.test.ts`: replaced the test that previously enshrined the broken add/remove behavior with one asserting real upgrade detection; added scoped-package coverage.

Verification

- `npm test`: 21 passed
- `npm run build` and `npm run lint`: clean
- `--format` CLI invocations (see before/after above).

Generated by Claude Code
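The two fixes described in the commit message and in the PR summary above, re-implemented stand-alone as an added example. This is not code from `@hailbytes/sbom-diff`; the names `Component`, `stripPurlVersion`, `componentKey`, `diffComponents`, `parseFormat`, the `FORMATS` list and the sample component lists are assumptions made for the illustration, not the project's API. It shows why keying on the full purl hides upgrades, how a version-stripped key (with scoped, percent-encoded npm names and purl qualifiers) restores them, and why `args[args.indexOf('--format') + 1]` silently reads the first positional argument when the flag is absent.

```typescript
// Added example, not code from @hailbytes/sbom-diff. All names below are
// assumptions for illustration, not the project's API.

interface Component {
  name: string;
  version: string;
  purl?: string;
}

interface Upgrade {
  key: string;
  from: string;
  to: string;
  isMajorBump: boolean;
}

interface ComponentDiff {
  added: Component[];
  removed: Component[];
  upgraded: Upgrade[];
}

// Drop the "@<version>" part of a purl, leaving qualifiers ("?...") and the
// subpath ("#...") untouched. Canonical purls percent-encode "@" in scoped npm
// names ("pkg:npm/%40babel/core@7.24.0"), but some tools emit it raw, so the
// version separator is taken to be the last "@" that comes after the last "/".
function stripPurlVersion(purl: string): string {
  const cut = purl.search(/[?#]/);
  const head = cut === -1 ? purl : purl.slice(0, cut);
  const tail = cut === -1 ? "" : purl.slice(cut);
  const at = head.lastIndexOf("@");
  if (at === -1 || at < head.lastIndexOf("/")) return purl; // no version present
  return head.slice(0, at) + tail;
}

// Identity of a component across two SBOMs: the version-stripped purl, or the
// name (prefixed so a bare name can never collide with a purl) when absent.
function componentKey(c: Component): string {
  return c.purl ? stripPurlVersion(c.purl) : `name:${c.name}`;
}

// Leading integer of a version string ("4.17.21" -> 4, "v2.0.0" -> 2).
function majorOf(version: string): number | null {
  const m = /^v?(\d+)/.exec(version);
  return m ? Number(m[1]) : null;
}

function byKey(list: Component[]): Map<string, Component> {
  const m = new Map<string, Component>();
  for (const c of list) m.set(componentKey(c), c);
  return m;
}

// Classify components as added, removed or upgraded. Keys are compared, not
// full purls, so "pkg:npm/lodash@4.17.20" and "pkg:npm/lodash@4.17.21" match.
function diffComponents(oldList: Component[], newList: Component[]): ComponentDiff {
  const oldByKey = byKey(oldList);
  const newByKey = byKey(newList);
  const result: ComponentDiff = { added: [], removed: [], upgraded: [] };
  newByKey.forEach((n, key) => {
    const o = oldByKey.get(key);
    if (!o) {
      result.added.push(n);
    } else if (o.version !== n.version) {
      const a = majorOf(o.version);
      const b = majorOf(n.version);
      result.upgraded.push({
        key,
        from: o.version,
        to: n.version,
        isMajorBump: a !== null && b !== null && b > a,
      });
    }
  });
  oldByKey.forEach((o, key) => {
    if (!newByKey.has(key)) result.removed.push(o);
  });
  return result;
}

// Constructed sample inputs (not taken from any real SBOM).
const OLD_COMPONENTS: Component[] = [
  { name: "lodash", version: "4.17.20", purl: "pkg:npm/lodash@4.17.20" },
  { name: "@babel/core", version: "7.23.0", purl: "pkg:npm/%40babel/core@7.23.0" },
  { name: "left-pad", version: "1.3.0", purl: "pkg:npm/left-pad@1.3.0" },
];
const NEW_COMPONENTS: Component[] = [
  { name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21" },
  { name: "@babel/core", version: "8.0.0", purl: "pkg:npm/%40babel/core@8.0.0" },
  { name: "zod", version: "3.22.4", purl: "pkg:npm/zod@3.22.4" },
];

const FORMATS = ["markdown", "json"] as const; // assumed report formats
type Format = (typeof FORMATS)[number];
type FormatResult = { ok: true; format: Format } | { ok: false; error: string };

// The original bug: with no --format flag, indexOf returns -1, so this reads
// args[0], i.e. the old SBOM path, and hands it on as the report format.
function parseFormatBuggy(args: string[]): string {
  return args[args.indexOf("--format") + 1];
}

// Fixed: read the value only when the flag is present, and validate it so the
// CLI can print a message instead of dying on an unhandled throw.
function parseFormat(args: string[], fallback: Format = "markdown"): FormatResult {
  const i = args.indexOf("--format");
  if (i === -1) return { ok: true, format: fallback };
  const value = args[i + 1];
  if (value !== undefined && (FORMATS as readonly string[]).indexOf(value) !== -1) {
    return { ok: true, format: value as Format };
  }
  return {
    ok: false,
    error: `Unsupported format: ${value ?? "(missing)"}. Expected one of: ${FORMATS.join(", ")}`,
  };
}
```

Two design choices worth knowing about before reusing this: purl qualifiers are kept in the key, so the same artifact with a changed `?type=` or `?repository_url=` qualifier shows up as remove + add rather than as an upgrade, and `isMajorBump` only compares the leading integer of each version string, which is enough for semver-style versions but says nothing useful about date-based or pre-release schemes.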