@cyclonedx/cyclonedx-library 9.2.0 → 9.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cyclonedx-library",
-  "version": "9.2.0",
+  "version": "9.4.0",
   "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
   "license": "Apache-2.0",
   "keywords": [
@@ -121,12 +121,12 @@
     "deepmerge": "^4.2.2",
     "fast-glob": "^3.3.1",
     "memfs": "^4.46.1",
-    "mocha": "11.7.4",
+    "mocha": "11.7.5",
     "npm-run-all2": "^8",
     "rimraf": "^6",
     "ts-loader": "9.5.4",
     "typescript": "5.9.3",
-    "webpack": "5.102.1",
+    "webpack": "5.103.0",
     "webpack-cli": "6.0.1",
     "webpack-node-externals": "3.0.0"
   },
@@ -182,6 +182,26 @@
     "./Validation": {
       "types": "./dist.d/validation/index.node.d.ts",
       "default": "./dist.node/validation/index.node.js"
+    },
+    "./Contrib": {
+      "types": "./dist.d/contrib/index.node.d.ts",
+      "default": "./dist.node/contrib/index.node.js"
+    },
+    "./Contrib/Bom": {
+      "types": "./dist.d/contrib/bom/index.d.ts",
+      "default": "./dist.node/contrib/bom/index.js"
+    },
+    "./Contrib/FromNodePackageJson": {
+      "types": "./dist.d/contrib/fromNodePackageJson/index.node.d.ts",
+      "default": "./dist.node/contrib/fromNodePackageJson/index.node.js"
+    },
+    "./Contrib/License": {
+      "types": "./dist.d/contrib/license/index.node.d.ts",
+      "default": "./dist.node/contrib/license/index.node.js"
+    },
+    "./Contrib/PackageUrl": {
+      "types": "./dist.d/contrib/packageUrl/index.d.ts",
+      "default": "./dist.node/contrib/packageUrl/index.js"
     }
   },
   "directories": {

package/res/schema/README.md

@@ -21,12 +21,13 @@ Currently using version
 | [`bom-1.4.SNAPSHOT.schema.json`](bom-1.4.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
 | [`bom-1.5.SNAPSHOT.schema.json`](bom-1.5.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
 | [`bom-1.6.SNAPSHOT.schema.json`](bom-1.6.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
-| [`bom-1.7.SNAPSHOT.schema.json`](bom-1.7.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
+| [`bom-1.7.SNAPSHOT.schema.json`](bom-1.7.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6,7 |
 | [`bom-1.2-strict.SNAPSHOT.schema.json`](bom-1.2-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
 | [`bom-1.3-strict.SNAPSHOT.schema.json`](bom-1.3-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 |
 | [`spdx.SNAPSHOT.xsd`](spdx.SNAPSHOT.xsd) | |
 | [`spdx.SNAPSHOT.schema.json`](spdx.SNAPSHOT.schema.json) | |
 | [`jsf-0.82.SNAPSHOT.schema.json`](jsf-0.82.SNAPSHOT.schema.json) | |
+| [`cryptography-defs.SNAPSHOT.schema.json`](cryptography-defs.SNAPSHOT.schema.json) | |
 
 changes: 
 1. `https?://cyclonedx.org/schema/spdx` was replaced with `spdx.SNAPSHOT.xsd`
@@ -35,3 +36,4 @@ changes:
 4. `properties.$schema.enum` was fixed to match `$id`
 5. `required.version` removed, as it is actually optional with default value
 6. `"format": "string"` removed, as it is unknown to JSON spec
+7. `cryptography-defs.schema.json` was replaced with `cryptography-defs.SNAPSHOT.schema.json`

package/src/builders/index.node.ts

@@ -17,4 +17,18 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-export * as FromNodePackageJson from './fromNodePackageJson.node'
+import * as _FromNodePackageJson from '../contrib/fromNodePackageJson/builders'
+
+
+// region deprecated re-exports
+
+/**
+ * Deprecated — Alias of {@link Contrib.FromNodePackageJson.Builders}.
+ *
+ * @deprecated This re-export location is deprecated.
+ * Import `Contrib.FromNodePackageJson.Builders` instead.
+ * The exported symbol itself is NOT deprecated - only this import path.
+ */
+export const FromNodePackageJson = _FromNodePackageJson
+
+// endregion deprecated re-exports

package/src/contrib/README.md

@@ -0,0 +1,20 @@
+# CycloneDX Contrib Extensions
+
+This directory contains community-contributed functionality that extends the capabilities of the CycloneDX core library.  
+Unlike the modules in `../`, these features are not part of the official CycloneDX specification and may vary in stability, scope, or compatibility.
+
+## Contents
+- Utilities, helpers, and experimental features developed by the community
+- Optional add-ons that may facilitate or enhance use of the CycloneDX core library
+- Code that evolves independently of the CycloneDX specification
+
+## Notes
+- Contrib modules are optional and not required for strict compliance with the CycloneDX standard.
+- They may change more frequently than the core and are not guaranteed to follow the same versioning rules.
+- Users should evaluate these modules carefully and consult documentation or source comments for details.
+
+## Contributing
+Contributions are welcome. To add an extension:
+1. Follow the contribution guidelines in the main repository.
+2. Place your code in a clearly named subfolder or file under `contrib/`.
+3. Provide documentation and tests to ensure clarity and maintainability.  

package/src/contrib/bom/index.ts

@@ -0,0 +1,20 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * as Utils from './utils'

package/src/contrib/fromNodePackageJson/_helpers/README.md

@@ -0,0 +1,6 @@
+# Helpers
+
+These are _internal_ helpers, that are not intended to be exported/published.
+
+The helpers SHALL **NOT** be marked as `@internal`, so that TypeScript might pick up on them and still render definitions for them.  
+The internal defined interfaces, classes, functions are required for proper type checking downstream, but SHOULD NOT be utilized/called downstream.

package/src/{builders/fromNodePackageJson.node.ts → contrib/fromNodePackageJson/builders.ts}

@@ -26,26 +26,27 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
  * Normalization should be done downstream, for example via [`normalize-package-data`](https://www.npmjs.com/package/normalize-package-data).
  */
 
-import { splitNameGroup } from '../_helpers/packageJson'
-import { ComponentType } from '../enums/componentType'
-import type * as Factories from '../factories/index.node'
-import { Component } from '../models/component'
-import { ExternalReferenceRepository } from '../models/externalReference'
-import { LicenseRepository } from '../models/license'
-import { Tool } from '../models/tool'
-import type { NodePackageJson } from '../types/nodePackageJson'
+import { ComponentType } from '../../enums/componentType'
+import { Component } from '../../models/component'
+import { ExternalReferenceRepository } from '../../models/externalReference'
+import { LicenseRepository } from '../../models/license'
+import { Tool } from '../../models/tool'
+import type { LicenseFactory } from '../license/factories'
+import { splitNameGroup } from './_helpers/packageJson'
+import type { ExternalReferenceFactory } from './factories'
+import type { NodePackageJson } from './types'
 
 /**
  * Node-specific ToolBuilder.
  */
 export class ToolBuilder {
-  readonly #extRefFactory: Factories.FromNodePackageJson.ExternalReferenceFactory
+  readonly #extRefFactory: ExternalReferenceFactory
 
   constructor (extRefFactory: ToolBuilder['extRefFactory']) {
     this.#extRefFactory = extRefFactory
   }
 
-  get extRefFactory (): Factories.FromNodePackageJson.ExternalReferenceFactory {
+  get extRefFactory (): ExternalReferenceFactory {
     return this.#extRefFactory
   }
 
@@ -71,8 +72,8 @@ export class ToolBuilder {
  * Node-specific ComponentBuilder.
  */
 export class ComponentBuilder {
-  readonly #extRefFactory: Factories.FromNodePackageJson.ExternalReferenceFactory
-  readonly #licenseFactory: Factories.LicenseFactory
+  readonly #extRefFactory: ExternalReferenceFactory
+  readonly #licenseFactory: LicenseFactory
 
   constructor (
     extRefFactory: ComponentBuilder['extRefFactory'],
@@ -82,11 +83,11 @@ export class ComponentBuilder {
     this.#licenseFactory = licenseFactory
   }
 
-  get extRefFactory (): Factories.FromNodePackageJson.ExternalReferenceFactory {
+  get extRefFactory (): ExternalReferenceFactory {
     return this.#extRefFactory
   }
 
-  get licenseFactory (): Factories.LicenseFactory {
+  get licenseFactory (): LicenseFactory {
     return this.#licenseFactory
   }
 
@@ -104,8 +105,8 @@ export class ComponentBuilder {
     const author = typeof data.author === 'string'
       ? data.author
       : (typeof data.author?.name === 'string'
-          ? data.author.name
-          : undefined)
+        ? data.author.name
+        : undefined)
 
     /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#description-1 */
     const description = typeof data.description === 'string'

package/src/{factories/fromNodePackageJson.node.ts → contrib/fromNodePackageJson/factories.ts}

@@ -29,16 +29,16 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import type { PackageURL } from 'packageurl-js'
 import { PurlQualifierNames } from 'packageurl-js'
 
-import { tryCanonicalizeGitUrl } from "../_helpers/gitUrl"
-import { isNotUndefined } from '../_helpers/notUndefined'
-import { ExternalReferenceType } from '../enums/externalReferenceType'
-import { HashAlgorithm } from "../enums/hashAlogorithm";
-import type { Component } from '../models/component'
-import { ExternalReference } from '../models/externalReference'
-import { HashDictionary } from '../models/hash'
-import type { NodePackageJson } from '../types/nodePackageJson'
-import { defaultRegistryMatcher, parsePackageIntegrity } from '../utils/npmjsUtility.node'
-import { PackageUrlFactory as PlainPackageUrlFactory } from './packageUrl'
+import { isNotUndefined } from '../../_helpers/notUndefined'
+import { ExternalReferenceType } from '../../enums/externalReferenceType'
+import { HashAlgorithm } from '../../enums/hashAlogorithm'
+import type { Component } from '../../models/component'
+import { ExternalReference } from '../../models/externalReference'
+import { HashDictionary } from '../../models/hash'
+import { PackageUrlFactory as PlainPackageUrlFactory } from '../packageUrl/factories'
+import { tryCanonicalizeGitUrl } from './_helpers/gitUrl'
+import type { NodePackageJson } from './types'
+import { defaultRegistryMatcher, parsePackageIntegrity } from './utils'
 
 /**
  * Node-specific ExternalReferenceFactory.
@@ -58,8 +58,8 @@ export class ExternalReferenceFactory {
   makeVcs (data: NodePackageJson): ExternalReference | undefined {
     /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#repositoryc */
     const repository = data.repository
-    let url = undefined
-    let comment: string | undefined = undefined
+    let url  // eslint-disable-line @typescript-eslint/init-declarations -- ack
+    let comment  // eslint-disable-line @typescript-eslint/init-declarations -- ack
     if (typeof repository === 'object') {
       url = tryCanonicalizeGitUrl(repository.url)
       comment = 'as detected from PackageJson property "repository.url"'
@@ -91,8 +91,8 @@ export class ExternalReferenceFactory {
   makeIssueTracker (data: NodePackageJson): ExternalReference | undefined {
     /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#bugs */
     const bugs = data.bugs
-    let url = undefined
-    let comment: string | undefined = undefined
+    let url  // eslint-disable-line @typescript-eslint/init-declarations -- ack
+    let comment  // eslint-disable-line @typescript-eslint/init-declarations -- ack
     if (typeof bugs === 'object') {
       url = bugs.url
       comment = 'as detected from PackageJson property "bugs.url"'
@@ -122,7 +122,7 @@ export class ExternalReferenceFactory {
         } catch { /* pass */ }
       }
       if (typeof shasum === 'string' && shasum.length === 40) {
-        hashes.set(HashAlgorithm["SHA-1"], shasum)
+        hashes.set(HashAlgorithm['SHA-1'], shasum)
         comment += ' and property "dist.shasum"'
       }
       return new ExternalReference(tarball, ExternalReferenceType.Distribution, { hashes, comment })

package/src/contrib/fromNodePackageJson/index.node.ts

@@ -0,0 +1,34 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Node-specifics.
+ *
+ * Intended to run on normalized data structures
+ * based on [PackageJson spec](https://github.com/SchemaStore/schemastore/blob/master/src/schemas/json/package.json)
+ * and explained by [PackageJson description](https://docs.npmjs.com/cli/v9/configuring-npm/package-json).
+ * Normalization should be done downstream, for example via [`normalize-package-data`](https://www.npmjs.com/package/normalize-package-data).
+ */
+
+export * as Builders from './builders'
+export * as Factories from './factories'
+export * as Types from './types'
+export * as Utils from './utils'
+
+// do not export the _helpers, they are for internal use only

package/src/{utils/npmjsUtility.node.ts → contrib/fromNodePackageJson/utils.ts}

@@ -17,7 +17,7 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import {HashAlgorithm} from '../enums/hashAlogorithm'
+import {HashAlgorithm} from '../../enums/hashAlogorithm'
 
 /**
  * See {@link https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#packages | package lock docs} for "integrity".

package/src/contrib/index.common.ts

@@ -0,0 +1,25 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Some features in this library are marked as contrib. These are community-provided extensions and are not part of the official standard. They are optional and may evolve independently from the core.
+ */
+
+export * as Bom from './bom'
+export * as PackageUrl from './packageUrl'

package/src/contrib/index.node.ts

@@ -0,0 +1,31 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Some features in this library are marked as contrib. These are community-provided extensions and are not part of the official standard. They are optional and may evolve independently from the core.
+ */
+
+export * from './index.common'
+
+// region node-specifics
+
+export * as FromNodePackageJson from './fromNodePackageJson/index.node'
+export * as License from './license/index.node'
+
+// endregion node-specifics

package/src/contrib/index.web.ts

@@ -0,0 +1,30 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Some features in this library are marked as contrib. These are community-provided extensions and are not part of the official standard. They are optional and may evolve independently from the core.
+ */
+
+export * from './index.common'
+
+// region web-specifics
+
+export * as License from './license/index.web'
+
+// endregion web-specifics

package/src/contrib/license/_helpers/README.md

@@ -0,0 +1,6 @@
+# Helpers
+
+These are _internal_ helpers, that are not intended to be exported/published.
+
+The helpers SHALL **NOT** be marked as `@internal`, so that TypeScript might pick up on them and still render definitions for them.  
+The internal defined interfaces, classes, functions are required for proper type checking downstream, but SHOULD NOT be utilized/called downstream.

package/src/{factories/license.ts → contrib/license/factories.ts}

@@ -17,9 +17,9 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import type { DisjunctiveLicense, License } from '../models/license'
-import { LicenseExpression, NamedLicense, SpdxLicense } from '../models/license'
-import { fixupSpdxId, isValidSpdxLicenseExpression } from '../spdx'
+import type { DisjunctiveLicense, License } from '../../models/license'
+import { LicenseExpression, NamedLicense, SpdxLicense } from '../../models/license'
+import { fixupSpdxId, isValidSpdxLicenseExpression } from '../../spdx'
 
 export class LicenseFactory {
   makeFromString (value: string): License {

package/src/contrib/license/index.common.ts

@@ -0,0 +1,22 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * as Factories from './factories'
+
+// do not export the _helpers, they are for internal use only

package/src/contrib/license/index.node.ts

@@ -0,0 +1,28 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * from './index.common'
+
+// region node-specifics
+
+export * as Utils from './utils.node'
+
+// endregion node-specifics
+
+// do not export the _helpers, they are for internal use only

package/src/contrib/license/index.web.ts

@@ -0,0 +1,28 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * from './index.common'
+
+// region web-specifics
+
+// nothing. yet ...
+
+// endregion web-specifics
+
+// do not export the _helpers, they are for internal use only

package/src/{utils/licenseUtility.node.ts → contrib/license/utils.node.ts}

@@ -26,9 +26,9 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import type { Stats } from 'node:fs'
 
-import { guessMimeTypeForLicenseFile } from '../_helpers/mime.node'
-import { AttachmentEncoding } from '../enums/attachmentEncoding'
-import { Attachment } from '../models/attachment'
+import { AttachmentEncoding } from '../../enums/attachmentEncoding'
+import { Attachment } from '../../models/attachment'
+import { guessMimeTypeForLicenseFile } from './_helpers/mime.node'
 
 export interface FsUtils<P extends string> {
   readdirSync: (path: P ) => P[]

package/src/{factories/packageUrl.ts → contrib/packageUrl/factories.ts}

@@ -19,8 +19,8 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import { PackageURL, PurlQualifierNames } from 'packageurl-js'
 
-import { ExternalReferenceType } from '../enums/externalReferenceType'
-import type { Component } from '../models/component'
+import { ExternalReferenceType } from '../../enums/externalReferenceType'
+import type { Component } from '../../models/component'
 
 export class PackageUrlFactory<PurlType extends PackageURL['type'] = PackageURL['type']> {
   readonly #type: PurlType

package/src/contrib/packageUrl/index.ts

@@ -0,0 +1,20 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * as Factories from './factories'

package/src/factories/index.common.ts

@@ -17,7 +17,28 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-// not everything is public, yet
+import {LicenseFactory as _LicenseFactory} from '../contrib/license/factories'
+import {PackageUrlFactory as _PackageUrlFactory} from '../contrib/packageUrl/factories'
 
-export * from './license'
-export * from './packageUrl'
+
+// region deprecated re-exports
+
+/**
+ * Deprecated — Alias of {@link Contrib.License.Factories.LicenseFactory}.
+ *
+ * @deprecated This re-export location is deprecated.
+ * Import `Contrib.License.Factories.LicenseFactory` instead.
+ * The exported symbol itself is NOT deprecated - only this import path.
+ */
+export const LicenseFactory = _LicenseFactory
+
+/**
+ * Deprecated — Alias of {@link Contrib.PackageUrl.Factories.PackageUrlFactory}.
+ *
+ * @deprecated This re-export location is deprecated.
+ * Import `Contrib.PackageUrl.Factories.PackageUrlFactory` instead.
+ * The exported symbol itself is NOT deprecated - only this import path.
+ */
+export const PackageUrlFactory = _PackageUrlFactory
+
+// endregion deprecated re-exports

package/src/factories/index.node.ts

@@ -17,10 +17,23 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
+import * as _FromNodePackageJson from '../contrib/fromNodePackageJson/factories'
+
 export * from './index.common'
 
 // region node-specifics
 
-export * as FromNodePackageJson from './fromNodePackageJson.node'
+// region deprecated re-exports
+
+/**
+ * Deprecated — Alias of {@link Contrib.FromNodePackageJson.Factories}.
+ *
+ * @deprecated This re-export location is deprecated.
+ * Import `Contrib.FromNodePackageJson.Factories` instead.
+ * The exported symbol itself is NOT deprecated - only this import path.
+ */
+export const FromNodePackageJson = _FromNodePackageJson
+
+// endregion deprecated re-exports
 
 // endregion node-specifics

package/src/index.common.ts

@@ -22,4 +22,5 @@ export * as Models from './models'
 export * as SPDX from './spdx'
 export * as Spec from './spec'
 export * as Types from './types'
+
 // do not export the _helpers, they are for internal use only

package/src/index.node.ts

@@ -25,9 +25,13 @@ export * from './index.common'
 
 // region node-specifics
 
+/** @deprecated next */
 export * as Builders from './builders/index.node'
+export * as Contrib from './contrib/index.node'
+/** @deprecated next */
 export * as Factories from './factories/index.node'
 export * as Serialize from './serialize/index.node'
+/** @deprecated next */
 export * as Utils from './utils/index.node'
 export * as Validation from './validation/index.node'
 
@@ -39,3 +43,6 @@ export * as Validation from './validation/index.node'
 export * as _Resources from './resources.node'
 
 // endregion node-specifics
+
+// do not export the _helpers, they are for internal use only
+