@trustify-da/trustify-da-javascript-client 0.3.0-ea.ff266a3 → 0.3.0-ea.ff694a0

package/dist/src/license/project_license.js

@@ -7,7 +7,7 @@ import path from 'node:path';
 import { selectTrustifyDABackend } from '../index.js';
 import { matchForLicense, availableProviders } from '../provider.js';
 import { addProxyAgent, getTokenHeaders } from '../tools.js';
-const LICENSE_FILES = ['LICENSE', 'LICENSE.md', 'LICENSE.txt'];
+import { normalizeSpdx, readLicenseFile } from './license_utils.js';
 /**
  * Resolve project license from manifest and from LICENSE / LICENSE.md in manifest dir or git root.
  * Uses local pattern matching for LICENSE file identification (synchronous).
@@ -19,7 +19,7 @@ export function getProjectLicense(manifestPath) {
     const resolved = path.resolve(manifestPath);
     const provider = matchForLicense(resolved, availableProviders);
     const fromManifest = provider.readLicenseFromManifest(resolved);
-    const fromFile = readLicenseFromFile(resolved);
+    const fromFile = readLicenseFile(resolved);
     const mismatch = Boolean(fromManifest && fromFile && normalizeSpdx(fromManifest) !== normalizeSpdx(fromFile));
     return {
         fromManifest: fromManifest || null,
@@ -27,26 +27,7 @@ export function getProjectLicense(manifestPath) {
         mismatch
     };
 }
-/**
- * Find LICENSE file path in the same directory as the manifest.
- * @param {string} manifestPath
- * @returns {string|null} - path to LICENSE file or null if not found
- */
-export function findLicenseFilePath(manifestPath) {
-    const manifestDir = path.dirname(path.resolve(manifestPath));
-    for (const name of LICENSE_FILES) {
-        const filePath = path.join(manifestDir, name);
-        try {
-            if (fs.statSync(filePath).isFile()) {
-                return filePath;
-            }
-        }
-        catch {
-            // skip
-        }
-    }
-    return null;
-}
+export { findLicenseFilePath, readLicenseFile } from './license_utils.js';
 /**
  * Call backend /licenses/identify endpoint to identify license from file.
  * @param {string} licenseFilePath - path to LICENSE file
@@ -57,7 +38,7 @@ export async function identifyLicense(licenseFilePath, opts = {}) {
     try {
         const fileContent = fs.readFileSync(licenseFilePath);
         const backendUrl = selectTrustifyDABackend(opts);
-        const url = new URL(`${backendUrl}/licenses/identify`);
+        const url = new URL(`${backendUrl}/api/v5/licenses/identify`);
         const tokenHeaders = getTokenHeaders(opts);
         const fetchOptions = addProxyAgent({
             method: 'POST',
@@ -79,61 +60,3 @@ export async function identifyLicense(licenseFilePath, opts = {}) {
         return null; // Fallback to local detection on error
     }
 }
-/**
- * Find and read LICENSE or LICENSE.md; use local pattern matching for identification.
- * @param {string} manifestPath
- * @returns {string|null}
- */
-function readLicenseFromFile(manifestPath) {
-    const licenseFilePath = findLicenseFilePath(manifestPath);
-    if (!licenseFilePath) {
-        return null;
-    }
-    try {
-        const content = fs.readFileSync(licenseFilePath, 'utf-8');
-        return detectSpdxFromText(content) || content.split('\n')[0]?.trim() || null;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Very simple SPDX detection from common license text (first ~500 chars).
- * @param {string} text
- * @returns {string|null}
- */
-function detectSpdxFromText(text) {
-    const head = text.slice(0, 500);
-    if (/Apache License,?\s*Version 2\.0/i.test(head)) {
-        return 'Apache-2.0';
-    }
-    if (/MIT License/i.test(head) && /Permission is hereby granted/i.test(head)) {
-        return 'MIT';
-    }
-    if (/GNU GENERAL PUBLIC LICENSE\s+Version 2/i.test(head)) {
-        return 'GPL-2.0-only';
-    }
-    if (/GNU GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
-        return 'GPL-3.0-only';
-    }
-    if (/BSD 2-Clause/i.test(head)) {
-        return 'BSD-2-Clause';
-    }
-    if (/BSD 3-Clause/i.test(head)) {
-        return 'BSD-3-Clause';
-    }
-    return null;
-}
-/**
- * Normalize for comparison (lowercase, strip common suffixes).
- * @param {string} spdxOrName
- * @returns {string}
- */
-function normalizeSpdx(spdxOrName) {
-    const s = String(spdxOrName).trim().toLowerCase();
-    // e.g. "MIT" vs "MIT License"
-    if (s.endsWith(' license')) {
-        return s.slice(0, -8);
-    }
-    return s;
-}

package/dist/src/oci_image/utils.js

@@ -135,7 +135,7 @@ function execSyft(imageRef, opts = {}) {
 function getSyftEnvs(dockerPath, podmanPath) {
     let path = null;
     if (dockerPath && podmanPath) {
-        path = `${dockerPath}${File.pathSeparator}${podmanPath}`;
+        path = `${dockerPath}${delimiter}${podmanPath}`;
     }
     else if (dockerPath) {
         path = dockerPath;
@@ -276,7 +276,16 @@ function podmanGetVariant(opts = {}) {
  * @returns {string} - The information
  */
 function dockerPodmanInfo(dockerSupplier, podmanSupplier, opts = {}) {
-    return dockerSupplier(opts) || podmanSupplier(opts);
+    try {
+        const result = dockerSupplier(opts);
+        if (result) {
+            return result;
+        }
+    }
+    catch (_) {
+        // docker not available, fall through to podman
+    }
+    return podmanSupplier(opts);
 }
 /**
  * Gets the digests for an image

package/dist/src/provider.d.ts

@@ -13,12 +13,15 @@ export function matchForLicense(manifestPath: string, providers: [Provider]): Pr
  * Each provider MUST export 'provideStack' taking manifest path returning a {@link Provided}.
  * @param {string} manifest - the name-type or path of the manifest
  * @param {[Provider]} providers - list of providers to iterate over
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional; TRUSTIFY_DA_WORKSPACE_DIR overrides lock file location for workspaces
  * @returns {Provider}
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
-export function match(manifest: string, providers: [Provider]): Provider;
+export function match(manifest: string, providers: [Provider], opts?: {
+    TRUSTIFY_DA_WORKSPACE_DIR?: string;
+}): Provider;
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null, packageManagerName: function(): string}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -31,8 +34,9 @@ export type Provided = {
 };
 export type Provider = {
     isSupported: (arg0: string) => boolean;
-    validateLockFile: (arg0: string) => void;
+    validateLockFile: (arg0: string, arg1: any) => void;
     provideComponent: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
     provideStack: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
     readLicenseFromManifest: (arg0: string) => string | null;
+    packageManagerName: () => string;
 };

package/dist/src/provider.js

@@ -3,12 +3,17 @@ import golangGomodulesProvider from './providers/golang_gomodules.js';
 import Java_gradle_groovy from "./providers/java_gradle_groovy.js";
 import Java_gradle_kotlin from "./providers/java_gradle_kotlin.js";
 import Java_maven from "./providers/java_maven.js";
+import Javascript_bun from './providers/javascript_bun.js';
 import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_pip_pyproject from './providers/python_pip_pyproject.js';
+import Python_poetry from './providers/python_poetry.js';
+import Python_uv from './providers/python_uv.js';
+import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null, packageManagerName: function(): string}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -17,11 +22,16 @@ export const availableProviders = [
     new Java_maven(),
     new Java_gradle_groovy(),
     new Java_gradle_kotlin(),
-    new Javascript_npm(),
+    new Javascript_bun(),
     new Javascript_pnpm(),
     new Javascript_yarn(),
+    new Javascript_npm(),
     golangGomodulesProvider,
-    pythonPipProvider
+    pythonPipProvider,
+    new Python_poetry(),
+    new Python_uv(),
+    new Python_pip_pyproject(),
+    rustCargoProvider
 ];
 /**
  * Match a provider by manifest type only (no lock file check). Used for license reading.
@@ -45,16 +55,17 @@ export function matchForLicense(manifestPath, providers) {
  * Each provider MUST export 'provideStack' taking manifest path returning a {@link Provided}.
  * @param {string} manifest - the name-type or path of the manifest
  * @param {[Provider]} providers - list of providers to iterate over
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional; TRUSTIFY_DA_WORKSPACE_DIR overrides lock file location for workspaces
  * @returns {Provider}
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
-export function match(manifest, providers) {
+export function match(manifest, providers, opts = {}) {
     const manifestPath = path.parse(manifest);
     const supported = providers.filter(prov => prov.isSupported(manifestPath.base));
     if (supported.length === 0) {
         throw new Error(`${manifestPath.base} is not supported`);
     }
-    const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir));
+    const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir, opts));
     if (!provider) {
         throw new Error(`${manifestPath.base} requires a lock file. Use your preferred package manager to generate the lock file.`);
     }

package/dist/src/providers/base_java.d.ts

@@ -20,6 +20,11 @@ export default class Base_Java {
     CONFLICT_REGEX: RegExp;
     globalBinary: string;
     localWrapper: string;
+    /**
+     * Returns the package manager name (e.g. mvn, gradle)
+     * @returns {string}
+     */
+    packageManagerName(): string;
     /**
      * Recursively populates the SBOM instance with the parsed graph
      * @param {string} src - Source dependency to start the calculations from
@@ -57,15 +62,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -26,6 +25,13 @@ export default class Base_Java {
         this.globalBinary = globalBinary;
         this.localWrapper = localWrapper;
     }
+    /**
+     * Returns the package manager name (e.g. mvn, gradle)
+     * @returns {string}
+     */
+    packageManagerName() {
+        return this.globalBinary;
+    }
     /**
      * Recursively populates the SBOM instance with the parsed graph
      * @param {string} src - Source dependency to start the calculations from
@@ -131,7 +137,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +162,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_javascript.d.ts

@@ -47,6 +47,11 @@ export default class Base_javascript {
    */
     protected _cmdName(): string;
     /**
+   * Returns the package manager name (e.g. npm, yarn, pnpm, bun)
+   * @returns {string} The package manager name
+   */
+    packageManagerName(): string;
+    /**
    * Returns the command arguments for listing dependencies
    * @returns {Array<string>} The command arguments
    * @abstract
@@ -67,11 +72,26 @@ export default class Base_javascript {
    */
     isSupported(manifestName: string): boolean;
     /**
-   * Checks if a required lock file exists in the same path as the manifest
+   * Walks up the directory tree from manifestDir looking for the lock file.
+   * Stops when the lock file is found, when a package.json with a "workspaces"
+   * field is encountered without a lock file (workspace root boundary), or
+   * when the filesystem root is reached.
+   *
+   * When TRUSTIFY_DA_WORKSPACE_DIR is set, checks only that directory (no walk-up).
+   *
+   * @param {string} manifestDir - The directory to start searching from
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
+   * @returns {string|null} The directory containing the lock file, or null
+   * @protected
+   */
+    protected _isWorkspaceRoot(dir: any): string | null;
+    _findLockFileDir(manifestDir: any, opts?: {}): string | null;
+    /**
    * @param {string} manifestDir - The base directory where the manifest is located
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir: string): boolean;
+    validateLockFile(manifestDir: string, opts?: any): boolean;
     /**
    * Provides content and content type for stack analysis
    * @param {string} manifestPath - The manifest path or name
@@ -95,10 +115,11 @@ export default class Base_javascript {
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {Object} [opts={}] - Configuration options; when `TRUSTIFY_DA_WORKSPACE_DIR` is set, commands run from workspace root
    * @returns {Object} The dependency tree
    * @protected
    */
-    protected _buildDependencyTree(includeTransitive: boolean): any;
+    protected _buildDependencyTree(includeTransitive: boolean, opts?: any): any;
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -120,6 +141,12 @@ export default class Base_javascript {
    */
     protected _version(): string;
     /**
+   * Creates or updates the lock file for the package manager
+   * @param {string} manifestDir - Directory containing the manifest file
+   * @protected
+   */
+    protected _createLockFile(manifestDir: string): void;
+    /**
    * Parses the dependency tree output
    * @param {string} output - The output to parse
    * @returns {string} The parsed output

package/dist/src/providers/base_javascript.js

@@ -1,8 +1,9 @@
 import fs from 'node:fs';
 import os from "node:os";
 import path from 'node:path';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
-import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from "../tools.js";
+import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from '../tools.js';
 import Manifest from './manifest.js';
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
@@ -70,6 +71,13 @@ export default class Base_javascript {
         throw new TypeError("_cmdName must be implemented");
     }
     /**
+   * Returns the package manager name (e.g. npm, yarn, pnpm, bun)
+   * @returns {string} The package manager name
+   */
+    packageManagerName() {
+        return this._cmdName();
+    }
+    /**
    * Returns the command arguments for listing dependencies
    * @returns {Array<string>} The command arguments
    * @abstract
@@ -96,13 +104,63 @@ export default class Base_javascript {
         return 'package.json' === manifestName;
     }
     /**
-   * Checks if a required lock file exists in the same path as the manifest
+   * Walks up the directory tree from manifestDir looking for the lock file.
+   * Stops when the lock file is found, when a package.json with a "workspaces"
+   * field is encountered without a lock file (workspace root boundary), or
+   * when the filesystem root is reached.
+   *
+   * When TRUSTIFY_DA_WORKSPACE_DIR is set, checks only that directory (no walk-up).
+   *
+   * @param {string} manifestDir - The directory to start searching from
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
+   * @returns {string|null} The directory containing the lock file, or null
+   * @protected
+   */
+    _isWorkspaceRoot(dir) {
+        if (fs.existsSync(path.join(dir, 'pnpm-workspace.yaml'))) {
+            return true;
+        }
+        const pkgJsonPath = path.join(dir, 'package.json');
+        if (fs.existsSync(pkgJsonPath)) {
+            try {
+                const content = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+                if (content.workspaces) {
+                    return true;
+                }
+            }
+            catch (_) {
+                // ignore parse errors
+            }
+        }
+        return false;
+    }
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
    * @param {string} manifestDir - The base directory where the manifest is located
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir) {
-        const lock = path.join(manifestDir, this._lockFileName());
-        return fs.existsSync(lock);
+    validateLockFile(manifestDir, opts = {}) {
+        return this._findLockFileDir(manifestDir, opts) !== null;
     }
     /**
    * Provides content and content type for stack analysis
@@ -138,33 +196,36 @@ export default class Base_javascript {
      * @returns {string|null}
      */
     readLicenseFromManifest(manifestPath) {
+        let manifestLicense;
         try {
             const content = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
             if (typeof content.license === 'string') {
-                return content.license.trim() || null;
+                manifestLicense = content.license.trim() || null;
             }
-            if (Array.isArray(content.licenses) && content.licenses.length > 0) {
+            else if (Array.isArray(content.licenses) && content.licenses.length > 0) {
                 const first = content.licenses[0];
                 const name = first.type || first.name;
-                return typeof name === 'string' ? name.trim() : null;
+                manifestLicense = (typeof name === 'string' ? name.trim() : null);
             }
-            return null;
         }
         catch {
-            return null;
+            manifestLicense = null;
         }
+        return getLicense(manifestLicense, manifestPath);
     }
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {Object} [opts={}] - Configuration options; when `TRUSTIFY_DA_WORKSPACE_DIR` is set, commands run from workspace root
    * @returns {Object} The dependency tree
    * @protected
    */
-    _buildDependencyTree(includeTransitive) {
+    _buildDependencyTree(includeTransitive, opts = {}) {
         this._version();
-        let manifestDir = path.dirname(this.#manifest.manifestPath);
-        this.#createLockFile(manifestDir);
-        let output = this.#executeListCmd(includeTransitive, manifestDir);
+        const manifestDir = path.dirname(this.#manifest.manifestPath);
+        const cmdDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
+        this._createLockFile(cmdDir);
+        let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
         return JSON.parse(output);
     }
@@ -175,15 +236,38 @@ export default class Base_javascript {
    * @private
    */
     #getSBOM(opts = {}) {
-        const depsObject = this._buildDependencyTree(true);
+        const depsObject = this._buildDependencyTree(true, opts);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
         const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
         sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
+    /**
+     * Ensures peer and optional dependencies declared in the manifest are
+     * present in the SBOM, even when the package manager does not resolve them
+     * (e.g. yarn does not include peer deps in its dependency listing).
+     * @param {Sbom} sbom - The SBOM to supplement
+     * @private
+     */
+    #ensurePeerAndOptionalDeps(sbom) {
+        const rootPurl = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const depSources = [this.#manifest.peerDependencies, this.#manifest.optionalDependencies];
+        for (const source of depSources) {
+            for (const [name, version] of Object.entries(source)) {
+                // Build the purl prefix for exact matching (e.g. "pkg:npm/minimist@"
+                // or "pkg:npm/%40hapi/joi@") to avoid substring false positives
+                const probe = toPurl(purlType, name, version);
+                const purlPrefix = probe.toString().replace(/@[^@]*$/, '@');
+                if (!sbom.checkDependsOnByPurlPrefix(rootPurl, purlPrefix)) {
+                    sbom.addDependency(rootPurl, probe);
+                }
+            }
+        }
+    }
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -191,7 +275,10 @@ export default class Base_javascript {
    * @protected
    */
     _addDependenciesToSbom(sbom, depTree) {
-        const dependencies = depTree["dependencies"] || {};
+        const dependencies = {
+            ...depTree["dependencies"],
+            ...depTree["optionalDependencies"],
+        };
         Object.entries(dependencies)
             .forEach(entry => {
             const [name, artifact] = entry;
@@ -227,7 +314,7 @@ export default class Base_javascript {
    * @private
    */
     #getDirectDependencySbom(opts = {}) {
-        const depTree = this._buildDependencyTree(false);
+        const depTree = this._buildDependencyTree(false, opts);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
         const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
@@ -241,6 +328,7 @@ export default class Base_javascript {
             const rootPurl = toPurlFromString(sbom.getRoot().purl);
             sbom.addDependency(rootPurl, rootDeps.get(key));
         }
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
@@ -251,10 +339,14 @@ export default class Base_javascript {
    * @protected
    */
     _getRootDependencies(depTree) {
-        if (!depTree.dependencies) {
+        const allDeps = {
+            ...depTree.dependencies,
+            ...depTree.optionalDependencies,
+        };
+        if (Object.keys(allDeps).length === 0) {
             return new Map();
         }
-        return new Map(Object.entries(depTree.dependencies).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
+        return new Map(Object.entries(allDeps).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
     }
     /**
    * Executes the list command to get dependencies
@@ -265,7 +357,7 @@ export default class Base_javascript {
    */
     #executeListCmd(includeTransitive, manifestDir) {
         const listArgs = this._listCmdArgs(includeTransitive, manifestDir);
-        return this.#invokeCommand(listArgs);
+        return this.#invokeCommand(listArgs, { cwd: manifestDir });
     }
     /**
    * Gets the version of the package manager
@@ -278,19 +370,17 @@ export default class Base_javascript {
     /**
    * Creates or updates the lock file for the package manager
    * @param {string} manifestDir - Directory containing the manifest file
-   * @private
+   * @protected
    */
-    #createLockFile(manifestDir) {
+    _createLockFile(manifestDir) {
         const originalDir = process.cwd();
         const isWindows = os.platform() === 'win32';
         if (isWindows) {
-            // On Windows, --prefix flag doesn't work as expected
-            // Instead of installing from the prefix folder, it installs from current working directory
             process.chdir(manifestDir);
         }
         try {
             const args = this._updateLockFileCmdArgs(manifestDir);
-            this.#invokeCommand(args);
+            this.#invokeCommand(args, { cwd: manifestDir });
         }
         finally {
             if (isWindows) {