verimu 0.0.9 → 0.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -6
- package/dist/{cli.mjs → cli.js} +1295 -65
- package/dist/cli.js.map +1 -0
- package/dist/index.cjs +1503 -182
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +415 -24
- package/dist/index.d.ts +415 -24
- package/dist/index.mjs +1495 -182
- package/dist/index.mjs.map +1 -1
- package/package.json +9 -3
- package/dist/cli.mjs.map +0 -1
package/README.md
CHANGED
|
@@ -11,19 +11,22 @@ The NPM package for `verimu`, a tool for producing CRA-compliant SBOMs via CI /
|
|
|
11
11
|
The core scanning pipeline is CI-agnostic — it works in any environment with Node.js 20+.
|
|
12
12
|
Example CI configs are provided in the `ci-examples/` directory.
|
|
13
13
|
|
|
14
|
-
- [x] GitHub Actions (`.github/workflows/
|
|
14
|
+
- [x] GitHub Actions (`.github/workflows/ci.yml`, `.github/workflows/publish-npm.yml`)
|
|
15
15
|
- [x] GitLab CI (`ci-examples/gitlab-ci.yml`)
|
|
16
16
|
- [x] Bitbucket Pipelines (`ci-examples/bitbucket-pipelines.yml`)
|
|
17
17
|
|
|
18
18
|
## Supported Package Ecosystems
|
|
19
19
|
|
|
20
20
|
- [x] npm (package-lock.json)
|
|
21
|
+
- [x] yarn (yarn.lock)
|
|
22
|
+
- [x] pnpm (pnpm-lock.yaml)
|
|
21
23
|
- [x] NuGet (packages.lock.json)
|
|
22
24
|
- [x] pip (requirements.txt, Pipfile.lock)
|
|
23
25
|
- [x] Cargo (Cargo.lock)
|
|
24
26
|
- [x] Maven (pom.xml + dependency-tree.txt or `mvn` on PATH)
|
|
25
27
|
- [x] Go (go.sum)
|
|
26
28
|
- [x] Ruby (Gemfile.lock)
|
|
29
|
+
- [x] Composer (composer.lock)
|
|
27
30
|
|
|
28
31
|
## Development
|
|
29
32
|
|
|
@@ -38,13 +41,13 @@ npm test
|
|
|
38
41
|
`verimu` can publish from GitHub Actions, GitLab CI, and Bitbucket Pipelines when a semver tag is pushed.
|
|
39
42
|
Each pipeline validates:
|
|
40
43
|
|
|
41
|
-
- tag is semver (
|
|
42
|
-
- tag version
|
|
44
|
+
- tag is semver (i.e. `1.2.3` without a `v` prefix)
|
|
45
|
+
- tag version must match `package.json` version
|
|
43
46
|
- tagged commit exists on `main`
|
|
44
47
|
|
|
45
48
|
### Publish credentials
|
|
46
49
|
|
|
47
|
-
- GitHub Actions (`.github/workflows/
|
|
50
|
+
- GitHub Actions (`.github/workflows/publish-npm.yml`): uses npm Trusted Publishing (OIDC), so NO `NPM_TOKEN` secret is required.
|
|
48
51
|
- GitLab and Bitbucket pipelines in this repo still use `NPM_TOKEN` (`.gitlab-ci.yml`, `bitbucket-pipelines.yml`).
|
|
49
52
|
|
|
50
53
|
### Recommended release flow
|
|
@@ -78,6 +81,6 @@ The Maven scanner needs resolved dependencies. Since Maven has no lockfile, it u
|
|
|
78
81
|
|
|
79
82
|
## Three CI / CD Pipelines as Self Check on the `verimu` package itself
|
|
80
83
|
|
|
81
|
-
There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/
|
|
84
|
+
There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/ci.yml` file, all of which run `verimu` against itself in each of the 3 frameworks we support (GitHub Actions, GitLab CI, Bitbucket Pipelines). The tests should pass in all 3 environments, confirming that `verimu` can successfully scan its own dependencies and produce a report.
|
|
82
85
|
|
|
83
|
-
|
|
86
|
+
Tag-based npm release automation in GitHub Actions is handled by `.github/workflows/publish-npm.yml`, so this repo remains a working cross-provider reference for both scanning and publishing.
|