
fix: correct upgrade detection and CLI default format #8

Open · dmchaledev wants to merge 1 commit into main from claude/magical-ptolemy-AhDtF

Conversation

@dmchaledev
Contributor

Summary

Two correctness bugs broke the tool's documented usage. Both fixes are small and self-contained.

1. Upgrade detection was broken for versioned purls (the headline feature)

diff() keyed components by their full purl, but purls embed the version (e.g. pkg:npm/lodash@4.17.21). When a package was upgraded, its purl changed, so it was keyed differently in each SBOM and reported as a separate add + remove rather than an upgrade. Since real-world CycloneDX/SPDX SBOMs almost always emit versioned purls, the package's headline feature ("Highlights … upgraded dependencies") effectively never worked outside the name-only fallback path.

Before (old.json lodash 4.17.20 → new.json lodash 4.17.21):

Summary:
  Added:       1
  Removed:     1
  Upgraded:    0

After:

Summary:
  Added:       0
  Removed:     0
  Upgraded:    1

↑ Upgraded Components:
  ~ lodash: 4.17.20 → 4.17.21

Fix: match components by a version-agnostic purl key (strip everything from the first literal @ onward). Scoped npm packages encode their namespace @ as %40, so the first literal @ is always the version delimiter — pkg:npm/%40babel/core@7.x is handled correctly.

2. CLI crashed when run without --format

sbom-diff old.json new.json — the primary example in the README — threw Error: Unsupported format: old.json. With no --format flag, args.indexOf('--format') returns -1, so args[-1 + 1] read the first filename as the format. Invalid --format values also dumped a stack trace.

Fix: only read the next arg when --format is actually present, and validate the value, printing a clear error (Unknown format: yaml. Use one of: text, json, markdown) instead of throwing.

Tests

  • Replaced the misleading diff test that asserted the buggy add/remove behavior with one that asserts correct upgrade detection across versioned purls.
  • Added coverage for scoped npm packages (%40).
  • Full suite passes (21 tests), lint clean, build clean.

https://claude.ai/code/session_013dtMxjdzfj1UumYEKLUo4u


Generated by Claude Code
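The keying bug described above matters beyond cosmetics: a reviewer who relies on the "Upgraded" section to spot dependency version changes between two SBOMs sees none of them when every change is reported as an unrelated add plus remove. The following is an added example (not the sbom-diff project's own code) showing a diff() keyed by a version-agnostic purl next to the pre-fix full-purl keying for contrast; the component shape { name, version, purl }, the diff() signature and the sample component lists are assumptions constructed for this example.

```javascript
// Added example, not the sbom-diff project's own code: a diff() keyed by a
// version-agnostic purl so a version bump is reported as an upgrade rather
// than an add + remove. The component shape { name, version, purl } and the
// diff() signature are assumptions for this example.

// Strip everything from the first literal '@' onward. The purl spec requires
// '@' inside a namespace or name to be percent-encoded (%40), so the first
// literal '@' is always the version delimiter; qualifiers ('?...') and the
// subpath ('#...') come after the version and are dropped with it.
function purlKey(purl) {
  const at = purl.indexOf('@');
  return at === -1 ? purl : purl.slice(0, at);
}

// The pre-fix behaviour for contrast: the full purl, version included.
function fullPurlKey(purl) {
  return purl;
}

// Index components by purl key, falling back to the bare name when a
// component carries no purl.
function indexBy(components, keyFn) {
  const map = new Map();
  for (const c of components) {
    map.set(c.purl ? keyFn(c.purl) : `name:${c.name}`, c);
  }
  return map;
}

function diff(oldComponents, newComponents, keyFn = purlKey) {
  const oldMap = indexBy(oldComponents, keyFn);
  const newMap = indexBy(newComponents, keyFn);
  const added = [];
  const removed = [];
  const upgraded = [];
  for (const [key, next] of newMap) {
    const prev = oldMap.get(key);
    if (!prev) {
      added.push(next);
    } else if (prev.version !== next.version) {
      upgraded.push({ name: next.name, from: prev.version, to: next.version });
    }
  }
  for (const [key, prev] of oldMap) {
    if (!newMap.has(key)) removed.push(prev);
  }
  return { added, removed, upgraded };
}

// Constructed sample component lists (not real SBOM files) mirroring the
// PR's scenario: two upgrades, one of them a scoped package, one add, one remove.
const OLD_COMPONENTS = [
  { name: 'lodash', version: '4.17.20', purl: 'pkg:npm/lodash@4.17.20' },
  { name: '@babel/core', version: '7.22.0', purl: 'pkg:npm/%40babel/core@7.22.0' },
  { name: 'left-pad', version: '1.3.0', purl: 'pkg:npm/left-pad@1.3.0' },
];
const NEW_COMPONENTS = [
  { name: 'lodash', version: '4.17.21', purl: 'pkg:npm/lodash@4.17.21' },
  { name: '@babel/core', version: '7.23.0', purl: 'pkg:npm/%40babel/core@7.23.0' },
  { name: 'chalk', version: '5.3.0', purl: 'pkg:npm/chalk@5.3.0' },
];

// Summary counts for a given keying strategy (before: fullPurlKey, after: purlKey).
function counts(keyFn) {
  const r = diff(OLD_COMPONENTS, NEW_COMPONENTS, keyFn);
  return { added: r.added.length, removed: r.removed.length, upgraded: r.upgraded.length };
}

console.log('before (full purl key):', counts(fullPurlKey));
console.log('after  (version-agnostic key):', counts(purlKey));
for (const u of diff(OLD_COMPONENTS, NEW_COMPONENTS).upgraded) {
  console.log(`  ~ ${u.name}: ${u.from} -> ${u.to}`);
}
```

With the full-purl key none of the three old components matches any of the three new ones, so the sample reports 3 added, 3 removed, 0 upgraded; with the version-agnostic key it reports 1 added (chalk), 1 removed (left-pad) and 2 upgraded, including the scoped pkg:npm/%40babel/core. The example records any version change under "upgraded", as the PR does; it does not compare versions, so a downgrade would land in the same list.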

Two correctness bugs broke the documented usage:

- diff() keyed components by the full purl, but purls embed the version
  (e.g. pkg:npm/lodash@4.17.21). A version change produced a different
  key, so upgrades were reported as a separate add + remove instead of an
  upgrade — defeating the package's headline feature for any SBOM with
  versioned purls (the real-world norm). Now matched by a version-agnostic
  purl key; scoped npm packages (%40) are handled correctly.

- The CLI crashed when run without --format. args.indexOf('--format')
  returned -1, so args[-1+1] used the first filename as the format and
  threw "Unsupported format". sbom-diff old.json new.json (the README's
  primary example) now works, and invalid --format values give a clear
  error.

Updated the misleading diff test that asserted the buggy behavior and
added coverage for versioned-purl and scoped-package upgrades.
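The --format bug and its fix, as an added example that is not the sbom-diff project's own CLI code: the pre-fix lookup is kept beside a parser that only reads the value when the flag is present, validates it against the known formats, and returns the error text the PR quotes instead of throwing. The default of text, the usage string and the run() wrapper with its exit codes are assumptions for this example.

```javascript
// Added example, not the sbom-diff project's own CLI code. The 'text' default,
// the usage line and run()'s exit codes are assumptions for this example.
const FORMATS = ['text', 'json', 'markdown'];

// The pre-fix lookup for contrast: with no --format flag, indexOf returns -1
// and args[-1 + 1] is args[0], i.e. the first filename is taken as the format.
function buggyFormat(args) {
  return args[args.indexOf('--format') + 1];
}

function parseArgs(args) {
  let format = 'text';
  let positional = args;
  const i = args.indexOf('--format');
  if (i !== -1) {
    const value = args[i + 1];
    if (value === undefined) {
      return { error: `Missing value for --format. Use one of: ${FORMATS.join(', ')}` };
    }
    if (!FORMATS.includes(value)) {
      return { error: `Unknown format: ${value}. Use one of: ${FORMATS.join(', ')}` };
    }
    format = value;
    // Drop the flag and its value so only the two SBOM paths remain.
    positional = args.slice(0, i).concat(args.slice(i + 2));
  }
  if (positional.length !== 2) {
    return { error: 'Usage: sbom-diff <old-sbom> <new-sbom> [--format text|json|markdown]' };
  }
  return { oldPath: positional[0], newPath: positional[1], format };
}

// A CLI wrapper: print the message and return exit code 1 on a parse error,
// otherwise report what would be diffed and return 0.
function run(args) {
  const parsed = parseArgs(args);
  if (parsed.error) {
    console.error(parsed.error);
    return 1;
  }
  console.log(`diffing ${parsed.oldPath} -> ${parsed.newPath} as ${parsed.format}`);
  return 0;
}

console.log('buggy lookup without --format:', buggyFormat(['old.json', 'new.json']));
run(['old.json', 'new.json']);
run(['old.json', 'new.json', '--format', 'yaml']);
```

The flag is accepted in any position, and a trailing --format with no value is reported as its own error rather than read as undefined.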
