Do you know of a way that npm will return the repo from which the component was resolved?
For example, an org has an internal Artifactory or Nexus repo they resolve all npm components from. CycloneDX would need to be able to identify the components that are accessible in the public npm repo (even if they also exist in a private repo) from the components that only reside in an alternate repo (Artifactory/Nexus or some other non-npm repo).
It would be great if packages that are installed from a non-NPM origin had the information in their purl.
For example
Would create a component with purl
pkg:npm/cli@1.0.27?vcs_url=git+git+ssh://git@github.com:npm/cli.git#v1.0.27
Similarly, repository_url could be added for packages installed from custom registries.
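The `resolved` field that npm writes for each entry in `package-lock.json` records the URL a package was fetched from, which is enough to attach the qualifiers discussed above. The following is an added example, not code from this issue or from the CycloneDX project; the function names, the sample lockfile, the Nexus host name and the commit hash are constructed, and the qualifier encoding (percent-encode, keeping `:` and `/` literal) is an assumption.

```javascript
// Added example: classify npm components by the "resolved" URL in package-lock.json
// and emit purls with repository_url / vcs_url qualifiers. Function names are hypothetical.
const PUBLIC_REGISTRY_HOST = 'registry.npmjs.org';

// Constructed sample shaped like the "packages" map of a lockfileVersion 2/3 lockfile.
const sampleLock = { packages: {
  '': { name: 'demo-app', version: '0.0.1' },
  'node_modules/left-pad': { version: '1.3.0',
    resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  'node_modules/@acme/internal-lib': { version: '2.1.0',
    resolved: 'https://nexus.example.internal/repository/npm-private/@acme/internal-lib/-/internal-lib-2.1.0.tgz' },
  'node_modules/cli': { version: '1.0.27', // constructed commit hash
    resolved: 'git+ssh://git@github.com/npm/cli.git#0123456789abcdef0123456789abcdef01234567' }
} };

// Percent-encode a qualifier value, keeping ':' and '/' literal (assumed encoding choice).
function encodeQualifier(value) {
  return encodeURIComponent(value).replace(/%3A/g, ':').replace(/%2F/g, '/');
}

// Decide where a package came from, based only on its "resolved" string.
function classify(name, resolved) {
  if (!resolved) return { origin: 'unknown', qualifiers: {} };
  if (/^git[+:]/.test(resolved)) return { origin: 'vcs', qualifiers: { vcs_url: resolved } };
  if (!/^https?:\/\//.test(resolved)) return { origin: 'unknown', qualifiers: {} }; // file:, link, ...
  const url = new URL(resolved);
  if (url.hostname === PUBLIC_REGISTRY_HOST) return { origin: 'public-registry', qualifiers: {} };
  // Registry base = everything before "/<name>/-/<tarball>"; fall back to the URL origin.
  const cut = resolved.indexOf(`/${name}/-/`);
  const base = cut === -1 ? url.origin : resolved.slice(0, cut);
  return { origin: 'custom-registry', qualifiers: { repository_url: base } };
}

function componentsFromLock(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project and workspace entries
    const name = path.slice(idx + 'node_modules/'.length);
    const { origin, qualifiers } = classify(name, entry.resolved);
    const qs = Object.entries(qualifiers).map(([k, v]) => `${k}=${encodeQualifier(v)}`).join('&');
    const encodedName = name.split('/').map(encodeURIComponent).join('/'); // '@' -> %40
    const purl = `pkg:npm/${encodedName}@${encodeURIComponent(entry.version)}${qs ? '?' + qs : ''}`;
    out.push({ name, origin, purl });
  }
  return out;
}

for (const c of componentsFromLock(sampleLock)) console.log(c.origin.padEnd(16), c.purl);
```

`resolved` only records where the tarball was fetched from: a package pulled through an Artifactory or Nexus proxy of the public registry shows the proxy host, so telling "also on public npm" from "private only" still needs a separate lookup against the public registry.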