Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Executing npm sbom... takes the metadata.component.name from the current working directory
This leads to a false component name in certain CI/CD scenarios e.g. Azure DevOps where the source is checked out under the s directory, hence the component name is s.
This all happens even though the package.json exists and has the correct name, indeed running
returns the correct information.
Expected Behavior
npm sbom should use the package.json to infer the component name, not the current directory
Steps To Reproduce
Example
- Checkout source to directory s, i.e. the root is s
- Source contains package.json with the relevant correct information
- Install dependencies
- Run npm sbom --sbom-format=cyclonedx --sbom-type=library --omit dev
...
  "component": {
    "bom-ref": "devopstest@1.0.61",
    "type": "library",
    "name": "s",
    "version": "1.0.61",
    "scope": "required",
    "description": "Test repository for DevOps",
    "purl": "pkg:npm/devopstest@1.0.1",
    "properties": [],
...
Environment
- npm: 11.9.0
- Node.js: v24.14.0
- OS Name: MacOS