fix: explicitely prevent self-references in dependency graph (#1472)

jkowalleck · web-flow · commit 8923e0cfbc0a · 2025-11-11T14:00:22.000+01:00
Signed-off-by: Jan Kowalleck &lt;jan.kowalleck@gmail.com&gt;
diff --git a/HISTORY.md b/HISTORY.md
@@ -6,6 +6,11 @@ All notable changes to this project will be documented in this file.
 
 <!-- unreleased changes go here -->
 
+* Fixed
+  * Explicitly prevent self-reference dependency graph (via [#1472]) 
+
+[#1472]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1472
+
 ## 5.2.2 - 2025-11-11
 
 * Fixed
diff --git a/src/extractor.ts b/src/extractor.ts
@@ -129,7 +129,7 @@ export class Extractor {
     for (const [module, component] of modulesComponents) {
       for (const dependencyModule of module.dependencies.map(d => this.#compilation.moduleGraph.getModule(d)).filter(isNonNullable)) {
         const dependencyBomRef = modulesComponents.get(dependencyModule)?.bomRef
-        if (dependencyBomRef !== undefined) {
+        if (dependencyBomRef !== undefined && dependencyBomRef !== component.bomRef) {
           component.dependencies.add(dependencyBomRef)
         }
       }

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ export class Extractor {`
`129`	`129`	`for (const [module, component] of modulesComponents) {`
`130`	`130`	`for (const dependencyModule of module.dependencies.map(d => this.#compilation.moduleGraph.getModule(d)).filter(isNonNullable)) {`
`131`	`131`	`const dependencyBomRef = modulesComponents.get(dependencyModule)?.bomRef`
`132`		`- if (dependencyBomRef !== undefined) {`
	`132`	`+ if (dependencyBomRef !== undefined && dependencyBomRef !== component.bomRef) {`
`133`	`133`	`component.dependencies.add(dependencyBomRef)`
`134`	`134`	`}`
`135`	`135`	`}`