feat!: 5.0

.github/dependabot.yml

@@ -3,7 +3,9 @@
 version: 2
 updates:
   - package-ecosystem: 'npm'
-    directory: '/'
+    directories:
+      - '/.'
+      - '/tools/code-style'
     schedule:
       interval: 'weekly'
       day: 'saturday'
@@ -44,11 +46,13 @@ updates:
         patterns:
           - 'eslint'
           - '@eslint/*'
+          - '*-eslint'
           - 'eslint-*'
+          - '@types/eslint'
+          - '@types/eslint-*'
+          - '@types/*-eslint'
           - '@eslint-community/*'
           - '@typescript-eslint/*'
-          - '@types/eslint'
-          - '@types/eslint*'
       webpack:
         patterns:
           - 'webpack'

.github/workflows/nodejs.yml

@@ -20,7 +20,7 @@ concurrency:
 
 env:
   REPORTS_DIR: CI_reports
-  NODE_ACTIVE_LTS: "20" # https://nodejs.org/en/about/releases/
+  NODE_ACTIVE_LTS: "22" # https://nodejs.org/en/about/releases/
   TESTS_REPORTS_ARTIFACT: tests-reports
 
 jobs:
@@ -54,7 +54,7 @@ jobs:
   test-standard:
     name: test standard
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 10
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
@@ -67,9 +67,34 @@ jobs:
           # cache: "npm"
           # cache-dependency-path: "**/package-lock.json"
       - name: setup project
-        run: npm i --ignore-scripts
+        run: |
+          npm install --ignore-scripts --loglevel=silly
+      - name: setup tools
+        run: |
+          echo "::group::install code-style deps"
+          npm run -- dev-setup:code-style --ignore-scripts --loglevel=silly
+          echo "::endgroup::"
+      - name: make reports dir
+        run: mkdir -p "$REPORTS_DIR"
       - name: test
-        run: npm run test:standard
+        run: >
+          npm run -- test:standard
+          --format json
+          --output-file "$PWD/$REPORTS_DIR/eslint.json"
+      - name: Annotate Code
+        if: ${{ failure() || success() }}
+        # see https://github.com/DerLev/eslint-annotations
+        uses: DerLev/eslint-annotations@v2
+        with:
+          eslint-report: ${{ env.REPORTS_DIR }}/eslint.json
+      - name: artifact eslint result
+        # see https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v4
+        if: ${{ failure() }}
+        with:
+          name: ${{ env.STANDARD_REPORTS_ARTIFACT }}
+          path: ${{ env.REPORTS_DIR }}
+          if-no-files-found: error
 
   test-jest:
     needs: [ 'build' ]
@@ -83,12 +108,10 @@ jobs:
         node-version:
           # action based on https://github.com/actions/node-versions/releases
           # see also: https://nodejs.org/en/about/previous-releases
-          - "22.4"      # current -- pinned for https://github.com/npm/cli/issues/7666
-          - "20"      # active LTS
-          - "18"
-          - '16'
-          - "14"
-          - "14.0.0"  # lowest supported
+          - "23"      # current
+          - "22"      # active LTS
+          - "20"
+          - "20.18.0" # lowest supported
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
@@ -114,25 +137,7 @@ jobs:
         shell: bash
         run: |
           set -ex
-          dep_constraints=''
           dev_requirements='c8 jest jest-junit imurmurhash fast-glob'
-          # as long as npm cannot auto-resolve engine-constraints, we need to help here
-          case '${{ matrix.node-version }}' in
-            '14')
-              dep_constraints='normalize-package-data@^5'
-            ;;
-            '14.0.0')
-              dep_constraints='normalize-package-data@^3'
-              dev_requirements='c8@^8 jest@^26 jest-junit imurmurhash fast-glob'
-              # cannot run snapshot-compare with old versions ...
-              rm -rf tests/integration/__snapshots__/
-            ;;
-          esac
-          ## !! dont install all the dev-packages, especially since some are not runnable on node 14.0.0
-          if [[ -n "$dep_constraints" ]]
-          then
-            npm add --ignore-scripts --omit=peer --omit=dev --only=prod --production --loglevel=silly --save $dep_constraints
-          fi
           npm i --ignore-scripts --omit=peer --omit=dev --only=prod --production --loglevel=silly
           ## rebuild deps for which scripts were ignored, or partially installed - since "ignore-scripts" was used
           npm rebuild --loglevel=silly libxmljs2 || npm uninstall --no-save libxmljs2 || true

.github/workflows/release.yml

@@ -34,7 +34,7 @@ env:
   REPORTS_DIR: CI_reports
   PACKED_DIR: CI_packed
   PACKED_ARTIFACT: packed
-  NODE_ACTIVE_LTS: "20"
+  NODE_ACTIVE_LTS: "22"
 
 jobs:
   bump:

CONTRIBUTING.md

@@ -5,12 +5,12 @@ But please read the
 [CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md)
 first.
 
-## Setup
+## Set up the project
 
-To start developing simply run to install dev-dependencies and tools:
+Install dependencies:
 
 ```shell
-npm ci
+npm run dev-setup
 ```
 
 This will install process automatically build the project from source.

HISTORY.md

@@ -6,6 +6,20 @@ All notable changes to this project will be documented in this file.
 
 <!-- unreleased changes go here -->
 
+* BREAKING Changes
+  * Dropped support for `node<20.18.0` ([#1362] via [#1365])
+* Documentation
+  * Fixed docs of default values (via [#1369]) 
+* Dependencies
+  * Upgraded runtime-dependency `@cyclonedx/cyclonedx-library@^8.0.0`, was `@^7.0.0` (via [#1367])
+  * Upgraded runtime-dependency `normalize-package-data@^7.0.0`, was `@^3||^4||^5||^6` (via [#1368])
+
+[#1362]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/issues/1362
+[#1365]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1365
+[#1367]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1367
+[#1368]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1368
+[#1369]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1369
+
 ## 4.0.1 - 2025-01-29
 
 * Fixed

README.md

@@ -19,7 +19,7 @@ that are actually used (after [tree-shaking](https://webpack.js.org/guides/tree-
 
 ## Requirements
 
-* _Node.js_ `>= 14`
+* _Node.js_ `>= 20.18`
 * _webpack_ `^5`
 
 However, there are older versions of this plugin, that support

eslint.config.mjs

@@ -0,0 +1,106 @@
+/*!
+This file is part of CycloneDX Webpack plugin.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import { default as baseCfg, globals } from './tools/code-style/eslint.config.mjs'
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+
+/* eslint-disable jsdoc/valid-types */
+
+/**
+ * @type {import('tools/code-style/node_modules/eslint').Linter.Config[]}
+ * @see https://eslint.org
+ */
+export default [
+  ...baseCfg,
+  {
+    name: 'project-specific',
+    rules: {
+      "complexity": ["error", { "max": 15 }]
+    }
+  },
+  {
+    name: 'project-specific',
+    files: ['src/*.ts'],
+    rules: {
+      '@typescript-eslint/no-unsafe-assignment': 'warn',
+      '@typescript-eslint/no-unsafe-member-access': 'warn',
+    }
+  },
+  {
+    files: ['**/*.js'],
+    languageOptions: { sourceType: 'commonjs' }
+  },
+  {
+    files: ['{src,tests}/**/*!(.{node,web}).{js,mjs,cjs.ts}'],
+    languageOptions: {
+      globals: {
+        ...globals.browser,
+        ...globals.node
+      }
+    }
+  },
+  {
+    files: [
+      '**/*.{test,spec}.{js,mjs,cjs,ts}',
+      'tests/**.{js,mjs,cjs,ts}'
+    ],
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...globals.jest,
+      }
+    }
+  },
+  {
+    files: ['src/**/*.ts'],
+    languageOptions: {
+      parserOptions: {
+        project: path.join(__dirname, 'tsconfig.json'),
+      },
+    },
+  },
+  {
+    files: ['examples/**/*.{js,mjs,cjs,ts}'],
+    rules: {
+      'no-console': 'off'
+    },
+    languageOptions: {
+      globals: globals.browser
+    }
+  },
+  {
+    // global ignores must have nothing but a "ignores" property!
+    // see https://github.com/eslint/eslint/discussions/17429#discussioncomment-6579229
+    ignores: [
+      'reports/',
+      'dist/',
+      'docs/api/',
+      'docs/_build/',
+      'docs/.venv/',
+      'examples/**/dist/',
+      'tools/',
+      'tests/integration/'
+    ],
+  },
+]

examples/simple/src/index.js

@@ -17,7 +17,7 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-const { Tooltip, Toast, Popover } = require('bootstrap')
+const { Popover, Toast, Tooltip } = require('bootstrap')
 
 // no real world use, but showcase
 

examples/simple/webpack.config.js

@@ -17,10 +17,12 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-const path = require('path')
+const path = require('node:path')
 
 const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin')
 
+/* eslint-disable jsdoc/valid-types */
+
 /** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
 const cycloneDxWebpackPluginOptions = {
   specVersion: '1.6',