Closed ncucinotta-reply closed 1 week ago
This is an interesting bug. It appears like these old versions do not use a lock file, so they are not reproducible.
https://www.npmjs.com/package/@cyclonedx/cdxgen/v/8.6.0?activeTab=code
In general, we can only support the current major version. You can try using our container image which is immutable.
I have pushed 8.6.3 with some fixes (and test failures). Hopefully it works. We seriously do not have the funding, bandwidth, time, etc to maintain v8, when the current version is v10 and v11 is due later this year.
Hey @prabhu,
we're getting now
```
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE package: '@cyclonedx/cdxgen@8.6.3',
npm warn EBADENGINE required: { node: '>=12.0.0 <17.0.0' },
npm warn EBADENGINE current: { node: 'v18.20.4', npm: '10.7.0' }
npm warn EBADENGINE }
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
```
when installing cdxgen 8.6.3 :(
@heubeck can you not use v9 or above, since you have node 18? What exactly is the barrier to upgrade to v10?
ok, sorry, was confused by myself. we're using v10...
but when running `npm install -g @cyclonedx/cdxgen` or `npm install -g @cyclonedx/cdxgen@latest` it isn't actually latest:
Oh dear. Looks like npmjs is assuming the last release to be the latest. Can you explicitly specify the version number while I investigate this?
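The comments above describe the `latest` tag resolving to the 8.6.3 backport instead of the current major, which is what an unpinned `npm install -g` then pulls into a pipeline. The following is an added example, not code from cdxgen or from anyone in this thread: it checks registry metadata for that drift and shows why an exact pin is unaffected. The metadata is constructed in the shape of the registry's `dist-tags` and `versions` fields; the 10.x version numbers and all function names are assumptions.

```javascript
// Constructed metadata shaped like an npm packument. Only 8.6.0 and 8.6.3
// come from the thread; the 10.x entries are made up for illustration.
const samplePackument = {
  name: "@cyclonedx/cdxgen",
  "dist-tags": { latest: "8.6.3" },
  versions: { "8.6.0": {}, "8.6.3": {}, "10.0.0": {}, "10.1.0-beta.1": {} },
};

// Parse a plain MAJOR.MINOR.PATCH string; prereleases and junk return null.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two parsed versions (negative if a < b).
function compareStable(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Report whether `latest` points below the highest stable published version.
function checkLatestTag(packument) {
  const tagged = packument["dist-tags"].latest;
  const stable = Object.keys(packument.versions)
    .filter((v) => parseStable(v) !== null)
    .sort((x, y) => compareStable(parseStable(x), parseStable(y)));
  const highest = stable[stable.length - 1];
  const taggedParsed = parseStable(tagged);
  const drift =
    taggedParsed === null ||
    compareStable(taggedParsed, parseStable(highest)) < 0;
  return { tagged, highest, drift };
}

// What an install resolves to: no spec or "latest" follows the tag,
// an exact version is returned as given and ignores tag changes.
function resolve(packument, spec) {
  if (spec === undefined || spec === "latest") {
    return packument["dist-tags"].latest;
  }
  if (Object.prototype.hasOwnProperty.call(packument.versions, spec)) {
    return spec;
  }
  throw new Error(`no such version: ${spec}`);
}
```

Running `checkLatestTag` as a pipeline gate before any unpinned install turns a silent major-version downgrade into a build failure.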
We are using version 8.6.0 of cdxgen in our Jenkins pipelines for node projects, where the build environment is a Docker container with the required Node.js version `node:<project_version>`. Since yesterday (first known reported issue, might have started happening earlier in the month) we noticed this log in our `node:16.19.0` projects:

which leads to a generation issue:

A previous pipeline run log from the 8th of August, 2024, does not report the EBADENGINE warnings when installing `@cyclonedx/cdxgen@8.6.0`, and the SBOM generation proceeds without issues.

I have been able to reproduce the issue in a brand new docker container:
I would therefore like to know if there is any cdxgen version that currently supports Node 16 (and possibly Node 14), or any workaround to the reported issue in version 8.6.0. From the GitHub Page associated with this project, I could only see Node 20 referenced as a minimum runtime environment for your latest version, which we are currently unable to support in our legacy projects.
If necessary, we are able to upgrade/downgrade the cdxgen version. Thank you!