Closed SandZn closed 2 years ago
Which OS did you use? Which version of node did you use? Which version of NPM did you use?
Could you provide the npm lock file? Otherwise we don't have a reproducible setup, because the dependencies I would install could be different from the ones you installed. This is critical for reproduction.
Sure.
OS: MacOS 12.3.1
node: v16.14.0
npm: 8.5.5
package-lock.json: https://jsonblob.com/1033364954815938560
Your lockfile states that level-concat-iterator is required by node_modules/abstract-leveldown at around line 33.
And NPM knows that, too.
npm ls --omit dev --all --long showed:
memdown@6.1.1
│
├─┬ abstract-leveldown@7.2.0
│ │
│ ├─┬ level-concat-iterator@3.1.0
│ │ │
│ │ └── catering@2.1.1 deduped
Conclusion: actually the level-concat-iterator seems to be a prod dependency of abstract-leveldown.
So the SBOM result seems about right.
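The check described in the comment above can be done directly on the lockfile. This is an added example, not code from the thread or from cyclonedx-npm: it walks only production edges of a lockfile "packages" map and reports the chain that keeps a package in an --omit dev tree. The lock data is a constructed sample using the package names and versions quoted above; the version ranges, example-dev-tool, resolve, prodParents and whyProd are hypothetical.

```javascript
// Constructed sample shaped like the "packages" map of a v2 package-lock.json (not the reporter's file).
const lock = { packages: {
  "": { name: "memdown", version: "6.1.1",
    dependencies: { "abstract-leveldown": "^7.2.0" },
    // Assumption for this sample: the root lists the package under devDependencies.
    devDependencies: { "level-concat-iterator": "^3.0.0", "example-dev-tool": "^1.0.0" } },
  "node_modules/abstract-leveldown": { version: "7.2.0",
    dependencies: { "catering": "^2.0.0", "level-concat-iterator": "^3.0.0" } },
  "node_modules/level-concat-iterator": { version: "3.1.0", dependencies: { "catering": "^2.1.0" } },
  "node_modules/catering": { version: "2.1.1" },
  "node_modules/example-dev-tool": { version: "1.0.0", dev: true }, // hypothetical dev-only package
} };

// Node-style resolution: look in the dependent's own node_modules, then walk up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

// Breadth-first walk from the root over production edges only; devDependencies are never followed.
function prodParents(packages) {
  const via = new Map([["", null]]);
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    const edges = { ...packages[from].dependencies, ...packages[from].optionalDependencies };
    for (const name of Object.keys(edges)) {
      const to = resolve(packages, from, name);
      if (to !== null && !via.has(to)) { via.set(to, from); queue.push(to); }
    }
  }
  return via;
}

// Chain of production dependents that keeps `path` in an --omit dev tree, or null if dev-only.
function whyProd(lock, path) {
  const via = prodParents(lock.packages);
  if (!via.has(path)) return null;
  const chain = [];
  for (let p = path; p !== null; p = via.get(p))
    chain.unshift(p === "" ? lock.packages[""].name : p.split("node_modules/").pop());
  return chain.join(" > ");
}
```

A package that the root lists only under devDependencies still belongs in a production SBOM when whyProd returns a chain for it, because some production dependency requires it transitively.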
Please try this package memdown.
After I ran cyclonedx-npm --omit dev --output-file newbom.json, I got an extra devDependency (level-concat-iterator) that is mixed with the dependencies.