The build-public command is meant to delete components marked as internal. It isn't documented what it does with non-internal components nested inside those internal components.

The tool should probably either:

1. Delete nested components and remove them from the dependency tree the same way as internal components. This is likely the more logical choice, as users might expect components bundled inside internal components to also disappear from the SBOM.
2. Leave nested components in the SBOM and move them up to the parent scope.

Instead, here is what actually happens:

- Delete any component marked as internal, including the components nested inside it.
- Remove dependencies on the internal component.
- Do not remove dependencies on the nested components, leaving behind dependency references to components that aren't part of the SBOM anymore.

We should choose one of the options above, implement it and make it explicit in the documentation.
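As an added illustration (not the tool's own code), the following Python models the reported behaviour and option 1 on a constructed CycloneDX-style SBOM, with a consistency check that flags the dangling dependency references. The JSON shape, the `internal` marker and all function names are assumptions.

```python
import copy
# Constructed sample in a CycloneDX-like shape (assumption: the real tool's
# format and "internal" marker may differ). Nested components sit under a
# parent's "components" list; "dependencies" maps a ref to what it depends on.
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "app"},
        {"bom-ref": "internal-lib", "internal": True,
         "components": [{"bom-ref": "nested-dep"}]},
        {"bom-ref": "public-lib"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["internal-lib", "public-lib"]},
        {"ref": "internal-lib", "dependsOn": ["nested-dep"]},
        {"ref": "public-lib", "dependsOn": ["nested-dep"]},
        {"ref": "nested-dep", "dependsOn": []},
    ],
}
def collect_refs(components):
    # Every bom-ref in the list, descending into nested component lists.
    for c in components:
        yield c["bom-ref"]
        yield from collect_refs(c.get("components", []))
def prune_internal(components):
    # Drop internal components together with everything nested inside them.
    return [dict(c, components=prune_internal(c["components"])) if "components" in c else c
            for c in components if not c.get("internal")]
def filter_deps(deps, keep):
    # Keep only dependency entries and edges whose refs are in `keep`.
    return [{"ref": d["ref"], "dependsOn": [x for x in d.get("dependsOn", []) if x in keep]}
            for d in deps if d["ref"] in keep]
def build_public(sbom, fixed=True):
    """fixed=False reproduces the reported behaviour (only edges to the internal
    components themselves are pruned); fixed=True prunes against what is left."""
    out = copy.deepcopy(sbom)
    # Simplification: internal markers are only looked up at the top level here.
    internal = {c["bom-ref"] for c in out["components"] if c.get("internal")}
    out["components"] = prune_internal(out["components"])
    keep = (set(collect_refs(out["components"])) if fixed
            else set(collect_refs(sbom["components"])) - internal)
    out["dependencies"] = filter_deps(out["dependencies"], keep)
    return out
def dangling_refs(sbom):
    # Consistency check: dependency refs that point at no component in the SBOM.
    present = set(collect_refs(sbom["components"]))
    refs = {d["ref"] for d in sbom["dependencies"]}
    refs |= {x for d in sbom["dependencies"] for x in d.get("dependsOn", [])}
    return sorted(refs - present)
```

Running `dangling_refs` over the output is the check a CI step could apply to any build-public result regardless of which option gets implemented.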