aspect-build / rules_js

High-performance Bazel rules for running Node.js tools and building JavaScript projects
https://docs.aspect.build/rules/aspect_rules_js
Apache License 2.0

[FR]: Expose `PackageInfo` from imported rules #1842

Open shs96c opened 1 month ago

shs96c commented 1 month ago

What is the current behavior?

The current rules do not expose a `PackageInfo` from targets generated from npm imports.

Describe the feature

When constructing an SBOM, one of the key things we need is information about where dependencies come from, and the licenses that they contain. rules_license offers a PackageInfo which exposes this information (especially the purl) which allows one to generate this information. It would be helpful for rules_js to expose this.

alexeagle commented 1 month ago

Note that I did an experiment for this at the PackagingCon hackathon last year: https://github.com/bazelbuild/examples/compare/main...sbom

shs96c commented 1 month ago

I don't see how that adds the PackageInfo to the packages imported from pnpm.