Open shs96c opened 1 month ago
Note that I did an experiment for this at the PackagingCon hackathon last year: https://github.com/bazelbuild/examples/compare/main...sbom
I don't see how that adds the PackageInfo to the packages imported from pnpm.
What is the current behavior?
The current rules do not expose a PackageInfo from targets generated from npm imports.
Describe the feature
When constructing an SBOM, one of the key things we need is information about where dependencies come from, and the licenses that they contain.
rules_license offers a PackageInfo which exposes this information (especially the purl) which allows one to generate this information. It would be helpful for rules_js to expose this.