Skip to main content

Software Bill of Materials (SBOM)

A Software Bill of Materials is a machine-readable inventory of everything a package ships and depends on — every transitive dependency, its version, and its license. We publish one for each release of the mailwoman package in both of the open SBOM standards, so downstream teams can run their own supply-chain, license, and vulnerability tooling against Mailwoman without taking our word for anything.

Published artifacts

These document the production dependency closure of the top-level mailwoman package as published to npm — concrete versions, 389 transitive dependencies, development-only dependencies excluded (consumers never install those).

StandardSpec versionFile
SPDX2.3mailwoman-5.10.1.spdx.json (dataLicense: CC0-1.0)
CycloneDX1.5mailwoman-5.10.1.cdx.json

Both files are generated with the built-in npm sbom command (npm ≥ 9.5) — no third-party tooling in the trust path.

Standards adherence

We validate these files against each standard's reference tooling on every regeneration. The commands and their results:

SPDX — validated with the SPDX project's own reference library, spdx-tools (pyspdxtools, v0.8.5):

$ uvx --from spdx-tools pyspdxtools -i docs/static/sbom/mailwoman-5.10.1.spdx.json
$ echo $?
0

A zero exit with no reported issues is a clean pass.

CycloneDX — validated with the official cyclonedx-cli (v0.27.2) against the CycloneDX 1.5 JSON schema:

$ cyclonedx-cli validate --input-file docs/static/sbom/mailwoman-5.10.1.cdx.json --fail-on-errors
BOM validated successfully.

Regenerating

A single script produces and normalizesnormalizeStage 1 of the runtime pipeline: deterministic input preprocessing (Unicode NFC, punctuation normalization, whitespace collapse). Returns a NormalizedInput with an offsetMap that maps normalized positions back to the raw input. both files:

$ node scripts/generate-sbom.ts # documents the mailwoman version in this repo
$ node scripts/generate-sbom.ts --version 5.10.1

The generator packs the published tarball, installs its production closure, and runs npm sbom for each format, writing to docs/static/sbom/. It applies two small normalizations to npm's SPDX output so it passes the SPDX reference validator: the created timestamp is truncated to whole seconds (SPDX 2.3 forbids fractional seconds) and _ in an SPDXID is rewritten to - (the SPDXID character set is letters, numbers, ., and -). See the header of scripts/generate-sbom.ts for the full rationale.

Future releases regenerate these artifacts as a post-publish step; the version-stamped filenames mean each release keeps its own SBOM rather than overwriting the last.