feat!: remove spdx expression validation (#1382)

<!--🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅

You can expedite processing of your PR by using this template to provide
context
and additional information. Before actually opening a PR please make
sure that it
does NOT fall into any of the following categories

🚫 Spam PRs (accidental or intentional) - these will result in a 30-days
or even
∞ ban from interacting with the project depending on reoccurrence and
severity.

🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only
be merged
if all other typos in the same file are also fixed with the same PR

🚫 If you fail to provide any _Description_ below, your PR will be
considered spam.
If you do not check the _Affirmation_ box below, your PR will not be
merged.

🚫 If you do not check one of the _AI Tool Disclosure_ boxes below, your
PR will
not be merged. If you used AI tools to assist you in writing code, but
fail to
provide the required disclosure, your PR will not be merged.

🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅-->

### Description

<!-- ✍️-->

* Constructor of `Contrib.License.Factories.LicenseFactory` got an
injectable argument `spdxExpressionValidate` for validating SPDX
Expressions
* Dependency `spdx-expression-parse` became a suggested (optional
peer-dependency) library
Used as an injectable in
`Contrib.License.Factories.LicenseFactory.constructor`.

Resolves or fixes issue: <!-- ✍️ Add GitHub issue number in format
`#0000` or `none` -->

### AI Tool Disclosure

- [x] My contribution does not include any AI-generated content
- [ ] My contribution includes AI-generated content, as disclosed below:
  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]`
- LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro
etc.]`
- Prompts: `[Summarize the key prompts or instructions given to the AI
tools]`

### Affirmation

- [x] My code follows the
[CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md)
guidelines

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

HISTORY.md

@@ -59,8 +59,12 @@ All notable changes to this project will be documented in this file.
   * Symbol `Contrib.FromNodePackageJson.Factories.PackageUrlFactory` ([#1348] via [#1378])
 * Changed
   * `Component.purl` is a `string` now, was `PackaheUrl` ([#1348] via [#1379])
+  * Constructor of `Contrib.License.Factories.LicenseFactory` got an injectable argument `spdxExpressionValidate` for validating SPDXExpressions ([#1348] via [#1382])  
+    Suggested implementation is `spdx-expression-parse`.
 * Dependencies
   * No longer depend on `packageurl-js@^2.0.1` ([#1348] via [#1378])
+  * Dependency `spdx-expression-parse` became a suggested (optional peer-dependency) library ([#1348] via [#1382])  
+    Used as an injectable in `Contrib.License.Factories.LicenseFactory.constructor`.
 * Build
   * Use _webpack_ `5.105.2` now, was `v5.103.0` (via [#1360], [#1374])
 * Chore
@@ -75,6 +79,7 @@ All notable changes to this project will be documented in this file.
 [#1378]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1378
 [#1379]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1379
 [#1380]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1380
+[#1382]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1382
 
 ## 9.4.1 -- 2025-12-04
 

examples/node/javascript/example.cjs

@@ -25,7 +25,10 @@ const CDX = require('@cyclonedx/cyclonedx-library')
 //    const { Bom, Component } = require('@cyclonedx/cyclonedx-library/Models')
 //    const { ComponentType } = require('@cyclonedx/cyclonedx-library/Enums')
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
+const spdxExpressionParser = require('spdx-expression-parse')
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(

examples/node/javascript/example.mjs

@@ -25,7 +25,10 @@ import * as CDX from '@cyclonedx/cyclonedx-library'
 //    import { Bom, Component } from '@cyclonedx/cyclonedx-library/Models'
 //    import { ComponentType } from '@cyclonedx/cyclonedx-library/Enums'
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
+import spdxExpressionParser from 'spdx-expression-parse'
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(

examples/node/javascript/package.json

@@ -8,6 +8,7 @@
   },
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "file:../../..",
+    "spdx-expression-parse": "^3.0.1||^4",
     "xmlbuilder2": "^3.0.2||^4.0.0"
   },
   "optionalDependencies": {

examples/node/typescript/example.cjs/package.json

@@ -8,6 +8,7 @@
   },
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "file:../../../..",
+    "spdx-expression-parse": "^3.0.1||^4",
     "xmlbuilder2": "^3.0.2||^4.0.0"
   },
   "optionalDependencies": {
@@ -18,6 +19,7 @@
   },
   "devDependencies": {
     "@types/node": "*",
+    "@types/spdx-expression-parse": "^3",
     "typescript": "^3.8 || ^4 || ^5"
   },
   "scripts": {

examples/node/typescript/example.cjs/src/example.ts

@@ -25,7 +25,10 @@ import * as CDX from '@cyclonedx/cyclonedx-library'
 //    import { Bom, Component } from '@cyclonedx/cyclonedx-library/Models'
 //    import { ComponentType } from '@cyclonedx/cyclonedx-library/Enums'
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
+import * as spdxExpressionParser from 'spdx-expression-parse'
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(

examples/node/typescript/example.mjs/package.json

@@ -8,6 +8,7 @@
   },
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "file:../../../..",
+    "spdx-expression-parse": "^3.0.1||^4",
     "xmlbuilder2": "^3.0.2||^4.0.0"
   },
   "optionalDependencies": {
@@ -18,6 +19,7 @@
   },
   "devDependencies": {
     "@types/node": "*",
+    "@types/spdx-expression-parse": "^3",
     "typescript": "^4 || ^5"
   },
   "scripts": {

examples/node/typescript/example.mjs/src/example.ts

@@ -25,7 +25,10 @@ import * as CDX from '@cyclonedx/cyclonedx-library'
 //    import { Bom, Component } from '@cyclonedx/cyclonedx-library/Models'
 //    import { ComponentType } from '@cyclonedx/cyclonedx-library/Enums'
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
+import spdxExpressionParser from 'spdx-expression-parse'
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(

examples/web/parcel/package.json

@@ -4,7 +4,8 @@
   "license": "Apache-2.0",
   "source": "src/index.html",
   "dependencies": {
-    "@cyclonedx/cyclonedx-library": "file:../../.."
+    "@cyclonedx/cyclonedx-library": "file:../../..",
+    "spdx-expression-parse": "^3.0.1||^4"
   },
   "devDependencies": {
     "parcel": "^2"

examples/web/parcel/src/app.js

@@ -22,7 +22,10 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 const CDX = require('@cyclonedx/cyclonedx-library')
 // full Library is available as `CDX`, now
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
+const spdxExpressionParser = require('spdx-expression-parse')
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(