feat: add switch --lockfile-only #490

Open
molikuner wants to merge 7 commits into CycloneDX:main from molikuner:support-package-lock-only

Conversation

@molikuner molikuner commented Mar 20, 2026

Description

Using the new --lockfile-only flag it's possible to generate an SBOM locally, without connecting to the internet, even if the dependencies aren't cached or are inaccessible at the moment. It purely depends on the local files.

Resolves or fixes issue: #49

AI Tool Disclosure

  • My contribution does not include any AI-generated content

Affirmation

Using this new flag it's possible to generate an SBOM locally, without
connecting to the internet, even if the dependencies aren't cached or
are inaccessible at the moment.

Signed-off-by: Florian Schreiber <florian.schreiber@free-now.com>
@molikuner molikuner requested a review from a team as a code owner March 20, 2026 14:54
@jkowalleck jkowalleck linked an issue Mar 23, 2026 that may be closed by this pull request
@jkowalleck
Member

love the implementation.
thank you very much for this.

could you add a README.md for the newly added testbed?

Signed-off-by: Florian Schreiber <florian.schreiber@free-now.com>
@molikuner
Author

Thanks @jkowalleck for looking at the PR. I've added a README.md to the testbed. Please let me know what you think.

@jkowalleck
Member

the implementation looks solid.
Could you update the project's README and add the updated yarn cyclonedx --help page?

Signed-off-by: Florian Schreiber <florian.schreiber@free-now.com>
@molikuner
Author

Sorry, I missed that before. I've now added the new option to the project's README. Do you want me to add anything else to the README?

@jkowalleck jkowalleck changed the title feat: introduce new --package-lock-only flag feat: add switch --package-lock-only Mar 25, 2026
@jkowalleck
Member

Thank you for taking care of the feature.
Implementation looks solid.

some things are still open:

Signed-off-by: Florian Schreiber <florian.schreiber@free-now.com>
@molikuner molikuner force-pushed the support-package-lock-only branch from cb5a2f9 to 7f02963 Compare March 25, 2026 10:32
@molikuner
Author

Thanks @jkowalleck for the review. I fixed the last commit missing the signoff. Please let me know in case anything else is missing.

@codacy-production

codacy-production Bot commented Apr 13, 2026

Up to standards ✅

🟢 Issues: 0 new issues

🟢 Metrics: duplication 0

@jkowalleck
Member

jkowalleck commented Apr 13, 2026

@molikuner i am still thinking about the switch's name.
What do you think suits better and is more natural to yarn?

  • --package-lock-only -- name borrowed from npm
  • --lockfile-only -

my concern - the word "package" in --package-lock-only is not quite right. it is a lock for the entire space, not just the package ...

@molikuner
Author

Hey @jkowalleck,
I fully agree. In fact I had first implemented the switch named --lockfile-only but later changed it to --package-lock-only as the issue #49 mentioned this exact name. If you agree, I would go ahead and change the name.

@jkowalleck
Member

Hey @jkowalleck,
I fully agree. In fact I had first implemented the switch named --lockfile-only but later changed it to --package-lock-only as the issue #49 mentioned this exact name. If you agree, I would go ahead and change the name.

Yes, please go ahead.

This change is to align the naming with yarn terminology. The previous
name was simply copied from npm.

Signed-off-by: Florian Schreiber <florian.schreiber@free-now.com>
@molikuner molikuner changed the title feat: add switch --package-lock-only feat: add switch --lockfile-only Apr 20, 2026
Signed-off-by: Florian Schreiber <florian.schreiber@free-now.com>
Development

Successfully merging this pull request may close these issues.

option to not interact with installed project(cache/fs)

2 participants