Do not close, waiting for 1.1.11 to come out of the pending state!

Output of pnpm why action:

@malice00 do you know what is better than pnpm why? Run cdxgen with --only filter! Since cdxgen supports github actions, pnpm etc we will get a filtered sbom with only the components and dependency tree we need for reviewing the PRs

--only may not work, since the tree would also get trimmed. We need cdxgen | ripgrep -A20 "search string"

Let me see what I can do...

@prabhu Is there a reason you are using 'ripgrep'?? Normal 'grep' gives the same results! But grepping with '-A20' is kind of random, imho... But we'll see if this works for us, we can always update again if the results are not quite as expected.

@malice00 happy with normal grep too. The idea is to make it present some surrounding lines from the sbom, including dependency trees. It could even be a contrib script in cdxgen that could use github api to get the changed lines and compute the equivalent diff in the sbom.

Running on GH-actions is useless, these are single components without any dependencies. Sticking with just checking for updates to the node dependencies.

cdxgen's support for github actions is quite basic. For example, after we started using the pin digest, cdxgen reports the digest as the version number and completely lose the semantic version. Therefore, tools like depscan and DT are unlikely to report any vulnerabilities :(

We have the version in the comment, so we can probably fix that relatively easy... But if it's not there, then we may need some other way to solve it -- not sure who has the information about vulnerabilities, but we maybe we can put the hash somewhere and use that?

v1.1.10 works as well. Merging and having renovate open a new PR for 1.1.11.

Good idea about collecting the hashes in the vulnerability data. Will look into this sometime.