
[BUG] npm sbom does not create suitable external references for git repository settings in some packages #9144

@andrewjmaguire

Description


Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm sbom does not create suitable external references for git repository settings in some packages.
For example, package @pkgjs/parseargs@0.11.0 has in its package.json file:

  "repository": {
    "type": "git",
    "url": "git@github.com:pkgjs/parseargs.git"
  },

However, npm sbom will create a component for this package with the following external reference:

      "externalReferences": [
        ...
        {
          "type": "vcs",
          "url": "git@github.com:pkgjs/parseargs.git"  
        },
        ...

The url is not in a valid format to meet RFC 3987.
This can also be seen failing the CycloneDX SBOM validation in Dependency-Track v4.13.5, i.e.

Error: $.components[264].externalReferences[1].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference
Error: $.components[264].externalReferences[1].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference
Error: $.components[264].externalReferences[1].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$
Error: $.components[264].externalReferences[1].url: does not match the iri-reference pattern must be a valid RFC 3987 IRI-reference
Error: $.components[264].externalReferences[1].url: does not match the regex pattern ^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$

Expected Behavior

Generated sbom file should be loadable into Dependency Track for example and pass its validation.

Steps To Reproduce

  1. nvm use 25
  2. npm sbom
  3. With some packages like parseargs
  4. Run 'npm sbom'
  5. Inspect output and look in components->externalReferences->url values that start with git@...

Environment

  • npm: 25
  • Node.js:
  • OS Name: ubuntu
  • System Model Name:
  • npm config:
; "project" config from /home/NAME/git/eroll/.npmrc

engine-strict = true

; node bin location = /home/NAME/.nvm/versions/node/v25.8.1/bin/node
; node version = v25.8.1
; npm local prefix = /home/NAME/git/eroll
; npm version = 11.11.0
; cwd = /home/NAME/git/eroll
; HOME = /home/NAME
; Run `npm config ls -l` to show all defaults.
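As an added illustration (not npm's own code, and not from the reporter), the snippet below shows one way to detect the problem described in this issue and one way to normalise the offending value. `normaliseVcsUrl` rewrites scp-like remotes such as `git@github.com:pkgjs/parseargs.git` to `git+ssh://git@github.com/pkgjs/parseargs.git`, following git's own reading of `[user@]host:path` (the choice of `git+ssh://` as the canonical form is an assumption here). `isIriReference` is an approximation of the CycloneDX `iri-reference` format check: it accepts anything the WHATWG URL parser accepts as absolute, and otherwise applies the RFC 3986 rule that a relative reference's first path segment must not contain a colon, which is exactly why the raw scp-like string is rejected. The sample BOM is constructed inline; the helper names are hypothetical.

```javascript
// Added example: detect and normalise invalid "vcs" externalReferences in a
// CycloneDX BOM shaped like the output of `npm sbom`. Not npm's code.

// scp-like git syntax: [user@]host:path, where host contains a dot, there is no
// scheme and the part after the colon does not start with "//". Git treats
// "example.com:8080/foo" as host=example.com, path=8080/foo, and so does this.
const SCP_LIKE = /^(?:([^@/:\s]+)@)?([^@/:\s]+\.[^@/:\s]+):(?!\/\/)(\S+)$/;
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Rewrite scp-like remotes to git+ssh:// (assumed canonical form); leave
// anything that already carries a scheme untouched.
function normaliseVcsUrl(raw) {
  const value = String(raw).trim();
  if (HAS_SCHEME.test(value)) return value;
  const m = SCP_LIKE.exec(value);
  if (!m) return value;
  const [, user, host, path] = m;
  const userPart = user ? `${user}@` : '';
  return `git+ssh://${userPart}${host}/${path.replace(/^\/+/, '')}`;
}

// Approximate RFC 3987 IRI-reference check:
//  - reject whitespace and characters that are never allowed unencoded;
//  - accept anything the WHATWG URL parser accepts as an absolute URL;
//  - otherwise treat it as a relative reference, whose first path segment
//    must not contain ':' (RFC 3986 section 4.2).
function isIriReference(value) {
  if (typeof value !== 'string' || /[\s<>"{}|\\^`]/.test(value)) return false;
  try {
    new URL(value);
    return true;
  } catch {
    // not an absolute URL, fall through to the relative-reference rule
  }
  const firstSegment = value.split(/[/?#]/, 1)[0];
  return !firstSegment.includes(':');
}

// Report every externalReferences[].url that fails the check, with a path in
// the same style as the Dependency-Track error messages quoted in the issue.
function findInvalidExternalReferences(bom) {
  const problems = [];
  (bom.components || []).forEach((component, ci) => {
    (component.externalReferences || []).forEach((ref, ri) => {
      if (!isIriReference(ref.url)) {
        problems.push({
          path: `$.components[${ci}].externalReferences[${ri}].url`,
          url: ref.url,
        });
      }
    });
  });
  return problems;
}

// Return a copy of the BOM with "vcs" reference URLs normalised.
function repairVcsReferences(bom) {
  return {
    ...bom,
    components: (bom.components || []).map((component) => ({
      ...component,
      externalReferences: (component.externalReferences || []).map((ref) =>
        ref.type === 'vcs' ? { ...ref, url: normaliseVcsUrl(ref.url) } : ref),
    })),
  };
}

// Constructed sample: a trimmed CycloneDX BOM with one component that carries
// the scp-like value from the issue and one that is already well-formed.
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    {
      type: 'library', group: '@pkgjs', name: 'parseargs', version: '0.11.0',
      externalReferences: [
        { type: 'website', url: 'https://github.com/pkgjs/parseargs#readme' },
        { type: 'vcs', url: 'git@github.com:pkgjs/parseargs.git' },
      ],
    },
    {
      type: 'library', name: 'example-ok', version: '1.0.0',
      externalReferences: [
        { type: 'vcs', url: 'git+https://github.com/example/example-ok.git' },
      ],
    },
  ],
};

console.log('before:', findInvalidExternalReferences(SAMPLE_BOM));
const repaired = repairVcsReferences(SAMPLE_BOM);
console.log('after :', findInvalidExternalReferences(repaired));
console.log('vcs url:', repaired.components[0].externalReferences[1].url);
```

Running the block prints one problem at `$.components[0].externalReferences[1].url` before the repair and none after. Note that `isIriReference` is deliberately conservative: it only tells you that a value cannot be an IRI-reference, it does not prove that a value which passes will resolve to anything useful.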

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)