docs(sbom): Correct option name and document remaining flags#783

Merged
zkochan merged 1 commit intopnpm:mainfrom
sh-cho:sbom
May 5, 2026
Conversation

@sh-cho
Contributor

@sh-cho sh-cho commented May 3, 2026

  • --format -> --sbom-format
  • Add other options in docs

Summary by CodeRabbit

  • Documentation
    • Updated pnpm sbom command documentation with revised usage examples demonstrating proper command syntax and option combinations for Software Bill of Materials generation.
    • Provided comprehensive and detailed descriptions of all available configuration flags and their usage for customizing SBOM output format, type, dependency filtering, and metadata configuration.

- `--format` -> `--sbom-format`
- Add other options in docs

Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
@vercel

vercel Bot commented May 3, 2026

@sh-cho is attempting to deploy a commit to the pnpm Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented May 3, 2026

📝 Walkthrough

The pnpm sbom CLI documentation was updated to reflect interface changes: --format was renamed to --sbom-format, usage examples were expanded, and new options including --sbom-type, --lockfile-only, --sbom-authors, --sbom-supplier, and package-scope selectors were documented.

Changes

SBOM CLI Documentation

  • Usage Examples (docs/cli/sbom.md): Command invocations updated from --format to --sbom-format; new examples added demonstrating --lockfile-only and --prod flag combinations.
  • Options Reference (docs/cli/sbom.md): Options section expanded to document --sbom-format <cyclonedx|spdx>, --sbom-type <library|application>, --lockfile-only, --sbom-authors, --sbom-supplier, and package-scope selectors (--prod/-P, --dev/-D, --no-optional).

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops with joy through docs so bright,
--format → --sbom-format now takes flight!
New flags bloom like clover green,
The clearest SBOM docs I've seen! 📋✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically summarizes the main changes: correcting the option name from --format to --sbom-format and documenting additional SBOM-related flags.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
docs/cli/sbom.md (2)

48-59: ⚡ Quick win

Document flag interaction/precedence for optional dependencies.

Right now:

  • --prod/-P says it includes optionalDependencies
  • --no-optional says it excludes optionalDependencies

But there’s no explicit note on what happens when both are provided. A short “--no-optional overrides optionalDependencies inclusion from --prod/-P” (or whatever the real precedence is) would remove ambiguity.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/cli/sbom.md` around lines 48 - 59, The docs for SBOM flags are ambiguous
about interaction between --prod/-P and --no-optional; update the section
describing --prod, -P, --dev, -D and --no-optional to add a single clear
sentence that specifies precedence (e.g., state that --no-optional always
overrides inclusion of optionalDependencies even if --prod/-P is passed),
referencing the flags --prod/-P, --dev/-D and --no-optional and the term
optionalDependencies so readers can find and understand the rule.

40-47: ⚡ Quick win

Clarify whether --sbom-authors / --sbom-supplier apply to SPDX too.

The docs currently state these are written to metadata.authors / metadata.supplier in the CycloneDX output. If the flags are also supported for SPDX (or are ignored), the behavior should be explicitly documented to avoid user confusion.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/cli/sbom.md` around lines 40 - 47, Update the SBOM docs for the flags
--sbom-authors and --sbom-supplier (the sections that currently say "Written to
`metadata.authors`" / "`metadata.supplier`" in the CycloneDX output) to
explicitly state their behavior for SPDX output as well: if these flags are
mapped into SPDX fields, document the exact SPDX properties used (e.g., "Written
to SPDX `documentNamespace`/`creator` or `creators`" or whatever mapping your
code implements); if they are ignored for SPDX, state that they are only applied
to CycloneDX output and are ignored for SPDX. Mention the flags by name
(--sbom-authors, --sbom-supplier) so readers can locate the relevant doc
sections.
📥 Commits

Reviewing files that changed from the base of the PR and between 1a990a1 and 8dad0d7.

📒 Files selected for processing (1)
  • docs/cli/sbom.md

Comment thread docs/cli/sbom.md
Comment on lines +26 to +29
### --sbom-format &lt;cyclonedx|spdx\>

The SBOM format to generate. Supported values: `cyclonedx`, `spdx`.
The SBOM output format. This option is required. Supported values: `cyclonedx`, `spdx`.
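Review bot: the heading `### --sbom-format &lt;cyclonedx|spdx\>` escapes the closing angle bracket with a stray backslash while the opening bracket is written as an entity, so the placeholder risks rendering with a literal `\`; drop the backslash so it reads `&lt;cyclonedx|spdx&gt;`, matching the other option headings. The option is also described twice in this hunk ("The SBOM format to generate. Supported values: ..." and "The SBOM output format. This option is required. Supported values: ..."); if both lines are intended to remain, merge them into a single sentence that keeps the note that the option is required.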

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed escaped placeholders (likely stray \ before >).

In the option headings, the argument placeholders include a trailing backslash (e.g. &lt;cyclonedx|spdx\&gt;, &lt;library|application\&gt;, &lt;names\&gt;, &lt;name\&gt;). That can render incorrectly in the docs.

🛠️ Proposed fix
-### --sbom-format &lt;cyclonedx|spdx\&gt;
+### --sbom-format &lt;cyclonedx|spdx&gt;

-### --sbom-type &lt;library|application\&gt;
+### --sbom-type &lt;library|application&gt;

-### --sbom-authors &lt;names\&gt;
+### --sbom-authors &lt;names&gt;

-### --sbom-supplier &lt;name\&gt;
+### --sbom-supplier &lt;name&gt;

Also applies to: 30-35, 40-47

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/cli/sbom.md` around lines 26 - 29, The option heading placeholders in
docs/cli/sbom.md include stray backslashes before the closing angle entity
(e.g., "### --sbom-format &lt;cyclonedx|spdx\&gt;") which can render
incorrectly; remove the extraneous "\" before each "&gt;" so headings like
"--sbom-format &lt;cyclonedx|spdx&gt;", "--sbom-type
&lt;library|application&gt;", and the name/list placeholders "&lt;names&gt;" and
"&lt;name&gt;" (appearing around the blocks you flagged, lines ~26–47) use
properly escaped HTML entities without the backslash.

@zkochan zkochan merged commit 511fffe into pnpm:main May 5, 2026
2 of 3 checks passed