CycloneDX · jkowalleck · Mar 2, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
@@ -364,9 +364,6 @@ jobs:
       - name: run example
         run: node -- 'example.${{ matrix.js-type }}'
         working-directory: ${{ env.EXAMPLE_DIR }}
-      - name: run deprecated
-        run: node -- 'deprecated.${{ matrix.js-type }}'
-        working-directory: ${{ env.EXAMPLE_DIR }}
 
   example-TS:
     needs: [ 'build' ]

@@ -6,6 +6,84 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* BREAKING changes
+  * Removed deprecated symbols
+  * Removed PackageUrl factories
+  * No longer use external standards' implementations directly
+* Removed
+  * Entrypoint `Builders` (via [#1377])
+  * Entrypoint `Factories` (via [#1377])
+  * Entrypoint `Utils` (via [#1377])
+  * Entrypoint `Contrib/PackageUrl` (via [#1378])
+  * Deprecated symbol `Builders` ([#1346] via [#1377])
+  * Deprecated symbol `Builders.FromNodePackageJson` ([#1346] via [#1377])
+  * Deprecated symbol `Builders.FromNodePackageJson.ToolBuilder` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Builders.ToolBuilder` instead.
+  * Deprecated symbol `Builders.FromNodePackageJson.ComponentBuilder` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Builders.ComponentBuilder` instead.
+  * Deprecated symbol `Factories` ([#1346] via [#1377])
+  * Deprecated symbol `Factories.FromNodePackageJson` ([#1346] via [#1377])
+  * Deprecated symbol `Factories.FromNodePackageJson.ExternalReferenceFactory` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Factories.ExternalReferenceFactory` instead.
+  * Deprecated symbol `Factories.FromNodePackageJson.PackageUrlFactory` ([#1346] via [#1377])  
+    Use `packageurl-js` downstream.
+  * Deprecated symbol `Factories.LicenseFactory` ([#1346], [#1348] via [#1377], [#1378])  
+    Use `Contrib.License.Factories.LicenseFactory` instead.
+  * Deprecated symbol `Factories.PackageUrlFactory` ([#1346] via [#1377])  
+    Use `packageurl-js` downstream.
+  * Deprecated symbol `Types.NodePackageJson` ([#1346], [#1348] via [#1377], [#1378])  
+    Use `Contrib.FromNodePackageJson.Types.NodePackageJson` instead.
+  * Deprecated symbol `Types.assertNodePackageJson` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Types.assertNodePackageJson` instead.
+  * Deprecated symbol `Types.isNodePackageJson` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Types.isNodePackageJson` instead.
+  * Deprecated symbol `Utils` ([#1346] via [#1377])
+  * Deprecated symbol `Utils.BomUtility` ([#1346] via [#1377])
+  * Deprecated symbol `Utils.BomUtility.randomSerialNumber` ([#1346] via [#1377])  
+    Use `Contrib.Bom.Utils.randomSerialNumber` instead.
+  * Deprecated symbol `Utils.LicenseUtility` ([#1346] via [#1377])
+  * Deprecated symbol `Utils.LicenseUtility.FsUtils` ([#1346] via [#1377])  
+    Use `Contrib.License.Utils.FsUtils` instead.
+  * Deprecated symbol `Utils.LicenseUtility.PathUtils` ([#1346] via [#1377])
+  * Use `Contrib.License.Utils.PathUtils` instead.
+  * Deprecated symbol `Utils.LicenseUtility.FileAttachment` ([#1346] via [#1377])  
+    Use `Contrib.License.Utils.FileAttachment` instead.
+  * Deprecated symbol `Utils.LicenseUtility.ErrorReporter` ([#1346] via [#1377])  
+    Use `Contrib.License.Utils.ErrorReporter` instead.
+  * Deprecated symbol `Utils.LicenseUtility.LicenseEvidenceGatherer` ([#1346] via [#1377])  
+    Use `Contrib.License.Utils.LicenseEvidenceGatherer` instead.
+  * Deprecated symbol `Utils.NpmjsUtility` ([#1346] via [#1377])
+  * Deprecated symbol `Utils.NpmjsUtility.parsePackageIntegrity` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Utils.parsePackageIntegrity` instead.
+  * Deprecated symbol `Utils.NpmjsUtility.defaultRegistryMatcher` ([#1346] via [#1377])  
+    Use `Contrib.FromNodePackageJson.Utils.defaultRegistryMatcher` instead.
+  * Symbol `Contrib.PackageUrl.Factories.PackageUrlFactory` ([#1348] via [#1378])  
+    Use `packageurl-js` downstream.
+  * Symbol `Contrib.FromNodePackageJson.Factories.PackageUrlFactory` ([#1348] via [#1378])  
+    Use `packageurl-js` downstream.
+  * Symbol `SPDX.isValidSpdxLicenseExpression` ([#1348] via [#1382])  
+    Use package `spdx-expression-parse` instead.
+* Changed
+  * `Component.purl` is a `string` now, was `PackaheUrl` ([#1348] via [#1379])
+  * Constructor of `Contrib.License.Factories.LicenseFactory` got an injectable argument `spdxExpressionValidate` for validating SPDX License Expressions ([#1348] via [#1382])  
+    Suggested implementation is `spdx-expression-parse`.
+* Dependencies
+  * Dependency `packageurl-js` became a suggested (optional peer-dependency) library ([#1348] via [#1378])  
+    You may use it to craft and parse PackageURLs downstream.
+  * Dependency `spdx-expression-parse` became a suggested (optional peer-dependency) library ([#1348] via [#1382])  
+    Used as an injectable in `Contrib.License.Factories.LicenseFactory.constructor`.
+* Chore
+  * Set dev-engines in `package.json` ([#1301] via [#1380])
+
+[#1301]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1301
+[#1346]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1346
+[#1348]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1348
+[#1377]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1377
+[#1378]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1378
+[#1379]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1379
+[#1380]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1380
+[#1382]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1382
+
 ## 9.5.0 -- 2026-03-02
 
 * Added

@@ -82,7 +82,6 @@ written in _TypeScript_ and compiled for the target.
   * Gather license evidences from files (for _Node.js_ only)
 * Factories for the following use cases:
   * Create data models from any license descriptor string
-  * Create `PackageURL` from `Component` data models
   * Specific to _Node.js_: create data models from PackageJson-like data structures and derived data
 * Builders for the following use cases:
   * Specific to _Node.js_: create deep data models `Tool` or `Component` from PackageJson-like data structures
@@ -135,6 +134,12 @@ Some features require optional peer dependencies — see `package.json` for vers
   * [`libxmljs2`](https://www.npmjs.com/package/libxmljs2)  
     * the system might need to meet the requirements for [`node-gyp`](https://github.com/TooTallNate/node-gyp#installation), in certain cases.
 
+In addition, we have some suggestions for related 3rd-party standards:
+* [`packageurl-js`](https://www.npmjs.com/package/packageurl-js)
+  for crafting and parsing PackageURLs.
+* [`spdx-expression-parse`](https://www.npmjs.com/package/spdx-expression-parse)
+  for validating SPDX License Expressions.
+
 ## Usage
 
 See extended [examples].

@@ -25,8 +25,10 @@ const CDX = require('@cyclonedx/cyclonedx-library')
 //    const { Bom, Component } = require('@cyclonedx/cyclonedx-library/Models')
 //    const { ComponentType } = require('@cyclonedx/cyclonedx-library/Enums')
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
-const purlFac = new CDX.Contrib.PackageUrl.Factories.PackageUrlFactory('generic')
+const spdxExpressionParser = require('spdx-expression-parse')
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(
@@ -44,7 +46,7 @@ const componentA = new CDX.Models.Component(
   }
 )
 componentA.licenses.add(lFac.makeFromString('Apache-2.0'))
-componentA.purl = purlFac.makeFromComponent(componentA)
+componentA.purl = `pkg:generic/${componentA.group}/${componentA.name}@${componentA.version}`
 
 bom.components.add(componentA)
 bom.metadata.component.dependencies.add(componentA.bomRef)

@@ -25,8 +25,10 @@ import * as CDX from '@cyclonedx/cyclonedx-library'
 //    import { Bom, Component } from '@cyclonedx/cyclonedx-library/Models'
 //    import { ComponentType } from '@cyclonedx/cyclonedx-library/Enums'
 
-const lFac = new CDX.Contrib.License.Factories.LicenseFactory()
-const purlFac = new CDX.Contrib.PackageUrl.Factories.PackageUrlFactory('generic')
+import spdxExpressionParser from 'spdx-expression-parse'
+
+
+const lFac = new CDX.Contrib.License.Factories.LicenseFactory(spdxExpressionParser)
 
 const bom = new CDX.Models.Bom()
 bom.metadata.component = new CDX.Models.Component(
@@ -44,7 +46,7 @@ const componentA = new CDX.Models.Component(
   }
 )
 componentA.licenses.add(lFac.makeFromString('Apache-2.0'))
-componentA.purl = purlFac.makeFromComponent(componentA)
+componentA.purl = `pkg:generic/${componentA.group}/${componentA.name}@${componentA.version}`
 
 bom.components.add(componentA)
 bom.metadata.component.dependencies.add(componentA.bomRef)

@@ -8,6 +8,7 @@
   },
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "file:../../..",
+    "spdx-expression-parse": "^3.0.1||^4",
     "xmlbuilder2": "^3.0.2||^4.0.0"
   },
   "optionalDependencies": {

@@ -8,6 +8,7 @@
   },
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "file:../../../..",
+    "spdx-expression-parse": "^3.0.1||^4",
     "xmlbuilder2": "^3.0.2||^4.0.0"
   },
   "optionalDependencies": {
@@ -18,11 +19,12 @@
   },
   "devDependencies": {
     "@types/node": "*",
+    "@types/spdx-expression-parse": "^3",
     "typescript": "^3.8 || ^4 || ^5"
   },
   "scripts": {
     "prebuild": "tsc -b --clean",
     "build": "tsc -b",
-    "example": "node dist/example.js && node dist/deprecated.js"
+    "example": "node dist/example.js"
   }
 }