{"id":45694051,"url":"https://github.com/janbiasi/rollup-plugin-sbom","last_synced_at":"2026-05-24T17:08:45.589Z","repository":{"id":208617367,"uuid":"718681356","full_name":"janbiasi/rollup-plugin-sbom","owner":"janbiasi","description":"Create SBOMs in CycloneDX format for your Vite or Rollup projects with ease","archived":false,"fork":false,"pushed_at":"2026-02-18T09:00:27.000Z","size":991,"stargazers_count":17,"open_issues_count":3,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-02-18T10:59:44.614Z","etag":null,"topics":["rollup-plugin","sbom","sbom-generator","vite-plugin"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/rollup-plugin-sbom","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/janbiasi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["janbiasi"],"ko_fi":"janbiasi"}},"created_at":"2023-11-14T15:29:32.000Z","updated_at":"2026-02-18T08:53:31.000Z","dependencies_parsed_at":"2024-12-09T03:31:45.984Z","dependency_job_id":"ad38ab8f-e81a-4b3c-82f3-21fc11eb3e8c","html_url":"https://github.com/janbiasi/rollup-plugin-sbom","commit_stats":{"total_commits":64,"total_committers":5,"mean_commits":12.8,"dds":0.296875,"last_synced_commit":"743af95dd4c9e69b38314ad8cc79b6b351b38e35"},"previous_names":["janbiasi/rollup-plugin-sbom"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/janb
iasi/rollup-plugin-sbom","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janbiasi%2Frollup-plugin-sbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janbiasi%2Frollup-plugin-sbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janbiasi%2Frollup-plugin-sbom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janbiasi%2Frollup-plugin-sbom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/janbiasi","download_url":"https://codeload.github.com/janbiasi/rollup-plugin-sbom/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janbiasi%2Frollup-plugin-sbom/sbom","scorecard":{"id":1236658,"data":{"date":"2025-08-28T22:39:27Z","repo":{"name":"github.com/janbiasi/rollup-plugin-sbom","commit":"4a34b29b00822b975bf18e2567cfc0dfb7a86932"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":7.9,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ci.yml:52","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:19","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:15","Info: jobLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:11","Info: jobLevel 'actions' permission set to 'read': .github/workflows/osv-scan-pr.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/osv-scan-pr.yml:21","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/osv-scan-pr.yml:19","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/osv-scan-scheduled.yml:15","Info: jobLevel 'actions' permission set to 'read': .github/workflows/osv-scan-scheduled.yml:16","Info: jobLevel 'contents' permission set to 'read': 
.github/workflows/osv-scan-scheduled.yml:17","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/stale.yml:13","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: no topLevel permission defined: .github/workflows/dependency-review.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:6","Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:18","Info: topLevel 'actions' permission set to 'read': .github/workflows/osv-scan-pr.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/osv-scan-pr.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/osv-scan-scheduled.yml:9","Info: topLevel 'actions' permission set to 'read': .github/workflows/osv-scan-scheduled.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yml:7"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  15 out of  15 GitHub-owned GitHubAction dependencies pinned","Info:   4 out of   4 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Contributors","score":10,"reason":"project has 6 contributing companies or organizations","details":["Info: found contributions from: fanscore-ch, rheinklang, s2s-ventures, seekme-io, st.galler kantonalbank ag | @stgallerkb, stgallerkb"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"5 out of 5 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-78h3-pg4x-j8cv","Warn: Project is vulnerable to: 
GHSA-pq67-2wwv-3xjx","Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-09-01T07:45:01.233Z","repository_id":208617367,"created_at":"2025-09-01T07:45:01.233Z","updated_at":"2025-09-01T07:45:01.233Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29796783,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T16:37:37.581Z","status":"ssl_error","status_checked_at":"2026-02-24T16:37:37.074Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rollup-plugin","sbom","sbom-generator","vite-plugin"],"created_at":"2026-02-24T19:01:40.722Z","updated_at":"2026-02-24T19:02:22.405Z","avatar_url":"https://github.com/janbiasi.png","language":"TypeScript","funding_links":["https://github.com/sponsors/janbiasi","https://ko-fi.com/janbiasi"],"categories":[],"sub_categories":[],"readme":"[![CI](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml) 
[![CodeQL](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/github-code-scanning/codeql) ![npm](https://img.shields.io/npm/v/rollup-plugin-sbom)\n![npm peer dependency version (scoped)](https://img.shields.io/npm/dependency-version/rollup-plugin-sbom/peer/rollup?logo=rollupdotjs\u0026color=%23EA483F) ![img](https://img.shields.io/badge/semver-2.0.0-green?logo=semver) ![npm type definitions](https://img.shields.io/npm/types/rollup-plugin-sbom) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/janbiasi/rollup-plugin-sbom/badge)](https://securityscorecards.dev/viewer/?uri=github.com/janbiasi/rollup-plugin-sbom) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8443/badge)](https://www.bestpractices.dev/projects/8443) ![NPM Downloads](https://img.shields.io/npm/dm/rollup-plugin-sbom)\n\n# rollup-plugin-sbom\n\nCreate [SBOMs]() _(Software Bill of Materials)_ in [CycloneDX](https://cyclonedx.org/) format for your [Vite](https://vitejs.dev/) and [Rollup](https://rollupjs.org/) projects, including only the software you're really shipping to production.\n\n\u003e A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. 
A SBOM is a nested inventory, a list of ingredients that make up software components.\n\u003e\n\u003e – [CISA (.gov)](https://www.cisa.gov) [[full article](https://www.cisa.gov/sbom)]\n\n## Documentation\n\n- [Requirements and compatibility](#requirements-and-compatibility)\n- [Installation](#installation)\n- [Usage guide](#usage)\n  - [Usage with Vite](#usage-with-vite)\n  - [Usage with Rollup](#usage-with-rollup)\n  - [Configuration options and defaults](#configuration-options)\n  - [Debugging](#debugging)\n  - [Sequence chart](#sequence-chart)\n- [Contributing](#contributing)\n  - [Contribution workflow](#workflow)\n  - [Make your first contribution](#good-first-issues)\n  - [Contributors](#contributors)\n\n---\n\n### Requirements and Compatibility\n\n| Plugin | Vite       | Rollup | Node       | CDX Spec |\n| ------ | ---------- | ------ | ---------- | -------- |\n| v1     | v4, v5     | v3, v4 | 18, 20     | 1.5      |\n| v2     | v4, v5, v6 | v3, v4 | 18, 20, 22 | 1.6      |\n| v3     | v5, v6, v7 | v4     | 20, 22, 24 | 1.6      |\n\nWe're always supporting LTS Node.js versions and versions which still have security support.\nPlugin support will be dropped once a Node.js version reaches its final EOL.\n\n### Installation\n\nYou can install the plugin via [NPM](https://www.npmjs.com/package/rollup-plugin-sbom) with your favorite package manager:\n\n```sh\nnpm install --save-dev rollup-plugin-sbom\npnpm install -D rollup-plugin-sbom\nyarn add --dev rollup-plugin-sbom\n```\n\n### Usage\n\n#### Usage with [Vite](https://vitejs.dev/)\n\n```ts\nimport { defineConfig } from \"vite\";\nimport sbom from \"rollup-plugin-sbom\";\n\nexport default defineConfig({\n  plugins: [sbom()],\n});\n\n// or\n\nexport default defineConfig({\n  build: {\n    rollupOptions: {\n      plugins: [rollupPluginSbom],\n    },\n  },\n});\n```\n\n#### Usage with [Rollup](https://rollupjs.org/)\n\n```js\nimport sbom from \"rollup-plugin-sbom\";\n\nexport default {\n  plugins: 
[sbom()],\n};\n```\n\n#### Configuration Options\n\n| Name                | Default       | Description                                                                                 |\n| ------------------- | ------------- | ------------------------------------------------------------------------------------------- |\n| `specVersion`       | `1.6`         | The CycloneDX specification version to use                                                  |\n| `rootComponentType` | `application` | The root component type, can be `library` or `application`                                  |\n| `outDir`            | `cyclonedx`   | The output directory where the BOM file will be saved.                                      |\n| `outFilename`       | `bom`         | The base filename for the SBOM files.                                                       |\n| `outFormats`        | `['json']`    | The formats to output. Can be any of `json` and `xml` (note: `xml` requires `xmlbuilder2`). |\n| `saveTimestamp`     | `true`        | Whether to save the timestamp in the BOM metadata.                                          |\n| `autodetect`        | `true`        | Whether to get the root package registered automatically.                                   |\n| `generateSerial`    | `false`       | Whether to generate a serial number for the BOM.                                            |\n| `includeWellKnown`  | `true`        | Whether to generate a SBOM in the `well-known` directory.                                   
|\n| `supplier`          | -             | Provide organizational entity information                                                   |\n| `beforeCollect`     | -             | Enhance the BOM before collecting dependencies                                              |\n| `afterCollect`      | -             | Transform the BOM after collecting dependencies                                             |\n\n### Optional Peer Dependencies\n\nSome features require optional peer dependencies — see package.json for version details.\n\n- Serialization to XML on Node.js requires any of:\n  - `xmlbuilder2`\n\n### Debugging\n\nThis plugin emits `debug` logs that show how your SBOM is built, so you can\nunderstand why each dependency was added to the graph. To enable debugging, you can set the `logLevel` option to `\"debug\"`.\n\n```ts\n// rollup\nexport default {\n  logLevel: \"debug\",\n};\n\n// vite\nexport default defineConfig({\n  build: {\n    rollupOptions: {\n      logLevel: \"debug\",\n    },\n  },\n});\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eExample output from our \u003ca href=\"./test/fixtures/resolution/\"\u003etest fixture \"resolution\"\u003c/a\u003e\u003c/summary\u003e\n\nGeneral advice on when and how to read the debug information:\n\n- Find out which tools are registered (`Registering tool \u003cname\u003e`)\n- Find out which generated bundles are analyzed (`Processing generated module \u003cfilename\u003e`)\n- Check analyzed third party modules and their tree (`Processing \u003cvendor-module\u003e (imported by \u003cfilename\u003e - depends on \u003ctransitive-deps\u003e)`)\n\n```text\n[plugin rollup-plugin-sbom] Autodetection enabled, trying to resolve root component\n[plugin rollup-plugin-sbom] Saving timestamp to SBOM\n[plugin rollup-plugin-sbom] Generating serial number for SBOM\n[plugin rollup-plugin-sbom] Registering tool rollup-plugin-sbom\n[plugin rollup-plugin-sbom] Registering tool vite\n[plugin rollup-plugin-sbom] 
Registering tool rollup\n[plugin rollup-plugin-sbom] Processing generated module \"index.js\"\n[plugin rollup-plugin-sbom] Found 4 external modules within \"index.js\"\n[plugin rollup-plugin-sbom] Found 3 unique external modules accross all bundles\n[plugin rollup-plugin-sbom] Processing a (imported by /rollup-plugin-sbom/test/fixtures/resolution/node_modules/a/index.js - depends on c)\n[plugin rollup-plugin-sbom] Attaching nested dependency \"c\" to parent component a\n[plugin rollup-plugin-sbom] Processing c (imported by /rollup-plugin-sbom/test/fixtures/resolution/node_modules/a/node_modules/c/index.js - depends on none)\n[plugin rollup-plugin-sbom] Processing side-effect (imported by /rollup-plugin-sbom/test/fixtures/resolution/node_modules/b/node_modules/side-effect/index.js - depends on none)\n[plugin rollup-plugin-sbom] Processing b (imported by /rollup-plugin-sbom/test/fixtures/resolution/node_modules/b/index.js - depends on a, side-effect)\n[plugin rollup-plugin-sbom] Attaching nested dependency \"a\" to parent component b\n[plugin rollup-plugin-sbom] Processing a (imported by /rollup-plugin-sbom/test/fixtures/resolution/node_modules/b/node_modules/a/index.js - depends on none)\n[plugin rollup-plugin-sbom] Attaching nested dependency \"side-effect\" to parent component b\n[plugin rollup-plugin-sbom] Emitting SBOM asset to plugin-outdir/filename.json\n[plugin rollup-plugin-sbom] Emitting SBOM asset to plugin-outdir/filename.xml\n[plugin rollup-plugin-sbom] Emitting well-known file to .well-known/sbom\n```\n\n\u003c/details\u003e\n\n### Sequence chart\n\n```mermaid\nsequenceDiagram\n  participant Bundler\n  box Hook Phases\n    participant SB as Start Build\n    participant MP as Module Parsed\n    participant GB as Generate Bundle\n    participant EF as Emit Files\n  end\n  box Plugin\n    participant AN as Analyzer\n    participant PR as Package Registry\n  end\n  activate Bundler\n  activate SB\n    Bundler-\u003e\u003eSB: Register Root Component\n    
Bundler-\u003e\u003eSB: Register Tools\n  deactivate SB\n  Bundler--\u003e\u003eMP: Invoke for each module\n  activate MP\n    MP--\u003e\u003ePR: Find and load package.json\n  deactivate MP\n  activate GB\n    Bundler-\u003e\u003eGB: Invoke with generated chunks\n    AN-\u003e\u003eAN: Build tree (recursive)\n    GB-\u003e\u003eAN: Analyze generated chunk\n    AN-\u003e\u003eGB: Send module tree\n    GB-\u003e\u003ePR: Request package.json for module\n    PR-\u003e\u003eGB: Return normalized package\n    GB-\u003e\u003eEF: Emit SBOM files\n    GB-\u003e\u003eEF: Emit Well Known\n  deactivate GB\n  EF-\u003e\u003eBundler: Finish build\n  deactivate Bundler\n```\n\n## Contributing\n\nThe main purpose of this repository is to continue evolving the plugin, making it faster and easier to use. We are grateful to the community for contributing bugfixes and improvements. Read below to learn how you can take part in improving the plugin.\n\n### Workflow\n\n1. Fork the repository to your personal account\n2. Ensure that all tests succeed (`pnpm build-fixtures` \u0026 `pnpm test`)\n3. Propose changes within a PR to the original repository and write down the information required by the [pull request template](./.github/pull_request_template.md)\n4. Wait for an approval for running the required [workflow checks](./.github/workflows/ci.yml) and a code-review from one of the maintainers\n\n### Good First Issues\n\nWe have a list of [good first issues](https://github.com/janbiasi/rollup-plugin-sbom/labels/good%20first%20issue) that contain bugs that have a relatively limited scope. 
This is a great place to get started.\n\n### Contributors\n\nThanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003ctable\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/janbiasi\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/4563751?v=4?s=100\" width=\"100px;\" alt=\"Jan R. Biasi\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eJan R. Biasi\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"#business-janbiasi\" title=\"Business development\"\u003e💼\u003c/a\u003e \u003ca href=\"#question-janbiasi\" title=\"Answering Questions\"\u003e💬\u003c/a\u003e \u003ca href=\"#mentoring-janbiasi\" title=\"Mentoring\"\u003e🧑‍🏫\u003c/a\u003e \u003ca href=\"https://github.com/janbiasi/rollup-plugin-sbom/commits?author=janbiasi\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/boostvolt\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/51777660?v=4?s=100\" width=\"100px;\" alt=\"Jan Kott\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eJan Kott\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/janbiasi/rollup-plugin-sbom/commits?author=boostvolt\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"#ideas-boostvolt\" title=\"Ideas, Planning, \u0026 Feedback\"\u003e🤔\u003c/a\u003e \u003ca href=\"#content-boostvolt\" title=\"Content\"\u003e🖋\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/xenobytezero\"\u003e\u003cimg 
src=\"https://avatars.githubusercontent.com/u/5059527?v=4?s=100\" width=\"100px;\" alt=\"xenobytezero\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003exenobytezero\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/janbiasi/rollup-plugin-sbom/issues?q=author%3Axenobytezero\" title=\"Bug reports\"\u003e🐛\u003c/a\u003e \u003ca href=\"https://github.com/janbiasi/rollup-plugin-sbom/commits?author=xenobytezero\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/DesselBane\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/12199480?v=4?s=100\" width=\"100px;\" alt=\"DesselBane\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eDesselBane\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/janbiasi/rollup-plugin-sbom/issues?q=author%3ADesselBane\" title=\"Bug reports\"\u003e🐛\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003c!-- markdownlint-restore --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\n## Sponsors\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://sgkb.ch\"\u003e\n    \u003cimg src=\"docs/sponsors/stgallerkb.png\" width=\"250px\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n## License\n\nThe plugin is licensed under [MIT License](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjanbiasi%2Frollup-plugin-sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjanbiasi%2Frollup-plugin-sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjanbiasi%2Frollup-plugin-sbom/lists"}