matharmin 3 hours ago

SBOM may contain similar info to lockfiles, but the purposes are entirely different.

Lockfiles tell the package manager what to install. SBOM tells the user what your _built_ project contains. In some cases it could be the same, but in most cases it's not.

It's more complicated than just annotating which dependencies are development versus production dependencies. You may be installing dependencies, but not actually use them in the build (for example optional transitive dependencies). Some build tools can detect this and omit them from the SBOM, but you can't omit these from your lockfile.

Fundamentally, lockfiles are an input to your development setup process, while SBOM is an output of the build process.

Now, there is still an argument that you can use the same _format_ for both. But there are no significant advantages to that: the SBOM is more verbose, does not diff well, and will result in worse performance.
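The input/output relationship described above can be checked mechanically, which is what a defender wants when validating that a build's SBOM is consistent with the lockfile that fed it. The script below is an added example, not part of matharmin's comment. It parses a constructed npm-style `package-lock.json` (v3 `packages` map keyed by `node_modules/...` paths) and a constructed CycloneDX-style SBOM (`components` with `name`, `version`, `purl`), then reports three things: locked packages that did not ship in the artifact (with the lockfile's own `dev`/`optional` flags as the explanation), shipped components with no lockfile provenance at all, and per-dependency fields such as licenses that only the SBOM carries. All package names, versions and integrity values are constructed placeholders.

```python
import json

# Constructed npm-style lockfile (package-lock.json v3 shape); not a real project.
LOCKFILE = json.loads('''
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/jest": {"version": "29.0.0", "dev": true},
    "node_modules/fsevents": {"version": "2.3.2", "optional": true},
    "node_modules/@scope/util": {"version": "0.2.0"}
  }
}
''')

# Constructed CycloneDX-style SBOM describing the *built* artifact.
SBOM = json.loads('''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "WTFPL"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "@scope/util", "version": "0.2.0",
     "purl": "pkg:npm/%40scope/util@0.2.0"},
    {"type": "library", "name": "minified-helper", "version": "0.0.1",
     "purl": "pkg:npm/minified-helper@0.0.1"}
  ]
}
''')


def lockfile_packages(lock):
    """Map (name, version) -> lockfile entry for every installed package."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        # The package name is whatever follows the last "node_modules/";
        # this handles nested installs and scoped packages like @scope/util.
        name = path.rsplit("node_modules/", 1)[-1]
        out[(name, entry["version"])] = entry
    return out


def sbom_components(bom):
    """Map (name, version) -> SBOM component for everything in the built artifact."""
    return {(c["name"], c["version"]): c for c in bom.get("components", [])}


def explain_unshipped(entry):
    """Why a locked package may legitimately be absent from the artifact."""
    if entry.get("dev"):
        return "dev"
    if entry.get("optional"):
        return "optional"
    return "unexplained"


def compare(lock, bom):
    locked = lockfile_packages(lock)
    shipped = sbom_components(bom)
    # Lockfile is expected to be a superset of what ships (dev/optional deps).
    installed_not_shipped = sorted(
        (name, ver, explain_unshipped(locked[(name, ver)]))
        for (name, ver) in set(locked) - set(shipped)
    )
    # The reverse should be empty: a shipped component with no lockfile
    # provenance means something reached the artifact outside the locked install.
    shipped_not_locked = sorted(set(shipped) - set(locked))
    # Per-dependency info the SBOM carries that the lockfile never had.
    license_only_in_sbom = sorted(
        key for key, comp in shipped.items()
        if comp.get("licenses") and key in locked and "licenses" not in locked[key]
    )
    return {
        "installed_not_shipped": installed_not_shipped,
        "shipped_not_locked": shipped_not_locked,
        "license_only_in_sbom": license_only_in_sbom,
    }


if __name__ == "__main__":
    print(json.dumps(compare(LOCKFILE, SBOM), indent=2))
```

The `installed_not_shipped` list is the "superset" half of the comparison and is normal; the `shipped_not_locked` list is the one to alert on in CI, since a component in the artifact that no lockfile entry accounts for (a vendored copy, a build-step download, or an SBOM generator misattribution) is exactly the gap an SBOM exists to expose.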

sunnyday_002 an hour ago | parent [-]

So the lockfile is a superset, but never a subset?

So it basically is an SBOM then but just sometimes has extra dependencies?

matharmin an hour ago | parent [-]

Superset of dependencies, but often a subset of info per dependency.

sunnyday_002 an hour ago | parent [-]

Ah okay! I know Rust has the transitive dependencies; I did not think/realise all languages might not. Good point!