SBOM
Slide Spec publishes a Software Bill of Materials in CycloneDX JSON format for each tagged release produced by the release workflow.
What to expect
The release workflow attaches sbom.cyclonedx.json to the corresponding GitHub Release along with the source tarball.
You can find the latest published release assets here:
Format
The SBOM is generated in CycloneDX JSON format during CI. It is intended to be a machine-readable inventory of the release contents published from this repository.
What it is for
The SBOM gives consumers a better way to inspect what was published without unpacking the release by hand. It is most useful when paired with the release notes, source tarball, and provenance generated by npm trusted publishing.
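As an added example (not code from this repository or its release workflow), the script below shows how a consumer can inspect a CycloneDX JSON SBOM like the attached sbom.cyclonedx.json without unpacking the tarball: it checks that the file really is a CycloneDX document, lists the declared components, and flags two inventory gaps that matter for supply-chain review, components with no Package URL (which cannot be matched against vulnerability feeds by purl) and dependency edges that point at no declared component. The embedded sample document is constructed for illustration with placeholder names and versions; it is not the contents of any Slide Spec release. Only the standard CycloneDX field names (bomFormat, specVersion, metadata.component, components, dependencies, bom-ref, purl) are assumed.

```python
"""Inspect a CycloneDX JSON SBOM such as a release's sbom.cyclonedx.json (added example)."""
from __future__ import annotations

import json
import sys

# Constructed sample: a minimal CycloneDX 1.5 JSON document with placeholder
# component names and versions, not the inventory of any real release.
SAMPLE_SBOM = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "1.2.3",
                  "bom-ref": "pkg:npm/example-app@1.2.3"}
  },
  "components": [
    {"type": "library", "name": "left-pad-like", "version": "1.0.0",
     "purl": "pkg:npm/left-pad-like@1.0.0", "bom-ref": "pkg:npm/left-pad-like@1.0.0"},
    {"type": "library", "name": "untracked-lib", "version": "0.9.0", "bom-ref": "untracked-lib"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.2.3",
     "dependsOn": ["pkg:npm/left-pad-like@1.0.0", "untracked-lib", "pkg:npm/ghost@0.0.1"]},
    {"ref": "pkg:npm/left-pad-like@1.0.0", "dependsOn": []}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse SBOM JSON and reject anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX SBOM: bomFormat={sbom.get('bomFormat')!r}")
    if "specVersion" not in sbom:
        raise ValueError("CycloneDX document is missing specVersion")
    return sbom


def described_component(sbom: dict) -> str:
    """Return name@version of the thing the SBOM describes (metadata.component)."""
    meta = sbom.get("metadata", {}).get("component", {})
    return f"{meta.get('name')}@{meta.get('version')}"


def list_components(sbom: dict) -> list[tuple[str, str, str | None]]:
    """Sorted (name, version, purl) triples for every declared component."""
    return sorted(
        (c.get("name", ""), c.get("version", ""), c.get("purl"))
        for c in sbom.get("components", [])
    )


def components_without_purl(sbom: dict) -> list[str]:
    """Components lacking a Package URL; these cannot be matched to advisories by purl."""
    return [c.get("name", "") for c in sbom.get("components", []) if not c.get("purl")]


def dangling_dependency_refs(sbom: dict) -> list[str]:
    """dependsOn entries that name no declared bom-ref; a sign the inventory is incomplete."""
    known = {c.get("bom-ref") for c in sbom.get("components", [])}
    known.add(sbom.get("metadata", {}).get("component", {}).get("bom-ref"))
    dangling: list[str] = []
    for dep in sbom.get("dependencies", []):
        for ref in dep.get("dependsOn", []):
            if ref not in known:
                dangling.append(ref)
    return dangling


if __name__ == "__main__":
    # Pass a path to a real sbom.cyclonedx.json, or run with no argument to use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    bom = load_sbom(text)
    print(f"SBOM for {described_component(bom)} (CycloneDX {bom['specVersion']})")
    for name, version, purl in list_components(bom):
        print(f"  {name} {version}  {purl or '(no purl)'}")
    print("components without purl:", components_without_purl(bom))
    print("dangling dependency refs:", dangling_dependency_refs(bom))
```

Run it against a downloaded release asset with `python inspect_sbom.py sbom.cyclonedx.json`; a non-empty list from either check is worth raising with the maintainers before trusting the inventory.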
Notes for maintainers
- The SBOM is attached to tagged releases created by the current workflow.
- Stable and prerelease releases both attach the SBOM.
- The release notes preface should reference the attached SBOM alongside the source tarball and npm package.
- If the release process changes, keep this page and Supply Chain in sync with the workflow.