fix: use @npmcli/package-json to normalize package data

wraithgar · wraithgar · commit 79e3c1eff776 · 2025-09-25T13:38:26.000-07:00
diff --git a/lib/utils/sbom-cyclonedx.js b/lib/utils/sbom-cyclonedx.js
@@ -1,6 +1,6 @@
 const crypto = require('node:crypto')
-const normalizeData = require('normalize-package-data')
 const parseLicense = require('spdx-expression-parse')
+const PackageJson = require('@npmcli/package-json')
 const npa = require('npm-package-arg')
 const ssri = require('ssri')
 
@@ -79,7 +79,9 @@ const toCyclonedxItem = (node, { packageType }) => {
   const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
 
   if (node.package) {
-    normalizeData(node.package)
+    const toNormalize = new PackageJson()
+    toNormalize.fromContent(node.package).normalize({ steps: ['normalizeData'] })
+    node.package = toNormalize.content
   }
 
   let parsedLicense
diff --git a/lib/utils/sbom-spdx.js b/lib/utils/sbom-spdx.js
@@ -1,6 +1,6 @@
 
 const crypto = require('node:crypto')
-const normalizeData = require('normalize-package-data')
+const PackageJson = require('@npmcli/package-json')
 const npa = require('npm-package-arg')
 const ssri = require('ssri')
 
@@ -90,7 +90,9 @@ const spdxOutput = ({ npm, nodes, packageType }) => {
 }
 
 const toSpdxItem = (node, { packageType }) => {
-  normalizeData(node.package)
+  const toNormalize = new PackageJson()
+  toNormalize.fromContent(node.package).normalize({ steps: ['normalizeData'] })
+  node.package = toNormalize.content
 
   // Calculate purl from package spec
   let spec = npa(node.pkgid)
