CycloneDX · jkowalleck · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
@@ -352,6 +352,9 @@ jobs:
       - name: run example
         run: node -- 'example.${{ matrix.js-type }}'
         working-directory: ${{ env.EXAMPLE_DIR }}
+      - name: run deprecated
+        run: node -- 'deprecated.${{ matrix.js-type }}'
+        working-directory: ${{ env.EXAMPLE_DIR }}
 
   example-TS:
     needs: [ 'build' ]

@@ -6,6 +6,17 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Fixed
+  * Type declarations for deprecated symbols support usage as types ([#1350] via [#1351])
+* Refactor
+  * Deprecated symbols turned from re-exports into re-declares (via [#1351])  
+    Note: this change adds runtime overhead for the sake of documentation.
+
+[#1350]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1350
+[#1351]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1351
+
+## 9.4.0 -- 2025-12-02
+
 * Added
   * New entry points for `/Contrib` and known submodules (via [#1343])  
     See `package.json::exports` for details.

@@ -2,5 +2,8 @@
 !/.gitignore
 !/example.mjs
 !/example.cjs
+!/deprecated.cjs
+!/deprecated.mjs
 !/package.json
+!/jsconfig.json
 !/.npmrc
@@ -0,0 +1,57 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Example showcasing the deprecated symbols still work.
+ * @see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1350
+ */
+
+const fs = require('node:fs')
+const path = require('node:path')
+
+const CDX = require('@cyclonedx/cyclonedx-library')
+// full Library is available as `CDX`, now
+
+const dBU1 = CDX.Utils.BomUtility.randomSerialNumber()
+console.log(dBU1)
+
+const dNU1 = CDX.Utils.NpmjsUtility.defaultRegistryMatcher.test('foo')
+const dNU2 = CDX.Utils.NpmjsUtility.parsePackageIntegrity('sha1-aSbRsZT7xze47tUTdW3i/Np+pAg=')
+console.log(dNU1, dNU2)
+
+const dLU1 = new CDX.Utils.LicenseUtility.LicenseEvidenceGatherer({fs, path})
+console.log(dLU1)
+
+/** @type {CDX.Types.NodePackageJson} */
+const dTnpj1 = {}
+// const dTnpj2 =CDX.Types.isNodePackageJson(dTnpj1)
+try { CDX.Types.assertNodePackageJson(dTnpj1) } catch { /* pass */ }
+console.log(dTnpj1)
+
+const dF1 = new CDX.Factories.PackageUrlFactory('generic')
+const dF2 = new CDX.Factories.LicenseFactory()
+console.log(dF1, dF2)
+
+const dFnpj3 = new CDX.Factories.FromNodePackageJson.PackageUrlFactory('npm')
+const dFnpj4  = new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory()
+console.log(dFnpj3, dFnpj4)
+
+const dBnpj1 = new CDX.Builders.FromNodePackageJson.ComponentBuilder(dFnpj4, dF2)
+const dBnpj2 = new CDX.Builders.FromNodePackageJson.ToolBuilder(dFnpj4)
+console.log(dBnpj1, dBnpj2)
@@ -0,0 +1,57 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Example showcasing the deprecated symbols still work.
+ * @see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1350
+ */
+
+import * as fs from 'node:fs'
+import * as path from 'node:path'
+
+import * as CDX from '@cyclonedx/cyclonedx-library'
+// full Library is available as `CDX`, now
+
+const dBU1 = CDX.Utils.BomUtility.randomSerialNumber()
+console.log(dBU1)
+
+const dNU1 = CDX.Utils.NpmjsUtility.defaultRegistryMatcher.test('foo')
+const dNU2 = CDX.Utils.NpmjsUtility.parsePackageIntegrity('sha1-aSbRsZT7xze47tUTdW3i/Np+pAg=')
+console.log(dNU1, dNU2)
+
+const dLU1 = new CDX.Utils.LicenseUtility.LicenseEvidenceGatherer({fs, path})
+console.log(dLU1)
+
+/** @type {CDX.Types.NodePackageJson} */
+const dTnpj1 = {}
+// const dTnpj2 =CDX.Types.isNodePackageJson(dTnpj1)
+try { CDX.Types.assertNodePackageJson(dTnpj1) } catch { /* pass */ }
+console.log(dTnpj1)
+
+const dF1 = new CDX.Factories.PackageUrlFactory('generic')
+const dF2 = new CDX.Factories.LicenseFactory()
+console.log(dF1, dF2)
+
+const dFnpj3 = new CDX.Factories.FromNodePackageJson.PackageUrlFactory('npm')
+const dFnpj4  = new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory()
+console.log(dFnpj3, dFnpj4)
+
+const dBnpj1 = new CDX.Builders.FromNodePackageJson.ComponentBuilder(dFnpj4, dF2)
+const dBnpj2 = new CDX.Builders.FromNodePackageJson.ToolBuilder(dFnpj4)
+console.log(dBnpj1, dBnpj2)
@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "checkJs": true,
+    "target": "ESNext",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "types": ["node"],
+    "lib": ["esnext"],
+    "strict": true
+  },
+  "exclude": ["node_modules"]
+}
@@ -2,17 +2,21 @@
   "private": true,
   "name": "@cyclonedx/cyclonedx-library-examples-node-javascript",
   "license": "Apache-2.0",
+  "type": "module",
   "engines": {
     "node": ">=20.18.0"
   },
   "dependencies": {
-    "@cyclonedx/cyclonedx-library": "../../..",
+    "@cyclonedx/cyclonedx-library": "file:../../..",
     "xmlbuilder2": "^3.0.2||^4.0.0"
   },
   "optionalDependencies": {
     "ajv": "^8.12.0",
     "ajv-formats": "^3.0.1",
     "ajv-formats-draft2019": "^1.6.1",
     "libxmljs2": "^0.35||^0.37"
+  },
+  "devDependencies": {
+    "@types/node": ">=20.18.0"
   }
 }
@@ -23,6 +23,6 @@
   "scripts": {
     "prebuild": "tsc -b --clean",
     "build": "tsc -b",
-    "example": "node dist/example.js"
+    "example": "node dist/example.js && node dist/deprecated.js"
   }
 }
@@ -0,0 +1,65 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Example showcasing the deprecated symbols still work.
+ * @see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1350
+ */
+
+import * as fs from 'node:fs'
+import * as path from 'node:path'
+
+import * as CDX from '@cyclonedx/cyclonedx-library'
+// full Library is available as `CDX`, now
+
+const dBU1 = CDX.Utils.BomUtility.randomSerialNumber()
+console.log(dBU1)
+
+const dNU1 = CDX.Utils.NpmjsUtility.defaultRegistryMatcher.test('foo')
+const dNU2 = CDX.Utils.NpmjsUtility.parsePackageIntegrity('sha1-aSbRsZT7xze47tUTdW3i/Np+pAg=')
+console.log(dNU1, dNU2)
+
+type dLU1_T = CDX.Utils.LicenseUtility.LicenseEvidenceGatherer
+const fsU: CDX.Utils.LicenseUtility.FsUtils<string> = fs
+const pathU: CDX.Utils.LicenseUtility.PathUtils<string> = path
+const dLU1: dLU1_T = new CDX.Utils.LicenseUtility.LicenseEvidenceGatherer({fs: fsU, path: pathU})
+console.log(dLU1)
+
+const dTnpj1: CDX.Types.NodePackageJson = {}
+// const dTnpj2 =CDX.Types.isNodePackageJson(dTnpj1)
+try { CDX.Types.assertNodePackageJson(dTnpj1) } catch { /* pass */ }
+console.log(dTnpj1)
+
+type dF1_T = CDX.Factories.PackageUrlFactory
+type dF2_T = CDX.Factories.LicenseFactory
+const dF1: dF1_T = new CDX.Factories.PackageUrlFactory('generic')
+const dF2: dF2_T = new CDX.Factories.LicenseFactory()
+console.log(dF1, dF2)
+
+type dFnpj3_T = CDX.Factories.FromNodePackageJson.PackageUrlFactory
+const dFnpj3: dFnpj3_T = new CDX.Factories.FromNodePackageJson.PackageUrlFactory('npm')
+type dFnpj4_T = CDX.Factories.FromNodePackageJson.ExternalReferenceFactory
+const dFnpj4: dFnpj4_T  = new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory()
+console.log(dFnpj3, dFnpj4)
+
+type dBnpj1_T = CDX.Builders.FromNodePackageJson.ComponentBuilder
+const dBnpj1: dBnpj1_T = new CDX.Builders.FromNodePackageJson.ComponentBuilder(dFnpj4, dF2)
+type dBnpj2_T = CDX.Builders.FromNodePackageJson.ToolBuilder
+const dBnpj2: dBnpj2_T = new CDX.Builders.FromNodePackageJson.ToolBuilder(dFnpj4)
+console.log(dBnpj1, dBnpj2)
@@ -3,13 +3,14 @@
   "compilerOptions": {
     "target": "ES2016",
     "module": "CommonJS",
+    "moduleResolution": "node",
+    "types": ["node"],
+    "lib": ["esnext"],
+    "sourceMap": true,
     "outDir": "./dist",
     "strict": true,
     "forceConsistentCasingInFileNames": true,
     "disableSourceOfProjectReferenceRedirect": false,
     "rootDir": "src"
-  },
-  "files": [
-    "./src/example.ts"
-  ]
+  }
 }
@@ -23,6 +23,6 @@
   "scripts": {
     "prebuild": "tsc -b --clean",
     "build": "tsc -b",
-    "example": "node dist/example.js"
+    "example": "node dist/example.js && node dist/deprecated.js"
   }
 }
@@ -0,0 +1,65 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Example showcasing the deprecated symbols still work.
+ * @see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1350
+ */
+
+import * as fs from 'node:fs'
+import * as path from 'node:path'
+
+import * as CDX from '@cyclonedx/cyclonedx-library'
+// full Library is available as `CDX`, now
+
+const dBU1 = CDX.Utils.BomUtility.randomSerialNumber()
+console.log(dBU1)
+
+const dNU1 = CDX.Utils.NpmjsUtility.defaultRegistryMatcher.test('foo')
+const dNU2 = CDX.Utils.NpmjsUtility.parsePackageIntegrity('sha1-aSbRsZT7xze47tUTdW3i/Np+pAg=')
+console.log(dNU1, dNU2)
+
+type dLU1_T = CDX.Utils.LicenseUtility.LicenseEvidenceGatherer
+const fsU: CDX.Utils.LicenseUtility.FsUtils<string> = fs
+const pathU: CDX.Utils.LicenseUtility.PathUtils<string> = path
+const dLU1: dLU1_T = new CDX.Utils.LicenseUtility.LicenseEvidenceGatherer({fs: fsU, path: pathU})
+console.log(dLU1)
+
+const dTnpj1: CDX.Types.NodePackageJson = {}
+// const dTnpj2 =CDX.Types.isNodePackageJson(dTnpj1)
+try { CDX.Types.assertNodePackageJson(dTnpj1) } catch { /* pass */ }
+console.log(dTnpj1)
+
+type dF1_T = CDX.Factories.PackageUrlFactory
+type dF2_T = CDX.Factories.LicenseFactory
+const dF1: dF1_T = new CDX.Factories.PackageUrlFactory('generic')
+const dF2: dF2_T = new CDX.Factories.LicenseFactory()
+console.log(dF1, dF2)
+
+type dFnpj3_T = CDX.Factories.FromNodePackageJson.PackageUrlFactory
+const dFnpj3: dFnpj3_T = new CDX.Factories.FromNodePackageJson.PackageUrlFactory('npm')
+type dFnpj4_T = CDX.Factories.FromNodePackageJson.ExternalReferenceFactory
+const dFnpj4: dFnpj4_T  = new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory()
+console.log(dFnpj3, dFnpj4)
+
+type dBnpj1_T = CDX.Builders.FromNodePackageJson.ComponentBuilder
+const dBnpj1: dBnpj1_T = new CDX.Builders.FromNodePackageJson.ComponentBuilder(dFnpj4, dF2)
+type dBnpj2_T = CDX.Builders.FromNodePackageJson.ToolBuilder
+const dBnpj2: dBnpj2_T = new CDX.Builders.FromNodePackageJson.ToolBuilder(dFnpj4)
+console.log(dBnpj1, dBnpj2)
@@ -3,13 +3,13 @@
   "compilerOptions": {
     "target": "ES2021",
     "module": "Node16",
+    "types": ["node"],
+    "lib": ["esnext"],
+    "sourceMap": true,
     "outDir": "./dist",
     "strict": true,
     "forceConsistentCasingInFileNames": true,
     "disableSourceOfProjectReferenceRedirect": false,
     "rootDir": "src"
-  },
-  "files": [
-    "./src/example.ts"
-  ]
+  }
 }
@@ -137,9 +137,11 @@
     ".": {
       "types": {
         "browser": "./dist.d/index.web.d.ts",
+        "node": "./dist.d/index.node.d.ts",
         "default": "./dist.d/index.node.d.ts"
       },
       "browser": "./dist.web/lib.js",
+      "node": "./dist.node/index.node.js",
       "default": "./dist.node/index.node.js"
     },
     "./package.json": "./package.json",