
[BUG] SBOM generation for CycloneDX generates duplicate dependencies #6967

@jamietanna

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The generated CycloneDX SBOM may not be able to be parsed by tools, as it generates duplicate dependencies.

Expected Behavior

A CycloneDX v1.5 SBOM generated from a repository can be parsed correctly.

Steps To Reproduce

  1. Clone https://gitlab.com/tanna.dev/renovate-graph
  2. Run npm sbom --sbom-format cyclonedx > cyclonedx.json
  3. Run it through a Cyclone validator, i.e. go run github.com/CycloneDX/sbom-utility@latest validate --input-file cyclonedx.json

renovate-graph.cyclonedx.json

Environment

  • npm: 10.2.3
  • Node.js: v18.17.1
  • OS Name: Linux
  • System Model Name:
  • npm config:
; "user" config from /home/jamie/.npmrc
//registry.npmjs.org/:_authToken = (protected)
; node bin location = /usr/bin/node
; node version = v18.17.1
; npm local prefix = /home/jamie/workspaces/renovate-graph
; npm version = 10.2.3
; cwd = /home/jamie/workspaces/renovate-graph
; HOME = /home/jamie
; Run `npm config ls -l` to show all defaults.
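The duplicate-entry defect the report describes can be caught before an SBOM is handed to downstream tooling. The checker below is an added example, not code from the issue, from npm or from the CycloneDX project; it flags any `ref` repeated in the `dependencies` array and any repeated component `bom-ref`, and the package names in its embedded sample SBOM are constructed placeholders.

```python
# Added example: flag repeated "ref" entries in a CycloneDX 1.5 JSON SBOM's
# "dependencies" array (the defect reported above) and, as a related sanity
# check, repeated "bom-ref" values in "components".
import json
from collections import Counter

# Constructed sample SBOM shaped like CycloneDX 1.5 JSON; the package names
# and versions are invented placeholders, not taken from the report's file.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "example-app@1.0.0", "name": "example-app"}},
    "components": [
        {"bom-ref": "example-lib@2.0.0", "name": "example-lib", "version": "2.0.0"},
        {"bom-ref": "example-util@0.3.1", "name": "example-util", "version": "0.3.1"},
    ],
    "dependencies": [
        {"ref": "example-app@1.0.0", "dependsOn": ["example-lib@2.0.0", "example-util@0.3.1"]},
        {"ref": "example-lib@2.0.0", "dependsOn": ["example-util@0.3.1"]},
        {"ref": "example-util@0.3.1", "dependsOn": []},
        # The defect: the same ref is listed a second time.
        {"ref": "example-util@0.3.1", "dependsOn": []},
    ],
})


def duplicate_refs(entries, key):
    """Return the values of `key` that occur more than once, in first-seen order."""
    counts = Counter(e.get(key) for e in entries if e.get(key) is not None)
    return [ref for ref, n in counts.items() if n > 1]


def check_sbom(sbom_json):
    """Parse a CycloneDX JSON SBOM and report duplicated dependency refs and bom-refs."""
    sbom = json.loads(sbom_json)
    return {
        "duplicate_dependency_refs": duplicate_refs(sbom.get("dependencies", []), "ref"),
        "duplicate_component_bom_refs": duplicate_refs(sbom.get("components", []), "bom-ref"),
    }


if __name__ == "__main__":
    import sys
    # Check a real file when a path is given, otherwise run on the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    print(json.dumps(check_sbom(data), indent=2))
```

Run it against the `cyclonedx.json` produced in step 2 to see which refs npm emitted more than once.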
