Include parent component (#5)

prabhu · web-flow · commit bfd92ef8109a · 2026-02-01T12:51:48.000+01:00
Signed-off-by: Prabhu Subramanian &lt;prabhu@appthreat.com&gt;
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@appthreat/caxa",
-  "version": "2.0.8",
+  "version": "2.0.9",
   "description": "Package Node.js applications into executable binaries",
   "author": "Team AppThreat <cloud@appthreat.com>",
   "homepage": "https://github.com/appthreat/caxa",
diff --git a/source/index.mts b/source/index.mts
@@ -187,6 +187,7 @@ export default async function caxa({
   input,
   output,
   command,
+  metadataFile = "binary-metadata.json",
   force = true,
   exclude = defaultExcludes,
   includeNode = true,
@@ -207,6 +208,7 @@ export default async function caxa({
   input: string;
   output: string;
   command: string[];
+  metadataFile: string;
   force?: boolean;
   exclude?: string[];
   filter?: fs.CopyFilterSync | fs.CopyFilterAsync;
@@ -240,16 +242,26 @@ export default async function caxa({
   interface Component {
     group: string;
     name: string;
+    description: string;
+    license: string;
     version: string;
     purl: string;
+    author: string;
     _rawDeps?: Record<string, string>;
   }
 
   interface DependencyGraphEntry {
     ref: string;
     dependsOn: string[];
   }
-
+  const parentName = path.basename(output).replace(path.extname(output), "");
+  const parentComponent = {
+    group: "",
+    name: parentName,
+    version: undefined,
+    purl: `pkg:generic/${parentName}`,
+    "bom-ref": `pkg:generic/${parentName}`,
+  };
   const components: Component[] = [];
   const purlLookup = new Map<string, string>();
   if (includeNode) {
@@ -274,14 +286,22 @@ export default async function caxa({
             purl += `${encodeURIComponent(namespace)}/`;
           }
           purl += `${name}@${pkg.version}`;
-
           purlLookup.set(pkg.name, purl);
-
+          const author = pkg.author;
+          const authorString =
+            author instanceof Object
+              ? `${author.name}${author.email ? ` <${author.email}>` : ""}${
+                  author.url ? ` (${author.url})` : ""
+                }`
+              : author;
           components.push({
             group: namespace,
             name: name,
+            description: pkg.description,
+            license: pkg.license,
             version: pkg.version,
             purl: purl,
+            author: authorString,
             _rawDeps: pkg.dependencies,
           });
         }
@@ -304,18 +324,17 @@ export default async function caxa({
       }
       delete comp._rawDeps;
     }
-
     if (childPurls.length > 0) {
       dependencies.push({
         ref: comp.purl,
         dependsOn: childPurls,
       });
     }
   }
-
   await fs.writeJson(
-    path.join(path.dirname(output), "binary-metadata.json"),
+    path.join(path.dirname(output), metadataFile),
     {
+      parentComponent,
       components,
       dependencies,
     },
@@ -510,6 +529,11 @@ if (url.fileURLToPath(import.meta.url) === (await fs.realpath(process.argv[1])))
       "-o, --output <output>",
       "Path where the executable will be produced.",
     )
+    .option(
+      "--metadata-file",
+      "Metadata file name for capturing npm components and dependencies in the bundled binary.",
+      "binary-metadata.json",
+    )
     .option("-F, --no-force", "Don’t overwrite output if it exists.")
     .option("-e, --exclude <path...>", "Paths to exclude from the build.")
     .option("-N, --no-include-node", "Don’t copy the Node.js executable.")
diff --git a/test/e2e.test.mjs b/test/e2e.test.mjs
@@ -99,6 +99,11 @@ test("caxa v2 e2e: globby exclude patterns and directories", async (t) => {
       fs.renameSync("binary-metadata.json", metadataPath);
     }
     const metadataObj = JSON.parse(fs.readFileSync(metadataPath));
+    assert.ok(metadataObj.parentComponent);
+    assert.equal(
+      metadataObj.parentComponent.purl,
+      "pkg:generic/test-output-excludes",
+    );
     assert.ok(metadataObj.components);
     assert.strictEqual(metadataObj.components[0].name, "node");
     assert.ok(metadataObj.components[0].version);

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@appthreat/caxa",`
`3`		`- "version": "2.0.8",`
	`3`	`+ "version": "2.0.9",`
`4`	`4`	`"description": "Package Node.js applications into executable binaries",`
`5`	`5`	`"author": "Team AppThreat <cloud@appthreat.com>",`
`6`	`6`	`"homepage": "https://github.com/appthreat/caxa",`