Can not run without package-lock.json

[SandZn]

Please try the package meow, which does not offer a package-lock.json file.

I got an Error after I globally installed @cyclonedx/cyclonedx-npm and ran cyclonedx-npm --omit dev --output-file newbom.json.

Error: missing package lock file or npm shrinkwrap file

[jkowalleck]

SBOM is about the components your software actually ships or bundles.
Without a lockfile or without installing, it is unclear which versions of unpinned(unlocked) dependencies are intended to be actually used. Unless NPM resolved your dependnecies it is unclear which versions were actually used.

I see your project being a library, rather than an ready-to-go application or a library with bundled dependencies. Your code has no real control over the actual components used on the end-user's side, right?
Then an SBOM might nor be a thing you would consider for your use case.

[SandZn]

Make sense.
Now I understand the lock file is necessary for your tool.
The missing lock file is not because I didn't run npm install, but because the lib's .npmrc has set package-lock : false by default.

[jkowalleck]

interesting point.

it is possible to gather all needed information without huge effort, if the lock file is missing but npm i ran previously.

if you need a feature/switch to generate an SBOM without the lockfile, but a present node_modules folder, feel free to open a request/issue for it.

[jkowalleck]

the described behavior was eventually changed:
The existence of a lock file is no longer enforced, as long as there are other evidence. (#247 via #248)