Diff two CycloneDX or SPDX SBOMs and produce human-readable change reports. Highlights added, removed, upgraded dependencies and new CVEs.
Compare two CycloneDX or SPDX SBOM files and instantly see what changed: added packages, removed packages, version upgrades, and newly introduced CVEs. Output as human-readable text, JSON, or Markdown — perfect for CI/CD gates and audit trails.
Install:

```bash
npm install @hailbytes/sbom-diff
# or use directly via npx
npx @hailbytes/sbom-diff old.json new.json
```

CLI usage:

```bash
# Compare two SBOMs and print a human-readable report
npx @hailbytes/sbom-diff old.json new.json

# Output as JSON
npx @hailbytes/sbom-diff old.json new.json --format json

# Output as Markdown (great for PR comments)
npx @hailbytes/sbom-diff old.json new.json --format markdown
```

Programmatic usage:

```js
import { diff } from '@hailbytes/sbom-diff';

const report = await diff('old.cdx.json', 'new.cdx.json');
console.log(report.added);    // Component[] — newly added packages
console.log(report.removed);  // Component[] — packages removed
console.log(report.upgraded); // { from: Component, to: Component }[]
console.log(report.newCVEs);  // CVE[] — vulnerabilities in new packages
```

Who it's for: security engineers, DevSecOps teams, and supply-chain risk analysts who need to track dependency changes between software releases, detect newly introduced CVEs, and produce auditable SBOM diff reports for compliance evidence.
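To make the report fields above concrete, here is an added example (not the @hailbytes/sbom-diff implementation) that derives `added`, `removed`, `upgraded` and `newCVEs` from two constructed CycloneDX-shaped documents, goes slightly further with `downgraded` and `fixedCVEs`, renders a Markdown summary of the kind a PR comment would carry, and applies a simple release gate. The `diffSboms`, `shouldBlockRelease` and `renderMarkdown` functions, the package names and the `CVE-EXAMPLE-*` ids are all invented for this illustration.

```javascript
// Added example, not the @hailbytes/sbom-diff code: a minimal CycloneDX-shaped diff
// producing the report fields the README describes, plus a Markdown renderer and a
// CI gate. Every input below is constructed; vulnerability ids are placeholders.

const oldSbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { name: 'fast-json-utils', version: '2.3.0', purl: 'pkg:npm/fast-json-utils@2.3.0' },
    { name: 'http-client', version: '1.0.4', purl: 'pkg:npm/http-client@1.0.4' },
    { name: 'legacy-xml', version: '0.9.1', purl: 'pkg:npm/legacy-xml@0.9.1' },
  ],
  vulnerabilities: [
    { id: 'CVE-EXAMPLE-0001', affects: [{ ref: 'pkg:npm/legacy-xml@0.9.1' }] },
  ],
};

const newSbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { name: 'fast-json-utils', version: '2.4.1', purl: 'pkg:npm/fast-json-utils@2.4.1' },
    { name: 'http-client', version: '1.0.4', purl: 'pkg:npm/http-client@1.0.4' },
    { name: 'image-thumbs', version: '3.1.0', purl: 'pkg:npm/image-thumbs@3.1.0' },
  ],
  vulnerabilities: [
    { id: 'CVE-EXAMPLE-0002', affects: [{ ref: 'pkg:npm/image-thumbs@3.1.0' }] },
  ],
};

// Identity of a component across both documents is group + name; the purl is not
// used as the key because it embeds the version, which is what we want to compare.
function componentKey(c) {
  return (c.group ? `${c.group}/` : '') + c.name;
}

function indexComponents(sbom) {
  const byKey = new Map();
  for (const c of sbom.components || []) byKey.set(componentKey(c), c);
  return byKey;
}

// Dotted numeric comparison; enough for the sample, pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function diffSboms(oldDoc, newDoc) {
  const oldIdx = indexComponents(oldDoc), newIdx = indexComponents(newDoc);
  const added = [], removed = [], upgraded = [], downgraded = [];

  for (const [key, comp] of newIdx) {
    const prev = oldIdx.get(key);
    if (!prev) {
      added.push(comp);
    } else if (prev.version !== comp.version) {
      const bucket = compareVersions(prev.version, comp.version) < 0 ? upgraded : downgraded;
      bucket.push({ from: prev, to: comp });
    }
  }
  for (const [key, comp] of oldIdx) if (!newIdx.has(key)) removed.push(comp);

  // A vulnerability is "new" when its id appears only in the new SBOM and
  // "fixed" when it appears only in the old one.
  const oldIds = new Set((oldDoc.vulnerabilities || []).map((v) => v.id));
  const newIds = new Set((newDoc.vulnerabilities || []).map((v) => v.id));
  const newCVEs = (newDoc.vulnerabilities || []).filter((v) => !oldIds.has(v.id));
  const fixedCVEs = (oldDoc.vulnerabilities || []).filter((v) => !newIds.has(v.id));

  return { added, removed, upgraded, downgraded, newCVEs, fixedCVEs };
}

// Release gate: block when the new build introduces vulnerabilities or downgrades.
function shouldBlockRelease(report) {
  return report.newCVEs.length > 0 || report.downgraded.length > 0;
}

function renderMarkdown(report) {
  const label = (c) => `${componentKey(c)}@${c.version}`;
  const change = (u) => `${label(u.from)} -> ${u.to.version}`;
  const list = (items) => items.join(', ') || 'none';
  return [
    '## SBOM diff',
    `- Added: ${list(report.added.map(label))}`,
    `- Removed: ${list(report.removed.map(label))}`,
    `- Upgraded: ${list(report.upgraded.map(change))}`,
    `- Downgraded: ${list(report.downgraded.map(change))}`,
    `- New CVEs: ${list(report.newCVEs.map((v) => v.id))}`,
    `- Fixed CVEs: ${list(report.fixedCVEs.map((v) => v.id))}`,
  ].join('\n');
}

const sampleReport = diffSboms(oldSbom, newSbom);
console.log(renderMarkdown(sampleReport));
console.log(shouldBlockRelease(sampleReport) ? 'BLOCK release' : 'PASS');
```

Keying on group + name rather than purl is the design point worth noting: it is what lets a version bump surface as an upgrade instead of as one removal plus one addition, and the same choice is needed for SPDX, where the stable identity is the package name (and supplier) rather than the versioned `SPDXID`.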
Related packages:

- `@hailbytes/caiq-lite` — CSA CAIQ-Lite schema and validator
- `@hailbytes/asm-scope-parser` — Attack surface scope parsing
- HailBytes

Part of the HailBytes open-source security toolkit.