diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json
index 28c2c66f3c..4da48aa97e 100644
--- a/sbom/cve-bin-tool-py3.9.json
+++ b/sbom/cve-bin-tool-py3.9.json
@@ -2,10 +2,10 @@
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
- "serialNumber": "urn:uuid:fdb15b49-58c7-4c62-a1cb-46d6cd2a889e",
+ "serialNumber": "urn:uuid:2278ff02-df95-4250-9c24-c3d5f85e23fa",
"version": 1,
"metadata": {
- "timestamp": "2025-05-19T00:44:32Z",
+ "timestamp": "2025-05-26T00:41:49Z",
"lifecycles": [
{
"phase": "build"
@@ -89,14 +89,8 @@
"type": "library",
"bom-ref": "2-aiohttp",
"name": "aiohttp",
- "version": "3.11.18",
+ "version": "3.12.0",
"description": "Async http client/server framework (asyncio)",
- "hashes": [
- {
- "alg": "SHA-256",
- "content": "96264854fedbea933a9ca4b7e0c745728f01380691687b7365d18d9e977179c4"
- }
- ],
"licenses": [
{
"license": {
@@ -113,7 +107,7 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/aiohttp/3.11.18/#files",
+ "url": "https://pypi.org/project/aiohttp/3.12.0/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -150,11 +144,11 @@
"type": "vcs"
}
],
- "purl": "pkg:pypi/aiohttp@3.11.18",
+ "purl": "pkg:pypi/aiohttp@3.12.0",
"properties": [
{
"name": "release_date",
- "value": "2025-04-21T09:40:25Z"
+ "value": "2024-09-17T18:57:44Z"
},
{
"name": "language",
@@ -547,7 +541,7 @@
"type": "library",
"bom-ref": "8-multidict",
"name": "multidict",
- "version": "6.4.3",
+ "version": "6.4.4",
"supplier": {
"name": "Andrew Svetlov",
"contact": [
@@ -556,12 +550,12 @@
}
]
},
- "cpe": "cpe:2.3:a:andrew_svetlov:multidict:6.4.3:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:andrew_svetlov:multidict:6.4.4:*:*:*:*:*:*:*",
"description": "multidict implementation",
"hashes": [
{
"alg": "SHA-256",
- "content": "32a998bd8a64ca48616eac5a8c1cc4fa38fb244a3facf2eeb14abe186e0f6cc5"
+ "content": "8adee3ac041145ffe4488ea73fa0a622b464cc25340d98be76924d0cda8545ff"
}
],
"licenses": [
@@ -580,7 +574,7 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/multidict/6.4.3/#files",
+ "url": "https://pypi.org/project/multidict/6.4.4/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -621,11 +615,11 @@
"type": "vcs"
}
],
- "purl": "pkg:pypi/multidict@6.4.3",
+ "purl": "pkg:pypi/multidict@6.4.4",
"properties": [
{
"name": "release_date",
- "value": "2025-04-10T22:17:32Z"
+ "value": "2025-05-19T14:13:49Z"
},
{
"name": "language",
@@ -3417,7 +3411,7 @@
"type": "library",
"bom-ref": "51-rpds-py",
"name": "rpds-py",
- "version": "0.25.0",
+ "version": "0.25.1",
"supplier": {
"name": "Julian Berman",
"contact": [
@@ -3426,12 +3420,12 @@
}
]
},
- "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.25.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:julian_berman:rpds-py:0.25.1:*:*:*:*:*:*:*",
"description": "Python bindings to Rust's persistent data structures (rpds)",
"hashes": [
{
"alg": "SHA-256",
- "content": "c146a24a8f0dc4a7846fb4640b88b3a68986585b8ce8397af15e66b7c5817439"
+ "content": "f4ad628b5174d5315761b67f212774a32f5bad5e61396d38108bd801c0a8f5d9"
}
],
"licenses": [
@@ -3450,7 +3444,7 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/rpds-py/0.25.0/#files",
+ "url": "https://pypi.org/project/rpds-py/0.25.1/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -3479,11 +3473,11 @@
"type": "other"
}
],
- "purl": "pkg:pypi/rpds-py@0.25.0",
+ "purl": "pkg:pypi/rpds-py@0.25.1",
"properties": [
{
"name": "release_date",
- "value": "2025-05-15T13:38:11Z"
+ "value": "2025-05-21T12:42:38Z"
},
{
"name": "language",
@@ -4191,7 +4185,7 @@
"type": "library",
"bom-ref": "63-plotly",
"name": "plotly",
- "version": "6.1.0",
+ "version": "6.1.1",
"supplier": {
"name": "Chris P",
"contact": [
@@ -4200,12 +4194,12 @@
}
]
},
- "cpe": "cpe:2.3:a:chris_p:plotly:6.1.0:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:chris_p:plotly:6.1.1:*:*:*:*:*:*:*",
"description": "An open-source interactive data visualization library for Python",
"hashes": [
{
"alg": "SHA-256",
- "content": "a29d3ed523c9d7960095693af1ee52689830df0f9c6bae3e5e92c20c4f5684c3"
+ "content": "9cca7167406ebf7ff541422738402159ec3621a608ff7b3e2f025573a1c76225"
}
],
"externalReferences": [
@@ -4215,7 +4209,7 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/plotly/6.1.0/#files",
+ "url": "https://pypi.org/project/plotly/6.1.1/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -4232,11 +4226,11 @@
"type": "log"
}
],
- "purl": "pkg:pypi/plotly@6.1.0",
+ "purl": "pkg:pypi/plotly@6.1.1",
"properties": [
{
"name": "release_date",
- "value": "2025-05-15T16:04:30Z"
+ "value": "2025-05-20T20:09:26Z"
},
{
"name": "language",
@@ -4256,21 +4250,21 @@
"type": "library",
"bom-ref": "64-narwhals",
"name": "narwhals",
- "version": "1.39.1",
+ "version": "1.40.0",
"supplier": {
"name": "Marco Gorelli",
"contact": [
{
- "email": "33491632+MarcoGorelli@users.noreply.github.com"
+ "email": "hello_narwhals@proton.me"
}
]
},
- "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.39.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:marco_gorelli:narwhals:1.40.0:*:*:*:*:*:*:*",
"description": "Extremely lightweight compatibility layer between dataframe libraries",
"hashes": [
{
"alg": "SHA-256",
- "content": "68d0f29c760f1a9419ada537f35f21ff202b0be1419e6d22135a0352c6d96deb"
+ "content": "1e6c731811d01c61147c52433b4d4edfb6511aaf2c859aa01c2e8ca6ff4d27e5"
}
],
"licenses": [
@@ -4289,7 +4283,7 @@
"comment": "Home page for project"
},
{
- "url": "https://pypi.org/project/narwhals/1.39.1/#files",
+ "url": "https://pypi.org/project/narwhals/1.40.0/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -4306,11 +4300,11 @@
"type": "issue-tracker"
}
],
- "purl": "pkg:pypi/narwhals@1.39.1",
+ "purl": "pkg:pypi/narwhals@1.40.0",
"properties": [
{
"name": "release_date",
- "value": "2025-05-15T17:45:07Z"
+ "value": "2025-05-19T07:44:10Z"
},
{
"name": "language",
@@ -4719,7 +4713,7 @@
"type": "library",
"bom-ref": "71-setuptools",
"name": "setuptools",
- "version": "80.7.1",
+ "version": "80.8.0",
"supplier": {
"name": "Python Packaging Authority",
"contact": [
@@ -4728,11 +4722,17 @@
}
]
},
- "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:80.7.1:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:python_packaging_authority:setuptools:80.8.0:*:*:*:*:*:*:*",
"description": "Easily download, build, install, upgrade, and uninstall Python packages",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "95a60484590d24103af13b686121328cc2736bee85de8936383111e421b9edc0"
+ }
+ ],
"externalReferences": [
{
- "url": "https://pypi.org/project/setuptools/80.7.1/#files",
+ "url": "https://pypi.org/project/setuptools/80.8.0/#files",
"type": "distribution",
"comment": "Download location for component"
},
@@ -4749,11 +4749,11 @@
"type": "log"
}
],
- "purl": "pkg:pypi/setuptools@80.7.1",
+ "purl": "pkg:pypi/setuptools@80.8.0",
"properties": [
{
"name": "release_date",
- "value": "2024-07-24T21:57:45Z"
+ "value": "2025-05-20T14:02:51Z"
},
{
"name": "language",
diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx
index fb6a2b7aee..fdd13e4f61 100644
--- a/sbom/cve-bin-tool-py3.9.spdx
+++ b/sbom/cve-bin-tool-py3.9.spdx
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-cve-bin-tool
-DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-7b168414-26b4-40dd-967f-70cf4f602412
+DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-6e9f347c-1d0c-4d20-9209-80d002408ecb
LicenseListVersion: 3.25
Creator: Tool: sbom4python-0.12.3
-Created: 2025-05-19T00:44:21Z
+Created: 2025-05-26T00:41:41Z
CreatorComment: SBOM Type: Build - This document has been automatically generated.
#####
@@ -29,18 +29,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:terri_oda:cve-bin-tool:3.4:*:*:*:*:*:*
PackageName: aiohttp
SPDXID: SPDXRef-2-aiohttp
-PackageVersion: 3.11.18
+PackageVersion: 3.12.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: NOASSERTION
-PackageDownloadLocation: https://pypi.org/project/aiohttp/3.11.18/#files
+PackageDownloadLocation: https://pypi.org/project/aiohttp/3.12.0/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/aio-libs/aiohttp
-PackageChecksum: SHA256: 96264854fedbea933a9ca4b7e0c745728f01380691687b7365d18d9e977179c4
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: Apache-2.0
PackageCopyrightText: NOASSERTION
PackageSummary: Async http client/server framework (asyncio)
-ReleaseDate: 2025-04-21T09:40:25Z
+ReleaseDate: 2024-09-17T18:57:44Z
ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
ExternalRef: OTHER build-system https://github.com/aio-libs/aiohttp/actions?query=workflow%3ACI
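Review bot: The regenerated aiohttp entry loses its `PackageChecksum`, and its `ReleaseDate` moves backwards to `2024-09-17T18:57:44Z` although the version rises from 3.11.18 to 3.12.0, so consumers of this SBOM can no longer verify the aiohttp artifact and the recorded date cannot be right for 3.12.0. The CycloneDX file shows the same gap in its `@@ -89,14 +89,8 @@` hunk (the `hashes` array is removed) and its `@@ -150,11 +144,11 @@` hunk (`release_date`). The setuptools 80.7.1 lines removed elsewhere in this commit had the same shape (no checksum, a 2024 date), which suggests, though nothing here confirms it, that the generator falls back silently when it cannot resolve metadata for a fresh release. I would regenerate once the metadata resolves, so that the entry carries `PackageChecksum: SHA256: <sha256 of the aiohttp 3.12.0 artifact>` and the matching date. The SBOM job should also fail when a component has no checksum instead of committing the gap.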
@@ -49,7 +48,7 @@ ExternalRef: OTHER log https://docs.aiohttp.org/en/stable/changes.html
ExternalRef: OTHER other https://docs.aiohttp.org
ExternalRef: OTHER issue-tracker https://github.com/aio-libs/aiohttp/issues
ExternalRef: OTHER vcs https://github.com/aio-libs/aiohttp
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.11.18
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/aiohttp@3.12.0
#####
PackageName: aiohappyeyeballs
@@ -171,19 +170,19 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:hynek_schlawack:attrs:25.3.0:*:*:*:*:*
PackageName: multidict
SPDXID: SPDXRef-8-multidict
-PackageVersion: 6.4.3
+PackageVersion: 6.4.4
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Andrew Svetlov (andrew.svetlov@gmail.com)
-PackageDownloadLocation: https://pypi.org/project/multidict/6.4.3/#files
+PackageDownloadLocation: https://pypi.org/project/multidict/6.4.4/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/aio-libs/multidict
-PackageChecksum: SHA256: 32a998bd8a64ca48616eac5a8c1cc4fa38fb244a3facf2eeb14abe186e0f6cc5
+PackageChecksum: SHA256: 8adee3ac041145ffe4488ea73fa0a622b464cc25340d98be76924d0cda8545ff
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseComments: multidict declares Apache 2 which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: multidict implementation
-ReleaseDate: 2025-04-10T22:17:32Z
+ReleaseDate: 2025-05-19T14:13:49Z
ExternalRef: OTHER other https://matrix.to/#/#aio-libs:matrix.org
ExternalRef: OTHER other https://matrix.to/#/#aio-libs-space:matrix.org
ExternalRef: OTHER build-system https://github.com/aio-libs/multidict/actions
@@ -193,8 +192,8 @@ ExternalRef: OTHER log https://multidict.aio-libs.org/en/latest/changes/
ExternalRef: OTHER other https://multidict.aio-libs.org
ExternalRef: OTHER issue-tracker https://github.com/aio-libs/multidict/issues
ExternalRef: OTHER vcs https://github.com/aio-libs/multidict
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/multidict@6.4.3
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.4.3:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/multidict@6.4.4
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:multidict:6.4.4:*:*:*:*:*:*:*
#####
PackageName: typing-extensions
@@ -1082,26 +1081,26 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:referencing:0.36.2:*:*:*
PackageName: rpds-py
SPDXID: SPDXRef-51-rpds-py
-PackageVersion: 0.25.0
+PackageVersion: 0.25.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Julian Berman (Julian+rpds@GrayVines.com)
-PackageDownloadLocation: https://pypi.org/project/rpds-py/0.25.0/#files
+PackageDownloadLocation: https://pypi.org/project/rpds-py/0.25.1/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/crate-py/rpds
-PackageChecksum: SHA256: c146a24a8f0dc4a7846fb4640b88b3a68986585b8ce8397af15e66b7c5817439
+PackageChecksum: SHA256: f4ad628b5174d5315761b67f212774a32f5bad5e61396d38108bd801c0a8f5d9
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION
PackageSummary: Python bindings to Rust's persistent data structures (rpds)
-ReleaseDate: 2025-05-15T13:38:11Z
+ReleaseDate: 2025-05-21T12:42:38Z
ExternalRef: OTHER documentation https://rpds.readthedocs.io/
ExternalRef: OTHER issue-tracker https://github.com/crate-py/rpds/issues/
ExternalRef: OTHER other https://github.com/sponsors/Julian
ExternalRef: OTHER other https://tidelift.com/subscription/pkg/pypi-rpds-py?utm_source=pypi-rpds-py&utm_medium=referral&utm_campaign=pypi-link
ExternalRef: OTHER vcs https://github.com/crate-py/rpds
ExternalRef: OTHER other https://github.com/orium/rpds
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.25.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.25.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/rpds-py@0.25.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.25.1:*:*:*:*:*:*:*
#####
PackageName: lib4sbom
@@ -1320,13 +1319,13 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft:packaging:25.0:*:*:*:*:*
PackageName: plotly
SPDXID: SPDXRef-63-plotly
-PackageVersion: 6.1.0
+PackageVersion: 6.1.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/6.1.0/#files
+PackageDownloadLocation: https://pypi.org/project/plotly/6.1.1/#files
FilesAnalyzed: false
PackageHomePage: https://plotly.com/python/
-PackageChecksum: SHA256: a29d3ed523c9d7960095693af1ee52689830df0f9c6bae3e5e92c20c4f5684c3
+PackageChecksum: SHA256: 9cca7167406ebf7ff541422738402159ec3621a608ff7b3e2f025573a1c76225
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseComments: plotly declares MIT License
@@ -1353,34 +1352,34 @@ THE SOFTWARE.
which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: An open-source interactive data visualization library for Python
-ReleaseDate: 2025-05-15T16:04:30Z
+ReleaseDate: 2025-05-20T20:09:26Z
ExternalRef: OTHER documentation https://plotly.com/python/
ExternalRef: OTHER vcs https://github.com/plotly/plotly.py
ExternalRef: OTHER log https://github.com/plotly/plotly.py/blob/main/CHANGELOG.md
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@6.1.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.1.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@6.1.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:6.1.1:*:*:*:*:*:*:*
#####
PackageName: narwhals
SPDXID: SPDXRef-64-narwhals
-PackageVersion: 1.39.1
+PackageVersion: 1.40.0
PrimaryPackagePurpose: LIBRARY
-PackageSupplier: Person: Marco Gorelli (33491632+MarcoGorelli@users.noreply.github.com)
-PackageDownloadLocation: https://pypi.org/project/narwhals/1.39.1/#files
+PackageSupplier: Person: Marco Gorelli (hello_narwhals@proton.me)
+PackageDownloadLocation: https://pypi.org/project/narwhals/1.40.0/#files
FilesAnalyzed: false
PackageHomePage: https://github.com/narwhals-dev/narwhals
-PackageChecksum: SHA256: 68d0f29c760f1a9419ada537f35f21ff202b0be1419e6d22135a0352c6d96deb
+PackageChecksum: SHA256: 1e6c731811d01c61147c52433b4d4edfb6511aaf2c859aa01c2e8ca6ff4d27e5
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseComments: narwhals declares MIT License which is not currently a valid SPDX License identifier or expression.
PackageCopyrightText: NOASSERTION
PackageSummary: Extremely lightweight compatibility layer between dataframe libraries
-ReleaseDate: 2025-05-15T17:45:07Z
+ReleaseDate: 2025-05-19T07:44:10Z
ExternalRef: OTHER documentation https://narwhals-dev.github.io/narwhals/
ExternalRef: OTHER vcs https://github.com/narwhals-dev/narwhals
ExternalRef: OTHER issue-tracker https://github.com/narwhals-dev/narwhals/issues
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.39.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.39.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/narwhals@1.40.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:marco_gorelli:narwhals:1.40.0:*:*:*:*:*:*:*
#####
PackageName: python-gnupg
@@ -1506,21 +1505,22 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:sean_ross:rpmfile:2.1.0:*:*:*:*:*:*:*
PackageName: setuptools
SPDXID: SPDXRef-71-setuptools
-PackageVersion: 80.7.1
+PackageVersion: 80.8.0
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Organization: Python Packaging Authority (distutils-sig@python.org)
-PackageDownloadLocation: https://pypi.org/project/setuptools/80.7.1/#files
+PackageDownloadLocation: https://pypi.org/project/setuptools/80.8.0/#files
FilesAnalyzed: false
+PackageChecksum: SHA256: 95a60484590d24103af13b686121328cc2736bee85de8936383111e421b9edc0
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: Easily download, build, install, upgrade, and uninstall Python packages
-ReleaseDate: 2024-07-24T21:57:45Z
+ReleaseDate: 2025-05-20T14:02:51Z
ExternalRef: OTHER vcs https://github.com/pypa/setuptools
ExternalRef: OTHER documentation https://setuptools.pypa.io/
ExternalRef: OTHER log https://setuptools.pypa.io/en/stable/history.html
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/setuptools@80.7.1
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:80.7.1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/setuptools@80.8.0
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:python_packaging_authority:setuptools:80.8.0:*:*:*:*:*:*:*
#####
PackageName: toml