From ec0636df6687244ca1537bb976f83279d1915497 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 16 Jun 2026 03:04:42 +0000
Subject: [PATCH] docs: fix broken programmatic example in README

The README's programmatic snippet did not match the actual public API:
- diff() is synchronous and takes two parsed SBOM objects, not file paths, and is not async (the example used await diff('old.json', ...)).
- report.upgraded is VersionChange[] ({ component, from, to, isMajorBump }), not { from: Component, to: Component }[].
- newCVEs is CVEEntry[], not CVE[].
Copying the old snippet produced code that would not compile or run. Update it to parse() files first, drop the await, correct the result types, and show renderReport() for ready-made output.
---
 README.md | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 837611a..6fe9bef 100644
--- a/README.md
+++ b/README.md
@@ -44,14 +44,23 @@ npx @hailbytes/sbom-diff old.json new.json --format markdown
 ### Programmatic
 ```ts
-import { diff } from '@hailbytes/sbom-diff';
+import { readFile } from 'node:fs/promises';
+import { parse, diff, renderReport } from '@hailbytes/sbom-diff';
-const report = await diff('old.cdx.json', 'new.cdx.json');
+// parse() accepts a JSON string (or already-parsed object) and auto-detects
+// the CycloneDX/SPDX format. diff() compares two parsed SBOMs synchronously.
+const oldSBOM = parse(await readFile('old.cdx.json', 'utf-8'));
+const newSBOM = parse(await readFile('new.cdx.json', 'utf-8'));
-console.log(report.added); // Component[] — newly added packages
-console.log(report.removed); // Component[] — packages removed
-console.log(report.upgraded); // { from: Component, to: Component }[]
-console.log(report.newCVEs); // CVE[] — vulnerabilities in new packages
+const report = diff(oldSBOM, newSBOM);
+
+console.log(report.added); // Component[] — newly added packages
+console.log(report.removed); // Component[] — packages removed
+console.log(report.upgraded); // VersionChange[] — { component, from, to, isMajorBump }
+console.log(report.newCVEs); // CVEEntry[] — vulnerabilities new in the latest SBOM
+
+// Or render a ready-made report in text, JSON, or markdown:
+console.log(renderReport(report, 'markdown'));
 ```
 ---