Summary

CONTRIBUTING.md currently turns away the very contributions this project is soliciting. It states the package is "in incubation", "not yet open for external contributions", and asks readers to "check back after the package is published to npm."

All three claims are inaccurate:

• It is published. @hailbytes/sbom-diff resolves on the npm registry with 1.0.1 as the latest dist-tag (the README badges advertise the same).
• It is actively accepting contributions. Recent merged PRs (fix(cli): correct --format parsing so the default invocation works #13, fix(parser): report highest CVE severity across all CycloneDX ratings #16, docs: fix broken programmatic example in README #17) plus a large set of open PRs/issues show contributions are flowing in continuously.
• It is past "incubation." A 1.x release line is live.

The result is a contributor guide whose only message is "go away, come back later" — a direct conversion-killer for an open-source security tool that, per the README, is "Part of the HailBytes open-source security toolkit."

Change

Replace the stale notice with an accurate, useful contributor guide:

• How to report bugs / propose features
• Dev setup (clone + npm install, Node >=18 per engines)
• A table of the real npm scripts (test, test:watch, test:coverage, lint, typecheck, build, cli)
• The exact checks CI runs on PRs to main (lint + test + build)
• Conventional Commits guidance matching the existing history (e.g. fix(cli): ..., feat(diff): ..., docs: ...)
• Standard PR guidelines and the MIT license note

Why this is high-leverage and low-risk

• Fixes a concrete, verifiable defect (factually wrong, self-contradicting docs) rather than adding speculative content.
• Conflict-free with everything in flight — all open PRs/issues touch src/ or the release workflows; this only touches CONTRIBUTING.md.
• Docs-only, no behavior change.

🤖 Generated with Claude Code

Generated by Claude Code