From 5f9a81035bc550c70b2243707c910a1eec47804d Mon Sep 17 00:00:00 2001 From: Marcel Menk Date: Fri, 3 Apr 2026 10:27:13 +0200 Subject: [PATCH] fix: sbom generation path mismatch --- tools/sbom/executors/sbom/impl.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/sbom/executors/sbom/impl.ts b/tools/sbom/executors/sbom/impl.ts index 3638ec2a..ce5d2f27 100644 --- a/tools/sbom/executors/sbom/impl.ts +++ b/tools/sbom/executors/sbom/impl.ts @@ -132,8 +132,14 @@ export default async function sbomExecutor( } const cyclonedxCli = resolveCyclonedxNpmCliPath(workspaceRoot); + // CycloneDX's NpmRunner uses npm_execpath to run `node -- …/npm-cli.js`. That path can fail on some + // CI images while plain `npm` on PATH works. Unset npm_execpath so the tool falls back to `npm …`. + const cyclonedxEnv = { ...process.env }; + delete cyclonedxEnv.npm_execpath; + const npmResult = spawnSync(process.execPath, [cyclonedxCli, ...cyclonedxNpmArgs], { cwd: workDir, + env: cyclonedxEnv, stdio: 'inherit', maxBuffer: 10 * 1024 * 1024, });