kolm  /  security  /  SBOM

Software bill of materials.

Every direct dependency in the CLI, the API server, the verifier, and the SDKs. We publish the full tree in CycloneDX 1.5 format and rebuild it on every release. If a package on this list has a CVE, the bot opens a PR within 24 hours.

Format CycloneDX 1.5Refreshed weeklyLast build 2026-05-15Total deps 87

CLI (kolm npm package)

34 direct runtime deps. The verifier path uses only the node standard library; no third-party crypto.

PackageVersionLicense
commander12.1.0MIT
chalk5.3.0MIT
ora8.0.1MIT
yauzl3.1.3MIT
tar-stream3.1.7MIT
node-fetch3.3.2MIT
js-yaml4.1.0MIT
open10.1.0MIT
+ 26 more (download full list below)

API server (railway)

23 direct runtime deps. Stripe SDK on a separate trust boundary.

PackageVersionLicense
express4.21.1MIT
better-sqlite311.3.0MIT
stripe17.4.0MIT
jsonwebtoken9.0.2MIT
bcrypt5.1.1MIT
cors2.8.5MIT
helmet8.0.0MIT
+ 16 more

Trainer (Python)

30 direct deps. Pinned to a known-good index hash. Reinstall is reproducible from the receipt.

PackageVersionLicense
torch2.5.1BSD-3-Clause
transformers4.46.3Apache-2.0
peft0.13.2Apache-2.0
trl0.12.1Apache-2.0
datasets3.1.0Apache-2.0
accelerate1.1.1Apache-2.0
bitsandbytes0.44.1MIT
vllm0.6.3Apache-2.0
+ 22 more

Get the full SBOM

The JSON file below is generated by Syft on every release and signed with the same key as the CLI binaries.

$ curl https://kolm.ai/sbom/kolm-cli-0.1.0.cdx.json
$ curl https://kolm.ai/sbom/kolm-server-0.1.0.cdx.json
$ curl https://kolm.ai/sbom/kolm-trainer-0.1.0.cdx.json

# verify the signature
$ cosign verify-blob \
    --certificate kolm-cli-0.1.0.cdx.json.crt \
    --signature   kolm-cli-0.1.0.cdx.json.sig \
    kolm-cli-0.1.0.cdx.json

Vulnerability monitoring is wired to /security. New CVEs against any package in this tree open a high-priority issue and a PR within 24 hours of disclosure.