This benchmark uses workers-sdk, Cloudflare's monorepo containing Wrangler (the CLI for Cloudflare Workers), Miniflare, and related tooling. It's a large-scale TypeScript/JavaScript project with complex dependency management.
Version: wrangler@3.99.0
Tools from the sbomify resource list, specifically:
- Trivy
- Syft
- sbomify github-action
The benchmark workflow:
- Clones the workers-sdk repository at the specified tag
- Runs each SBOM generator against the project's pnpm-lock.yaml and source tree
- Scores each generated SBOM using sbomqs
- Produces a comparison table in the workflow summary
The full process is automated and you can see the exact commands in javascript.yml.
If you look at the JavaScript CI/CD run, you can see the quality score of the SBOMs (from sbomqs) as well as download the actual SBOMs as artifacts.
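The sbomqs score tells you how well-formed each SBOM is, but not whether the generators agreed on what is actually in the tree. The check below is an added example, not part of this benchmark or of the workers-sdk project: it loads two CycloneDX JSON SBOMs (constructed stand-ins for the Trivy and Syft artifacts; apart from wrangler@3.99.0 the package names and versions are placeholders), keys every component by name@version so that generator-specific purl qualifiers do not cause false mismatches, reports purl coverage per generator, and lists the components one generator found and the other missed. Run it against the downloaded artifacts to see which tool parsed the pnpm lockfile more completely.

```python
"""Cross-check CycloneDX SBOMs that different generators produced for one tree."""
import json
from typing import Dict, List, Set

# Constructed stand-ins for the Trivy and Syft artifacts the workflow uploads.
# Except for wrangler@3.99.0 (the benchmark's pinned version) the package names
# and versions are placeholders, not the real workers-sdk dependency set.
TRIVY_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "workers-sdk"}},
    "components": [
        {"type": "library", "name": "wrangler", "version": "3.99.0",
         "purl": "pkg:npm/wrangler@3.99.0"},
        {"type": "library", "name": "dep-a", "version": "1.2.3",
         "purl": "pkg:npm/dep-a@1.2.3"},
        {"type": "library", "name": "dep-b", "version": "4.5.6",
         "purl": "pkg:npm/dep-b@4.5.6"},
        # Emitted without a purl: scanners cannot match it against vuln databases.
        {"type": "library", "name": "dep-c", "version": "0.1.0"},
    ],
})
SYFT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "workers-sdk"}},
    "components": [
        {"type": "library", "name": "wrangler", "version": "3.99.0",
         "purl": "pkg:npm/wrangler@3.99.0"},
        {"type": "library", "name": "dep-a", "version": "1.2.3",
         "purl": "pkg:npm/dep-a@1.2.3"},
        {"type": "library", "name": "dep-c", "version": "0.1.0",
         "purl": "pkg:npm/dep-c@0.1.0"},
        {"type": "library", "name": "dep-d", "version": "7.8.9",
         "purl": "pkg:npm/dep-d@7.8.9"},
    ],
})


def component_keys(sbom_json: str) -> Dict[str, bool]:
    """Return {"name@version": has_purl} for every component in a CycloneDX SBOM.

    Nested components (CycloneDX allows a component to carry its own
    'components' list) are flattened so counts are comparable across tools.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    keys: Dict[str, bool] = {}

    def walk(components: List[dict]) -> None:
        for comp in components:
            key = f"{comp.get('name', '?')}@{comp.get('version', '')}"
            keys[key] = comp.get("purl") is not None
            walk(comp.get("components", []))

    walk(doc.get("components", []))
    return keys


def compare(sboms: Dict[str, str]) -> dict:
    """Per-generator counts, purl coverage, and the components each one missed."""
    per_gen = {gen: component_keys(doc) for gen, doc in sboms.items()}
    key_sets = {gen: set(keys) for gen, keys in per_gen.items()}
    union: Set[str] = set().union(*key_sets.values())
    common = set.intersection(*key_sets.values())
    generators = {}
    for gen, keys in per_gen.items():
        others = set().union(*(s for g, s in key_sets.items() if g != gen))
        generators[gen] = {
            "components": len(keys),
            "with_purl": sum(1 for has_purl in keys.values() if has_purl),
            # Found by at least one other generator but absent here.
            "missed": sorted(union - key_sets[gen]),
            # Reported only by this generator: worth a manual look either way.
            "unique": sorted(key_sets[gen] - others),
        }
    return {"generators": generators, "union": len(union), "common": len(common)}


def markdown_table(report: dict) -> str:
    """Render the comparison the way a workflow summary would show it."""
    lines = [
        "| Generator | Components | With purl | Missed vs. union | Unique |",
        "|---|---|---|---|---|",
    ]
    for gen, r in sorted(report["generators"].items()):
        lines.append(
            f"| {gen} | {r['components']} | {r['with_purl']} | "
            f"{len(r['missed'])} | {len(r['unique'])} |"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    result = compare({"trivy": TRIVY_SBOM, "syft": SYFT_SBOM})
    print(markdown_table(result))
    for gen, r in result["generators"].items():
        print(f"{gen} missed: {r['missed']}")
```

Keying on name@version rather than purl is deliberate: two tools can emit different purl qualifiers for the same package, and a component with no purl at all would otherwise never match anything. A low "with purl" count is itself a finding, since it is exactly what stops a downstream scanner from correlating the SBOM with vulnerability data.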
workers-sdk was chosen as a benchmark target because:
- Monorepo structure: Multiple packages (Wrangler, Miniflare, C3) in a pnpm workspace
- Production TypeScript: Powers Cloudflare's developer tooling used by millions
- Complex dependencies: Hundreds of npm packages across multiple workspaces
- pnpm lockfile: Tests SBOM generators' support for modern package managers
- Widely used: 106k+ dependent repositories on GitHub