From fef5e1f7db20970e7840ef3a83545f1243accb2c Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Wed, 15 Oct 2025 10:38:03 +0200
Subject: [PATCH 01/19] feat: support Python 3.14

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 .github/workflows/python.yml | 5 +++--
 pyproject.toml               | 1 +
 tox.ini                      | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 30afdb36..5acafb97 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -122,7 +122,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - python-version: '3.13'  # latest
+          - python-version: '3.14'  # latest
             os: ubuntu-latest
             toxenv-factors: '-current'
           - python-version: '3.9'   # lowest
@@ -210,7 +210,8 @@ jobs:
           - macos-latest
           - windows-latest
         python-version:
-          - "3.13" # highest supported
+          - "3.14" # highest supported
+          - "3.13"
           - "3.12"
           - "3.11"
           - "3.10"
diff --git a/pyproject.toml b/pyproject.toml
index a0865510..33402053 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -57,6 +57,7 @@ classifiers = [
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
   "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
   "Typing :: Typed"
 ]
 [tool.poetry.urls]
diff --git a/tox.ini b/tox.ini
index 8aa57da7..fffcf065 100644
--- a/tox.ini
+++ b/tox.ini
@@ -8,7 +8,7 @@ minversion = 4.0
 envlist =
     flake8
     mypy-{current,lowest}
-    py{313,312,311,310,39}
+    py{314,313,312,311,310,39}
     bandit
     deptry
 skip_missing_interpreters = True

From 72c532dd90a0cf147919b20f100d7e56dd32c980 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Wed, 15 Oct 2025 15:52:14 +0200
Subject: [PATCH 02/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 .github/workflows/docker.yml | 2 +-
 .github/workflows/python.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 233a874c..5328f3c3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -32,7 +32,7 @@ concurrency:
 
 env:
   REPORTS_DIR: CI_reports
-  PYTHON_VERSION: "3.12"
+  PYTHON_VERSION: "3.14"
   POETRY_VERSION: "1.8.1"
 
 permissions: {}
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 5acafb97..3c068169 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -36,7 +36,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION_DEFAULT: "3.12"
+  PYTHON_VERSION_DEFAULT: "3.14"
   POETRY_VERSION: "1.8.1"
   REPORTS_DIR: CI_reports
   TESTS_REPORTS_ARTIFACT: tests-reports

From a7042140605b906ecf47114fb85ba141eca14ebd Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Wed, 15 Oct 2025 17:04:28 +0200
Subject: [PATCH 03/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 .../environment/with-license-pep639/init.py   |  1 -
 .../with-license-pep639/pinning.txt           |  1 -
 .../plain_with-license-pep639_1.0.xml.bin     |  7 ---
 .../plain_with-license-pep639_1.1.xml.bin     | 24 --------
 .../plain_with-license-pep639_1.2.json.bin    | 36 -----------
 .../plain_with-license-pep639_1.2.xml.bin     | 26 --------
 .../plain_with-license-pep639_1.3.json.bin    | 36 -----------
 .../plain_with-license-pep639_1.3.xml.bin     | 26 --------
 .../plain_with-license-pep639_1.4.json.bin    | 36 -----------
 .../plain_with-license-pep639_1.4.xml.bin     | 26 --------
 .../plain_with-license-pep639_1.5.json.bin    | 36 -----------
 .../plain_with-license-pep639_1.5.xml.bin     | 26 --------
 .../plain_with-license-pep639_1.6.json.bin    | 38 ------------
 .../plain_with-license-pep639_1.6.xml.bin     | 26 --------
 .../texts_with-license-pep639_1.0.xml.bin     |  7 ---
 .../texts_with-license-pep639_1.1.xml.bin     | 32 ----------
 .../texts_with-license-pep639_1.2.json.bin    | 56 -----------------
 .../texts_with-license-pep639_1.2.xml.bin     | 34 -----------
 .../texts_with-license-pep639_1.3.json.bin    | 56 -----------------
 .../texts_with-license-pep639_1.3.xml.bin     | 34 -----------
 .../texts_with-license-pep639_1.4.json.bin    | 56 -----------------
 .../texts_with-license-pep639_1.4.xml.bin     | 34 -----------
 .../texts_with-license-pep639_1.5.json.bin    | 56 -----------------
 .../texts_with-license-pep639_1.5.xml.bin     | 34 -----------
 .../texts_with-license-pep639_1.6.json.bin    | 60 -------------------
 .../texts_with-license-pep639_1.6.xml.bin     | 34 -----------
 26 files changed, 838 deletions(-)

diff --git a/tests/_data/infiles/environment/with-license-pep639/init.py b/tests/_data/infiles/environment/with-license-pep639/init.py
index 21d9bb7c..e7d92a40 100644
--- a/tests/_data/infiles/environment/with-license-pep639/init.py
+++ b/tests/_data/infiles/environment/with-license-pep639/init.py
@@ -70,7 +70,6 @@ def main() -> None:
         'boolean.py',
         'jsonpointer',
         'license_expression',
-        'lxml',
         'chardet==5.2.0',  # https://github.com/CycloneDX/cyclonedx-python/issues/931
         # with expression-like License AND License-File
         'cryptography==43.0.1',  # https://github.com/CycloneDX/cyclonedx-python/issues/826
diff --git a/tests/_data/infiles/environment/with-license-pep639/pinning.txt b/tests/_data/infiles/environment/with-license-pep639/pinning.txt
index 3f1bc7c7..d5080bb5 100644
--- a/tests/_data/infiles/environment/with-license-pep639/pinning.txt
+++ b/tests/_data/infiles/environment/with-license-pep639/pinning.txt
@@ -4,4 +4,3 @@ chardet==5.2.0
 cryptography==43.0.1
 jsonpointer==2.4
 license-expression==30.3.0
-lxml==5.3.0
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.0.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.0.xml.bin
index b4827579..a37fe35a 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.0.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.0.xml.bin
@@ -43,13 +43,6 @@
       <purl>pkg:pypi/license-expression@30.3.0</purl>
       <modified>false</modified>
     </component>
-    <component type="library">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <modified>false</modified>
-    </component>
     <component type="library">
       <name>regression-issue868</name>
       <version>0.1</version>
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.1.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.1.xml.bin
index 4aed6cd2..82ee698f 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.1.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.1.xml.bin
@@ -145,30 +145,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.json.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.json.bin
index 8016f9a1..ea1303bd 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.json.bin
@@ -185,38 +185,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -253,9 +221,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -266,7 +231,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.xml.bin
index 669c6b16..28399ce4 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.2.xml.bin
@@ -167,30 +167,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -211,7 +187,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -219,7 +194,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.json.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.json.bin
index 23f749f3..4b39b11c 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.json.bin
@@ -199,38 +199,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -267,9 +235,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -280,7 +245,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.xml.bin
index 926df2fd..898285c3 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.3.xml.bin
@@ -180,30 +180,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -224,7 +200,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -232,7 +207,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.json.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.json.bin
index 9c8b753d..2b2b6099 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.json.bin
@@ -199,38 +199,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -267,9 +235,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -280,7 +245,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.xml.bin
index 827c66a3..e4228a9c 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.4.xml.bin
@@ -207,30 +207,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -251,7 +227,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -259,7 +234,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.json.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.json.bin
index 88350545..69bce299 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.json.bin
@@ -199,38 +199,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -267,9 +235,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -280,7 +245,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.xml.bin
index af611cc3..f12e3caa 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.5.xml.bin
@@ -217,30 +217,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -261,7 +237,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -269,7 +244,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.json.bin
index 5915e528..f14f142c 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.json.bin
@@ -207,40 +207,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -277,9 +243,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -290,7 +253,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.xml.bin
index e226c35a..845951d0 100644
--- a/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-license-pep639_1.6.xml.bin
@@ -217,30 +217,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license acknowledgement="declared">
-          <id>BSD-3-Clause</id>
-        </license>
-        <license acknowledgement="declared">
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -261,7 +237,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -269,7 +244,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.0.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.0.xml.bin
index b4827579..a37fe35a 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.0.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.0.xml.bin
@@ -43,13 +43,6 @@
       <purl>pkg:pypi/license-expression@30.3.0</purl>
       <modified>false</modified>
     </component>
-    <component type="library">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <modified>false</modified>
-    </component>
     <component type="library">
       <name>regression-issue868</name>
       <version>0.1</version>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.1.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.1.xml.bin
index f03e0ae2..ec7ba2dd 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.1.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.1.xml.bin
@@ -197,38 +197,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-        <license>
-          <name>declared license file: LICENSE.txt</name>
-          <text content-type="text/plain" encoding="base64">Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K</text>
-        </license>
-        <license>
-          <name>declared license file: LICENSES.txt</name>
-          <text content-type="text/plain" encoding="base64">bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=</text>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.json.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.json.bin
index 8d15fdfb..f7ef3be3 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.json.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.json.bin
@@ -313,58 +313,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSE.txt",
-            "text": {
-              "content": "Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSES.txt",
-            "text": {
-              "content": "bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -401,9 +349,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -414,7 +359,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.xml.bin
index 749b02e2..092fcf47 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.2.xml.bin
@@ -219,38 +219,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-        <license>
-          <name>declared license file: LICENSE.txt</name>
-          <text content-type="text/plain" encoding="base64">Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K</text>
-        </license>
-        <license>
-          <name>declared license file: LICENSES.txt</name>
-          <text content-type="text/plain" encoding="base64">bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=</text>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -271,7 +239,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -279,7 +246,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.json.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.json.bin
index 40d20b53..d8000a7c 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.json.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.json.bin
@@ -327,58 +327,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSE.txt",
-            "text": {
-              "content": "Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSES.txt",
-            "text": {
-              "content": "bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -415,9 +363,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -428,7 +373,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.xml.bin
index 7d7d7d45..69946060 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.3.xml.bin
@@ -268,38 +268,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-        <license>
-          <name>declared license file: LICENSE.txt</name>
-          <text content-type="text/plain" encoding="base64">Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K</text>
-        </license>
-        <license>
-          <name>declared license file: LICENSES.txt</name>
-          <text content-type="text/plain" encoding="base64">bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=</text>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -320,7 +288,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -328,7 +295,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.json.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.json.bin
index 160d0cff..5a104541 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.json.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.json.bin
@@ -327,58 +327,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSE.txt",
-            "text": {
-              "content": "Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSES.txt",
-            "text": {
-              "content": "bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -415,9 +363,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -428,7 +373,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.xml.bin
index 83297b43..b8055cc1 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.4.xml.bin
@@ -295,38 +295,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-        <license>
-          <name>declared license file: LICENSE.txt</name>
-          <text content-type="text/plain" encoding="base64">Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K</text>
-        </license>
-        <license>
-          <name>declared license file: LICENSES.txt</name>
-          <text content-type="text/plain" encoding="base64">bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=</text>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -347,7 +315,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -355,7 +322,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.json.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.json.bin
index 7d1edfbe..0cc5b219 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.json.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.json.bin
@@ -327,58 +327,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSE.txt",
-            "text": {
-              "content": "Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        },
-        {
-          "license": {
-            "name": "declared license file: LICENSES.txt",
-            "text": {
-              "content": "bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -415,9 +363,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -428,7 +373,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.xml.bin
index ceb9e6c2..11ad3ee6 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.5.xml.bin
@@ -305,38 +305,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license>
-          <id>BSD-3-Clause</id>
-        </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-        <license>
-          <name>declared license file: LICENSE.txt</name>
-          <text content-type="text/plain" encoding="base64">Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K</text>
-        </license>
-        <license>
-          <name>declared license file: LICENSES.txt</name>
-          <text content-type="text/plain" encoding="base64">bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=</text>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -357,7 +325,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -365,7 +332,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.json.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.json.bin
index 34bb4681..08effcf4 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.json.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.json.bin
@@ -348,62 +348,6 @@
       "type": "library",
       "version": "30.3.0"
     },
-    {
-      "bom-ref": "lxml==5.3.0",
-      "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
-      "externalReferences": [
-        {
-          "comment": "from packaging metadata Project-URL: Source",
-          "type": "other",
-          "url": "https://github.com/lxml/lxml"
-        },
-        {
-          "comment": "from packaging metadata: Home-page",
-          "type": "website",
-          "url": "https://lxml.de/"
-        }
-      ],
-      "licenses": [
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "id": "BSD-3-Clause"
-          }
-        },
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "name": "License :: OSI Approved :: BSD License"
-          }
-        },
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "name": "declared license file: LICENSE.txt",
-            "text": {
-              "content": "Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        },
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "name": "declared license file: LICENSES.txt",
-            "text": {
-              "content": "bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=",
-              "contentType": "text/plain",
-              "encoding": "base64"
-            }
-          }
-        }
-      ],
-      "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
-      "type": "library",
-      "version": "5.3.0"
-    },
     {
       "bom-ref": "regression-issue868==0.1",
       "externalReferences": [
@@ -440,9 +384,6 @@
       ],
       "ref": "license-expression==30.3.0"
     },
-    {
-      "ref": "lxml==5.3.0"
-    },
     {
       "ref": "regression-issue868==0.1"
     },
@@ -453,7 +394,6 @@
         "cryptography==43.0.1",
         "jsonpointer==2.4",
         "license-expression==30.3.0",
-        "lxml==5.3.0",
         "regression-issue868==0.1"
       ],
       "ref": "root-component"
diff --git a/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.xml.bin b/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.xml.bin
index d35e7061..be5f0590 100644
--- a/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.xml.bin
+++ b/tests/_data/snapshots/environment/texts_with-license-pep639_1.6.xml.bin
@@ -305,38 +305,6 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
-      <name>lxml</name>
-      <version>5.3.0</version>
-      <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <licenses>
-        <license acknowledgement="declared">
-          <id>BSD-3-Clause</id>
-        </license>
-        <license acknowledgement="declared">
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
-        <license acknowledgement="declared">
-          <name>declared license file: LICENSE.txt</name>
-          <text content-type="text/plain" encoding="base64">Q29weXJpZ2h0IChjKSAyMDA0IEluZnJhZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KClJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAptb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCm1ldDoKCiAgMS4gUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKICAgICBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIuCiAgIAogIDIuIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUgY29weXJpZ2h0CiAgICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluCiAgICAgdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogICAgIGRpc3RyaWJ1dGlvbi4KCiAgMy4gTmVpdGhlciB0aGUgbmFtZSBvZiBJbmZyYWUgbm9yIHRoZSBuYW1lcyBvZiBpdHMgY29udHJpYnV0b3JzIG1heQogICAgIGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbSB0aGlzIHNvZnR3YXJlCiAgICAgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCgpUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCkxJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUgpBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgSU5GUkFFIE9SCkNPTlRSSUJVVE9SUyBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBTUEVDSUFMLApFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sClBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLCBEQVRBLCBPUgpQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkgVEhFT1JZIE9GCkxJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVCAoSU5DTFVESU5HCk5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YgVEhJUwpTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4K</text>
-        </license>
-        <license acknowledgement="declared">
-          <name>declared license file: LICENSES.txt</name>
-          <text content-type="text/plain" encoding="base64">bHhtbCBpcyBjb3B5cmlnaHQgSW5mcmFlIGFuZCBkaXN0cmlidXRlZCB1bmRlciB0aGUgQlNEIGxpY2Vuc2UgKHNlZQpkb2MvbGljZW5zZXMvQlNELnR4dCksIHdpdGggdGhlIGZvbGxvd2luZyBleGNlcHRpb25zOgoKU29tZSBjb2RlLCBzdWNoIGEgc2VsZnRlc3QucHksIHNlbGZ0ZXN0Mi5weSBhbmQKc3JjL2x4bWwvX2VsZW1lbnRwYXRoLnB5IGFyZSBkZXJpdmVkIGZyb20gRWxlbWVudFRyZWUgYW5kCmNFbGVtZW50VHJlZS4gU2VlIGRvYy9saWNlbnNlcy9lbGVtZW50dHJlZS50eHQgZm9yIHRoZSBsaWNlbnNlIHRleHQuCgpseG1sLmNzc3NlbGVjdCBhbmQgbHhtbC5odG1sIGFyZSBjb3B5cmlnaHQgSWFuIEJpY2tpbmcgYW5kIGRpc3RyaWJ1dGVkCnVuZGVyIHRoZSBCU0QgbGljZW5zZSAoc2VlIGRvYy9saWNlbnNlcy9CU0QudHh0KS4KCnRlc3QucHksIHRoZSB0ZXN0LXJ1bm5lciBzY3JpcHQsIGlzIEdQTCBhbmQgY29weXJpZ2h0IFNodXR0bGV3b3J0aApGb3VuZGF0aW9uLiBTZWUgZG9jL2xpY2Vuc2VzL0dQTC50eHQuIEl0IGlzIGJlbGlldmVkIHRoZSB1bmNoYW5nZWQKaW5jbHVzaW9uIG9mIHRlc3QucHkgdG8gcnVuIHRoZSB1bml0IHRlc3Qgc3VpdGUgZmFsbHMgdW5kZXIgdGhlCiJhZ2dyZWdhdGlvbiIgY2xhdXNlIG9mIHRoZSBHUEwgYW5kIHRodXMgZG9lcyBub3QgYWZmZWN0IHRoZSBsaWNlbnNlCm9mIHRoZSByZXN0IG9mIHRoZSBwYWNrYWdlLgoKVGhlIGlzb3NjaGVtYXRyb24gaW1wbGVtZW50YXRpb24gdXNlcyBzZXZlcmFsIFhTTCBhbmQgUmVsYXhORyByZXNvdXJjZXM6CiAqIFRoZSAoWE1MIHN5bnRheCkgUmVsYXhORyBzY2hlbWEgZm9yIHNjaGVtYXRyb24sIGNvcHlyaWdodCBJbnRlcm5hdGlvbmFsCiAgIE9yZ2FuaXphdGlvbiBmb3IgU3RhbmRhcmRpemF0aW9uIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3JuZy9pc28tc2NoZW1hdHJvbi5ybmcgZm9yIHRoZSBsaWNlbnNlCiAgIHRleHQpCiAqIFRoZSBza2VsZXRvbiBpc28tc2NoZW1hdHJvbi14bHQxIHB1cmUteHNsdCBzY2hlbWF0cm9uIGltcGxlbWVudGF0aW9uCiAgIHhzbCBzdHlsZXNoZWV0cywgY29weXJpZ2h0IFJpY2sgSmVsbGlmZmUgYW5kIEFjYWRlbWlhIFNpbmljYSBDb21wdXRpbmcKICAgQ2VudGVyLCBUYWl3YW4gKHNlZSB0aGUgeHNsIGZpbGVzIGhlcmUgZm9yIHRoZSBsaWNlbnNlIHRleHQ6IAogICBzcmMvbHhtbC9pc29zY2hlbWF0cm9uL3Jlc291cmNlcy94c2wvaXNvLXNjaGVtYXRyb24teHNsdDEvKQogKiBUaGUgeHNkL3JuZyBzY2hlbWEgc2NoZW1hdHJvbiBleHRyYWN0aW9uIHhzbCB0cmFuc2Zvcm1hdGlvbnMgYXJlIHVubGljZW5zZWQKICAgYW5kIGNvcHlyaWdodCB0aGUgcmVzcGVjdGl2ZSBhdXRob3JzIGFzIG5vdGVkIChzZWUgCiAgIHNyYy9seG1sL2lzb3NjaGVtYXRyb24vcmVzb3VyY2VzL3hzbC9STkcyU2NodHJuLnhzbCBhbmQKICAgc3JjL2x4bWwvaXNvc2NoZW1hdHJvbi9yZXNvdXJjZXMveHNsL1hTRDJTY2h0cm4ueHNsKQo=</text>
-        </license>
-      </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
-      <externalReferences>
-        <reference type="other">
-          <url>https://github.com/lxml/lxml</url>
-          <comment>from packaging metadata Project-URL: Source</comment>
-        </reference>
-        <reference type="website">
-          <url>https://lxml.de/</url>
-          <comment>from packaging metadata: Home-page</comment>
-        </reference>
-      </externalReferences>
-    </component>
     <component type="library" bom-ref="regression-issue868==0.1">
       <name>regression-issue868</name>
       <version>0.1</version>
@@ -357,7 +325,6 @@
     <dependency ref="license-expression==30.3.0">
       <dependency ref="boolean.py==4.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
     <dependency ref="regression-issue868==0.1"/>
     <dependency ref="root-component">
       <dependency ref="attrs==23.2.0"/>
@@ -365,7 +332,6 @@
       <dependency ref="cryptography==43.0.1"/>
       <dependency ref="jsonpointer==2.4"/>
       <dependency ref="license-expression==30.3.0"/>
-      <dependency ref="lxml==5.3.0"/>
       <dependency ref="regression-issue868==0.1"/>
     </dependency>
   </dependencies>

From 2d428edeb75124e82084f5ab87416bc4c8a26d41 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Wed, 15 Oct 2025 18:41:33 +0200
Subject: [PATCH 04/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/__init__.py                             |   4 +-
 .../infiles/environment/with-extras/init.py   |   2 +-
 .../environment/with-extras/pinning.txt       |  32 +-
 .../environment/with-license-pep639/init.py   |   8 +-
 .../environment/plain_with-extras_1.0.xml.bin |  78 +++--
 .../environment/plain_with-extras_1.1.xml.bin | 184 +++++++----
 .../plain_with-extras_1.2.json.bin            | 285 ++++++++++-------
 .../environment/plain_with-extras_1.2.xml.bin | 260 ++++++++++------
 .../plain_with-extras_1.3.json.bin            | 287 ++++++++++-------
 .../environment/plain_with-extras_1.3.xml.bin | 262 +++++++++-------
 .../plain_with-extras_1.4.json.bin            | 287 ++++++++++-------
 .../environment/plain_with-extras_1.4.xml.bin | 262 +++++++++-------
 .../plain_with-extras_1.5.json.bin            | 287 ++++++++++-------
 .../environment/plain_with-extras_1.5.xml.bin | 262 +++++++++-------
 .../plain_with-extras_1.6.json.bin            | 291 +++++++++++-------
 .../environment/plain_with-extras_1.6.xml.bin | 262 +++++++++-------
 16 files changed, 1883 insertions(+), 1170 deletions(-)

diff --git a/tests/__init__.py b/tests/__init__.py
index 75a96819..06029472 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -28,11 +28,11 @@
 
 from cyclonedx_py import __version__ as __this_version
 
-RECREATE_SNAPSHOTS = '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
+RECREATE_SNAPSHOTS = True # '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
 if RECREATE_SNAPSHOTS:
     print('!!! WILL RECREATE ALL SNAPSHOTS !!!', file=sys.stderr)
 
-INIT_TESTBEDS = '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
+INIT_TESTBEDS = True # '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
 if INIT_TESTBEDS:
     print('!!! WILL INIT TESTBEDS !!!', file=sys.stderr)
 
diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index e1182814..a644ca66 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -63,7 +63,7 @@ def main() -> None:
     ).create(env_dir)
 
     pip_install(
-        'cyclonedx-python-lib[xml-validation,json-validation]',
+        'cyclonedx-python-lib[xml-validation,json-validation]==11.2',
         # additionals for reproducibility foo
         'importlib-resources>=1.4.0',
         'pkgutil-resolve-name>=1.3.10',
diff --git a/tests/_data/infiles/environment/with-extras/pinning.txt b/tests/_data/infiles/environment/with-extras/pinning.txt
index a62106ae..1c113e92 100644
--- a/tests/_data/infiles/environment/with-extras/pinning.txt
+++ b/tests/_data/infiles/environment/with-extras/pinning.txt
@@ -1,28 +1,30 @@
 arrow==1.3.0
-attrs==24.2.0
-boolean.py==4.0
-cyclonedx-python-lib==8.2.0
+attrs==25.4.0
+boolean.py==5.0
+cyclonedx-python-lib==11.2.0
 defusedxml==0.7.1
 fqdn==1.5.1
-idna==3.10
+idna==3.11
 importlib_resources==6.4.5
 isoduration==20.11.0
 jsonpointer==3.0.0
-jsonschema==4.23.0
+jsonschema==4.25.1
 jsonschema-specifications==2023.3.6
-license-expression==30.3.1
-lxml==5.3.0
-packageurl-python==0.16.0
+lark==1.3.0
+license-expression==30.4.4
+lxml==6.0.2
+packageurl-python==0.17.5
 pkgutil_resolve_name==1.3.10
-py-serializable==1.1.2
+py-serializable==2.1.0
 python-dateutil==2.9.0.post0
-referencing==0.35.1
+referencing==0.37.0
 rfc3339-validator==0.1.4
-rfc3987==1.3.8
-rpds-py==0.20.0
-six==1.16.0
+rfc3986-validator==0.1.1
+rfc3987-syntax==1.1.0
+rpds-py==0.27.1
+six==1.17.0
 sortedcontainers==2.4.0
-types-python-dateutil==2.9.0.20241003
+types-python-dateutil==2.9.0.20251008
 uri-template==1.3.0
-webcolors==24.8.0
+webcolors==24.11.1
 zipp==3.20.2
diff --git a/tests/_data/infiles/environment/with-license-pep639/init.py b/tests/_data/infiles/environment/with-license-pep639/init.py
index e7d92a40..13ae9349 100644
--- a/tests/_data/infiles/environment/with-license-pep639/init.py
+++ b/tests/_data/infiles/environment/with-license-pep639/init.py
@@ -65,11 +65,11 @@ def main() -> None:
     pip_install(
         '--no-dependencies',
         # with License-Expression
-        'attrs',
+        'attrs==23.2.0',
         # with License-File
-        'boolean.py',
-        'jsonpointer',
-        'license_expression',
+        'boolean.py==4.0',
+        'jsonpointer==2.4',
+        'license_expression==30.3.0',
         'chardet==5.2.0',  # https://github.com/CycloneDX/cyclonedx-python/issues/931
         # with expression-like License AND License-File
         'cryptography==43.0.1',  # https://github.com/CycloneDX/cyclonedx-python/issues/826
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin
index 5da4c167..5e13b31f 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin
@@ -10,23 +10,23 @@
     </component>
     <component type="library">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -45,9 +45,9 @@
     </component>
     <component type="library">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -73,9 +73,9 @@
     </component>
     <component type="library">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -85,25 +85,32 @@
       <purl>pkg:pypi/jsonschema-specifications@2023.3.6</purl>
       <modified>false</modified>
     </component>
+    <component type="library">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <modified>false</modified>
+    </component>
     <component type="library">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -115,9 +122,9 @@
     </component>
     <component type="library">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -129,9 +136,9 @@
     </component>
     <component type="library">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -142,24 +149,31 @@
       <modified>false</modified>
     </component>
     <component type="library">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
+      <modified>false</modified>
+    </component>
+    <component type="library">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -171,9 +185,9 @@
     </component>
     <component type="library">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <modified>false</modified>
     </component>
     <component type="library">
@@ -185,9 +199,9 @@
     </component>
     <component type="library">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <modified>false</modified>
     </component>
     <component type="library">
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin
index d8c26272..20c9be7b 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin
@@ -26,16 +26,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="attrs==24.2.0">
+    <component type="library" bom-ref="attrs==25.4.0">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://www.attrs.org/</url>
@@ -59,16 +59,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="boolean.py==4.0">
+    <component type="library" bom-ref="boolean.py==5.0">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
       <licenses>
         <license>
           <id>BSD-2-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/bastikr/boolean.py</url>
@@ -76,9 +76,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="cyclonedx-python-lib==8.2.0">
+    <component type="library" bom-ref="cyclonedx-python-lib==11.2.0">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
       <licenses>
         <license>
@@ -88,7 +88,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://cyclonedx-python-library.readthedocs.io/</url>
@@ -102,13 +102,17 @@
           <url>https://owasp.org/donate/?reponame=www-project-cyclonedx&amp;title=OWASP+CycloneDX</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/CycloneDX/cyclonedx-python-lib/releases</url>
+          <comment>from packaging metadata Project-URL: Changelog</comment>
+        </reference>
         <reference type="vcs">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
           <comment>from packaging metadata Project-URL: Repository</comment>
         </reference>
         <reference type="website">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -150,16 +154,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="idna==3.10">
+    <component type="library" bom-ref="idna==3.11">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
       <licenses>
         <license>
-          <name>License :: OSI Approved :: BSD License</name>
+          <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/kjd/idna/issues</url>
@@ -238,16 +242,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="jsonschema==4.23.0">
+    <component type="library" bom-ref="jsonschema==4.25.1">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://python-jsonschema.readthedocs.io/</url>
@@ -312,16 +316,37 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="license-expression==30.3.1">
+    <component type="library" bom-ref="lark==1.3.0">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <externalReferences>
+        <reference type="distribution">
+          <url>https://github.com/lark-parser/lark/tarball/master</url>
+          <comment>from packaging metadata Project-URL: Download</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/lark-parser/lark</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="license-expression==30.4.4">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/aboutcode-org/license-expression</url>
@@ -329,20 +354,21 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
+    <component type="library" bom-ref="lxml==6.0.2">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
       <licenses>
         <license>
           <id>BSD-3-Clause</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <externalReferences>
+        <reference type="issue-tracker">
+          <url>https://bugs.launchpad.net/lxml</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/lxml/lxml</url>
           <comment>from packaging metadata Project-URL: Source</comment>
@@ -353,16 +379,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="packageurl-python==0.16.0">
+    <component type="library" bom-ref="packageurl-python==0.17.5">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/package-url/packageurl-python</url>
@@ -387,9 +413,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="py-serializable==1.1.2">
+    <component type="library" bom-ref="py-serializable==2.1.0">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
       <licenses>
         <license>
@@ -399,7 +425,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://py-serializable.readthedocs.io/</url>
@@ -415,7 +441,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/madpah/serializable#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -447,16 +473,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="referencing==0.35.1">
+    <component type="library" bom-ref="referencing==0.37.0">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://referencing.readthedocs.io/</url>
@@ -505,37 +531,62 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rfc3987==1.3.8">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
+    <component type="library" bom-ref="rfc3986-validator==0.1.1">
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
       <licenses>
         <license>
-          <id>GPL-3.0-or-later</id>
+          <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
       <externalReferences>
-        <reference type="distribution">
-          <url>https://github.com/dgerber/rfc3987</url>
-          <comment>from packaging metadata: Download-URL</comment>
-        </reference>
         <reference type="website">
-          <url>http://pypi.python.org/pypi/rfc3987</url>
+          <url>https://github.com/naimetti/rfc3986-validator</url>
           <comment>from packaging metadata: Home-page</comment>
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rpds-py==0.20.0">
+    <component type="library" bom-ref="rfc3987-syntax==1.1.0">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://github.com/willynilly/rfc3987-syntax#readme</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/willynilly/rfc3987-syntax/issues</url>
+          <comment>from packaging metadata Project-URL: Issues</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Source</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="rpds-py==0.27.1">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://rpds.readthedocs.io/</url>
@@ -549,6 +600,10 @@
           <url>https://github.com/crate-py/rpds</url>
           <comment>from packaging metadata Project-URL: Source</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/orium/rpds</url>
+          <comment>from packaging metadata Project-URL: Upstream</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/sponsors/Julian</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
@@ -563,16 +618,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="six==1.16.0">
+    <component type="library" bom-ref="six==1.17.0">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/benjaminp/six</url>
@@ -597,19 +652,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="types-python-dateutil==2.9.0.20241003">
+    <component type="library" bom-ref="types-python-dateutil==2.9.0.20251008">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: Apache Software License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <externalReferences>
         <reference type="chat">
           <url>https://gitter.im/python/typing</url>
@@ -629,7 +681,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/python/typeshed</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -650,9 +702,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="webcolors==24.8.0">
+    <component type="library" bom-ref="webcolors==24.11.1">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
       <licenses>
         <license>
@@ -662,15 +714,15 @@
           <name>License :: OSI Approved :: BSD License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://webcolors.readthedocs.io</url>
-          <comment>from packaging metadata Project-URL: documentation</comment>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
         </reference>
-        <reference type="website">
+        <reference type="other">
           <url>https://github.com/ubernostrum/webcolors</url>
-          <comment>from packaging metadata Project-URL: homepage</comment>
+          <comment>from packaging metadata Project-URL: Source Code</comment>
         </reference>
       </externalReferences>
     </component>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin
index dae67ce2..cd6df1b2 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin
@@ -33,7 +33,7 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "attrs==24.2.0",
+      "bom-ref": "attrs==25.4.0",
       "description": "Classes Without Boilerplate",
       "externalReferences": [
         {
@@ -70,12 +70,12 @@
         }
       ],
       "name": "attrs",
-      "purl": "pkg:pypi/attrs@24.2.0",
+      "purl": "pkg:pypi/attrs@25.4.0",
       "type": "library",
-      "version": "24.2.0"
+      "version": "25.4.0"
     },
     {
-      "bom-ref": "boolean.py==4.0",
+      "bom-ref": "boolean.py==5.0",
       "description": "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.",
       "externalReferences": [
         {
@@ -92,12 +92,12 @@
         }
       ],
       "name": "boolean.py",
-      "purl": "pkg:pypi/boolean.py@4.0",
+      "purl": "pkg:pypi/boolean.py@5.0",
       "type": "library",
-      "version": "4.0"
+      "version": "5.0"
     },
     {
-      "bom-ref": "cyclonedx-python-lib==8.2.0",
+      "bom-ref": "cyclonedx-python-lib==11.2.0",
       "description": "Python library for CycloneDX",
       "externalReferences": [
         {
@@ -115,13 +115,18 @@
           "type": "other",
           "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Changelog",
+          "type": "other",
+          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/releases"
+        },
         {
           "comment": "from packaging metadata Project-URL: Repository",
           "type": "vcs",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
         }
@@ -139,9 +144,9 @@
         }
       ],
       "name": "cyclonedx-python-lib",
-      "purl": "pkg:pypi/cyclonedx-python-lib@8.2.0",
+      "purl": "pkg:pypi/cyclonedx-python-lib@11.2.0",
       "type": "library",
-      "version": "8.2.0"
+      "version": "11.2.0"
     },
     {
       "bom-ref": "defusedxml==0.7.1",
@@ -193,7 +198,7 @@
       "version": "1.5.1"
     },
     {
-      "bom-ref": "idna==3.10",
+      "bom-ref": "idna==3.11",
       "description": "Internationalized Domain Names in Applications (IDNA)",
       "externalReferences": [
         {
@@ -215,14 +220,14 @@
       "licenses": [
         {
           "license": {
-            "name": "License :: OSI Approved :: BSD License"
+            "id": "BSD-3-Clause"
           }
         }
       ],
       "name": "idna",
-      "purl": "pkg:pypi/idna@3.10",
+      "purl": "pkg:pypi/idna@3.11",
       "type": "library",
-      "version": "3.10"
+      "version": "3.11"
     },
     {
       "bom-ref": "importlib_resources==6.4.5",
@@ -306,7 +311,7 @@
       "version": "3.0.0"
     },
     {
-      "bom-ref": "jsonschema==4.23.0",
+      "bom-ref": "jsonschema==4.25.1",
       "description": "An implementation of JSON Schema validation for Python",
       "externalReferences": [
         {
@@ -353,9 +358,9 @@
         }
       ],
       "name": "jsonschema",
-      "purl": "pkg:pypi/jsonschema@4.23.0",
+      "purl": "pkg:pypi/jsonschema@4.25.1",
       "type": "library",
-      "version": "4.23.0"
+      "version": "4.25.1"
     },
     {
       "bom-ref": "jsonschema-specifications==2023.3.6",
@@ -400,7 +405,34 @@
       "version": "2023.3.6"
     },
     {
-      "bom-ref": "license-expression==30.3.1",
+      "bom-ref": "lark==1.3.0",
+      "description": "a modern parsing library",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Download",
+          "type": "distribution",
+          "url": "https://github.com/lark-parser/lark/tarball/master"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
+          "type": "website",
+          "url": "https://github.com/lark-parser/lark"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "lark",
+      "purl": "pkg:pypi/lark@1.3.0",
+      "type": "library",
+      "version": "1.3.0"
+    },
+    {
+      "bom-ref": "license-expression==30.4.4",
       "description": "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.",
       "externalReferences": [
         {
@@ -417,14 +449,19 @@
         }
       ],
       "name": "license-expression",
-      "purl": "pkg:pypi/license-expression@30.3.1",
+      "purl": "pkg:pypi/license-expression@30.4.4",
       "type": "library",
-      "version": "30.3.1"
+      "version": "30.4.4"
     },
     {
-      "bom-ref": "lxml==5.3.0",
+      "bom-ref": "lxml==6.0.2",
       "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
       "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://bugs.launchpad.net/lxml"
+        },
         {
           "comment": "from packaging metadata Project-URL: Source",
           "type": "other",
@@ -441,20 +478,15 @@
           "license": {
             "id": "BSD-3-Clause"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
         }
       ],
       "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
+      "purl": "pkg:pypi/lxml@6.0.2",
       "type": "library",
-      "version": "5.3.0"
+      "version": "6.0.2"
     },
     {
-      "bom-ref": "packageurl-python==0.16.0",
+      "bom-ref": "packageurl-python==0.17.5",
       "description": "A purl aka. Package URL parser and builder",
       "externalReferences": [
         {
@@ -471,9 +503,9 @@
         }
       ],
       "name": "packageurl-python",
-      "purl": "pkg:pypi/packageurl-python@0.16.0",
+      "purl": "pkg:pypi/packageurl-python@0.17.5",
       "type": "library",
-      "version": "0.16.0"
+      "version": "0.17.5"
     },
     {
       "bom-ref": "pkgutil_resolve_name==1.3.10",
@@ -498,7 +530,7 @@
       "version": "1.3.10"
     },
     {
-      "bom-ref": "py-serializable==1.1.2",
+      "bom-ref": "py-serializable==2.1.0",
       "description": "Library for serializing and deserializing Python Objects to and from JSON and XML.",
       "externalReferences": [
         {
@@ -517,7 +549,7 @@
           "url": "https://github.com/madpah/serializable"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/madpah/serializable#readme"
         }
@@ -535,9 +567,9 @@
         }
       ],
       "name": "py-serializable",
-      "purl": "pkg:pypi/py-serializable@1.1.2",
+      "purl": "pkg:pypi/py-serializable@2.1.0",
       "type": "library",
-      "version": "1.1.2"
+      "version": "2.1.0"
     },
     {
       "bom-ref": "python-dateutil==2.9.0.post0",
@@ -577,7 +609,7 @@
       "version": "2.9.0.post0"
     },
     {
-      "bom-ref": "referencing==0.35.1",
+      "bom-ref": "referencing==0.37.0",
       "description": "JSON Referencing + Python",
       "externalReferences": [
         {
@@ -624,9 +656,9 @@
         }
       ],
       "name": "referencing",
-      "purl": "pkg:pypi/referencing@0.35.1",
+      "purl": "pkg:pypi/referencing@0.37.0",
       "type": "library",
-      "version": "0.35.1"
+      "version": "0.37.0"
     },
     {
       "bom-ref": "rfc3339-validator==0.1.4",
@@ -651,34 +683,66 @@
       "version": "0.1.4"
     },
     {
-      "bom-ref": "rfc3987==1.3.8",
-      "description": "Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)",
+      "bom-ref": "rfc3986-validator==0.1.1",
+      "description": "Pure python rfc3986 validator",
       "externalReferences": [
         {
-          "comment": "from packaging metadata: Download-URL",
-          "type": "distribution",
-          "url": "https://github.com/dgerber/rfc3987"
+          "comment": "from packaging metadata: Home-page",
+          "type": "website",
+          "url": "https://github.com/naimetti/rfc3986-validator"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "rfc3986-validator",
+      "purl": "pkg:pypi/rfc3986-validator@0.1.1",
+      "type": "library",
+      "version": "0.1.1"
+    },
+    {
+      "bom-ref": "rfc3987-syntax==1.1.0",
+      "description": "Helper functions to syntactically validate strings according to RFC 3987.",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://github.com/willynilly/rfc3987-syntax#readme"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Issues",
+          "type": "issue-tracker",
+          "url": "https://github.com/willynilly/rfc3987-syntax/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Source",
+          "type": "other",
+          "url": "https://github.com/willynilly/rfc3987-syntax"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
-          "url": "http://pypi.python.org/pypi/rfc3987"
+          "url": "https://github.com/willynilly/rfc3987-syntax"
         }
       ],
       "licenses": [
         {
           "license": {
-            "id": "GPL-3.0-or-later"
+            "id": "MIT"
           }
         }
       ],
-      "name": "rfc3987",
-      "purl": "pkg:pypi/rfc3987@1.3.8",
+      "name": "rfc3987-syntax",
+      "purl": "pkg:pypi/rfc3987-syntax@1.1.0",
       "type": "library",
-      "version": "1.3.8"
+      "version": "1.1.0"
     },
     {
-      "bom-ref": "rpds-py==0.20.0",
+      "bom-ref": "rpds-py==0.27.1",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "externalReferences": [
         {
@@ -696,6 +760,11 @@
           "type": "other",
           "url": "https://github.com/crate-py/rpds"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Upstream",
+          "type": "other",
+          "url": "https://github.com/orium/rpds"
+        },
         {
           "comment": "from packaging metadata Project-URL: Funding",
           "type": "other",
@@ -720,12 +789,12 @@
         }
       ],
       "name": "rpds-py",
-      "purl": "pkg:pypi/rpds-py@0.20.0",
+      "purl": "pkg:pypi/rpds-py@0.27.1",
       "type": "library",
-      "version": "0.20.0"
+      "version": "0.27.1"
     },
     {
-      "bom-ref": "six==1.16.0",
+      "bom-ref": "six==1.17.0",
       "description": "Python 2 and 3 compatibility utilities",
       "externalReferences": [
         {
@@ -742,9 +811,9 @@
         }
       ],
       "name": "six",
-      "purl": "pkg:pypi/six@1.16.0",
+      "purl": "pkg:pypi/six@1.17.0",
       "type": "library",
-      "version": "1.16.0"
+      "version": "1.17.0"
     },
     {
       "bom-ref": "sortedcontainers==2.4.0",
@@ -769,7 +838,7 @@
       "version": "2.4.0"
     },
     {
-      "bom-ref": "types-python-dateutil==2.9.0.20241003",
+      "bom-ref": "types-python-dateutil==2.9.0.20251008",
       "description": "Typing stubs for python-dateutil",
       "externalReferences": [
         {
@@ -793,7 +862,7 @@
           "url": "https://github.com/python/typeshed"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/python/typeshed"
         }
@@ -803,17 +872,12 @@
           "license": {
             "id": "Apache-2.0"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: Apache Software License"
-          }
         }
       ],
       "name": "types-python-dateutil",
-      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20241003",
+      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20251008",
       "type": "library",
-      "version": "2.9.0.20241003"
+      "version": "2.9.0.20251008"
     },
     {
       "bom-ref": "uri-template==1.3.0",
@@ -838,17 +902,17 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "webcolors==24.8.0",
+      "bom-ref": "webcolors==24.11.1",
       "description": "A library for working with the color formats defined by HTML and CSS.",
       "externalReferences": [
         {
-          "comment": "from packaging metadata Project-URL: documentation",
+          "comment": "from packaging metadata Project-URL: Documentation",
           "type": "documentation",
           "url": "https://webcolors.readthedocs.io"
         },
         {
-          "comment": "from packaging metadata Project-URL: homepage",
-          "type": "website",
+          "comment": "from packaging metadata Project-URL: Source Code",
+          "type": "other",
           "url": "https://github.com/ubernostrum/webcolors"
         }
       ],
@@ -865,9 +929,9 @@
         }
       ],
       "name": "webcolors",
-      "purl": "pkg:pypi/webcolors@24.8.0",
+      "purl": "pkg:pypi/webcolors@24.11.1",
       "type": "library",
-      "version": "24.8.0"
+      "version": "24.11.1"
     },
     {
       "bom-ref": "zipp==3.20.2",
@@ -896,26 +960,27 @@
     {
       "dependsOn": [
         "python-dateutil==2.9.0.post0",
-        "types-python-dateutil==2.9.0.20241003"
+        "types-python-dateutil==2.9.0.20251008"
       ],
       "ref": "arrow==1.3.0"
     },
     {
-      "ref": "attrs==24.2.0"
+      "ref": "attrs==25.4.0"
     },
     {
-      "ref": "boolean.py==4.0"
+      "ref": "boolean.py==5.0"
     },
     {
       "dependsOn": [
-        "jsonschema==4.23.0",
-        "license-expression==30.3.1",
-        "lxml==5.3.0",
-        "packageurl-python==0.16.0",
-        "py-serializable==1.1.2",
+        "jsonschema==4.25.1",
+        "license-expression==30.4.4",
+        "lxml==6.0.2",
+        "packageurl-python==0.17.5",
+        "py-serializable==2.1.0",
+        "referencing==0.37.0",
         "sortedcontainers==2.4.0"
       ],
-      "ref": "cyclonedx-python-lib==8.2.0"
+      "ref": "cyclonedx-python-lib==11.2.0"
     },
     {
       "ref": "defusedxml==0.7.1"
@@ -924,7 +989,7 @@
       "ref": "fqdn==1.5.1"
     },
     {
-      "ref": "idna==3.10"
+      "ref": "idna==3.11"
     },
     {
       "dependsOn": [
@@ -944,40 +1009,42 @@
     {
       "dependsOn": [
         "importlib_resources==6.4.5",
-        "referencing==0.35.1"
+        "referencing==0.37.0"
       ],
       "ref": "jsonschema-specifications==2023.3.6"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
+        "attrs==25.4.0",
         "fqdn==1.5.1",
-        "idna==3.10",
-        "importlib_resources==6.4.5",
+        "idna==3.11",
         "isoduration==20.11.0",
         "jsonpointer==3.0.0",
         "jsonschema-specifications==2023.3.6",
-        "pkgutil_resolve_name==1.3.10",
-        "referencing==0.35.1",
+        "referencing==0.37.0",
         "rfc3339-validator==0.1.4",
-        "rfc3987==1.3.8",
-        "rpds-py==0.20.0",
+        "rfc3986-validator==0.1.1",
+        "rfc3987-syntax==1.1.0",
+        "rpds-py==0.27.1",
         "uri-template==1.3.0",
-        "webcolors==24.8.0"
+        "webcolors==24.11.1"
       ],
-      "ref": "jsonschema==4.23.0"
+      "ref": "jsonschema==4.25.1"
+    },
+    {
+      "ref": "lark==1.3.0"
     },
     {
       "dependsOn": [
-        "boolean.py==4.0"
+        "boolean.py==5.0"
       ],
-      "ref": "license-expression==30.3.1"
+      "ref": "license-expression==30.4.4"
     },
     {
-      "ref": "lxml==5.3.0"
+      "ref": "lxml==6.0.2"
     },
     {
-      "ref": "packageurl-python==0.16.0"
+      "ref": "packageurl-python==0.17.5"
     },
     {
       "ref": "pkgutil_resolve_name==1.3.10"
@@ -986,53 +1053,59 @@
       "dependsOn": [
         "defusedxml==0.7.1"
       ],
-      "ref": "py-serializable==1.1.2"
+      "ref": "py-serializable==2.1.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "python-dateutil==2.9.0.post0"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
-        "rpds-py==0.20.0"
+        "attrs==25.4.0",
+        "rpds-py==0.27.1"
       ],
-      "ref": "referencing==0.35.1"
+      "ref": "referencing==0.37.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "rfc3339-validator==0.1.4"
     },
     {
-      "ref": "rfc3987==1.3.8"
+      "ref": "rfc3986-validator==0.1.1"
+    },
+    {
+      "dependsOn": [
+        "lark==1.3.0"
+      ],
+      "ref": "rfc3987-syntax==1.1.0"
     },
     {
       "dependsOn": [
-        "cyclonedx-python-lib==8.2.0"
+        "cyclonedx-python-lib==11.2.0"
       ],
       "ref": "root-component"
     },
     {
-      "ref": "rpds-py==0.20.0"
+      "ref": "rpds-py==0.27.1"
     },
     {
-      "ref": "six==1.16.0"
+      "ref": "six==1.17.0"
     },
     {
       "ref": "sortedcontainers==2.4.0"
     },
     {
-      "ref": "types-python-dateutil==2.9.0.20241003"
+      "ref": "types-python-dateutil==2.9.0.20251008"
     },
     {
       "ref": "uri-template==1.3.0"
     },
     {
-      "ref": "webcolors==24.8.0"
+      "ref": "webcolors==24.11.1"
     },
     {
       "dependsOn": [
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin
index 848bffce..4795472c 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin
@@ -45,16 +45,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="attrs==24.2.0">
+    <component type="library" bom-ref="attrs==25.4.0">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://www.attrs.org/</url>
@@ -78,16 +78,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="boolean.py==4.0">
+    <component type="library" bom-ref="boolean.py==5.0">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
       <licenses>
         <license>
           <id>BSD-2-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/bastikr/boolean.py</url>
@@ -95,9 +95,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="cyclonedx-python-lib==8.2.0">
+    <component type="library" bom-ref="cyclonedx-python-lib==11.2.0">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
       <licenses>
         <license>
@@ -107,7 +107,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://cyclonedx-python-library.readthedocs.io/</url>
@@ -121,13 +121,17 @@
           <url>https://owasp.org/donate/?reponame=www-project-cyclonedx&amp;title=OWASP+CycloneDX</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/CycloneDX/cyclonedx-python-lib/releases</url>
+          <comment>from packaging metadata Project-URL: Changelog</comment>
+        </reference>
         <reference type="vcs">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
           <comment>from packaging metadata Project-URL: Repository</comment>
         </reference>
         <reference type="website">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -169,16 +173,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="idna==3.10">
+    <component type="library" bom-ref="idna==3.11">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
       <licenses>
         <license>
-          <name>License :: OSI Approved :: BSD License</name>
+          <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/kjd/idna/issues</url>
@@ -257,16 +261,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="jsonschema==4.23.0">
+    <component type="library" bom-ref="jsonschema==4.25.1">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://python-jsonschema.readthedocs.io/</url>
@@ -331,16 +335,37 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="license-expression==30.3.1">
+    <component type="library" bom-ref="lark==1.3.0">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <externalReferences>
+        <reference type="distribution">
+          <url>https://github.com/lark-parser/lark/tarball/master</url>
+          <comment>from packaging metadata Project-URL: Download</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/lark-parser/lark</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="license-expression==30.4.4">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/aboutcode-org/license-expression</url>
@@ -348,20 +373,21 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
+    <component type="library" bom-ref="lxml==6.0.2">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
       <licenses>
         <license>
           <id>BSD-3-Clause</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <externalReferences>
+        <reference type="issue-tracker">
+          <url>https://bugs.launchpad.net/lxml</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/lxml/lxml</url>
           <comment>from packaging metadata Project-URL: Source</comment>
@@ -372,16 +398,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="packageurl-python==0.16.0">
+    <component type="library" bom-ref="packageurl-python==0.17.5">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/package-url/packageurl-python</url>
@@ -406,9 +432,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="py-serializable==1.1.2">
+    <component type="library" bom-ref="py-serializable==2.1.0">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
       <licenses>
         <license>
@@ -418,7 +444,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://py-serializable.readthedocs.io/</url>
@@ -434,7 +460,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/madpah/serializable#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -466,16 +492,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="referencing==0.35.1">
+    <component type="library" bom-ref="referencing==0.37.0">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://referencing.readthedocs.io/</url>
@@ -524,37 +550,62 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rfc3987==1.3.8">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
+    <component type="library" bom-ref="rfc3986-validator==0.1.1">
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
       <licenses>
         <license>
-          <id>GPL-3.0-or-later</id>
+          <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
       <externalReferences>
-        <reference type="distribution">
-          <url>https://github.com/dgerber/rfc3987</url>
-          <comment>from packaging metadata: Download-URL</comment>
-        </reference>
         <reference type="website">
-          <url>http://pypi.python.org/pypi/rfc3987</url>
+          <url>https://github.com/naimetti/rfc3986-validator</url>
           <comment>from packaging metadata: Home-page</comment>
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rpds-py==0.20.0">
+    <component type="library" bom-ref="rfc3987-syntax==1.1.0">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://github.com/willynilly/rfc3987-syntax#readme</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/willynilly/rfc3987-syntax/issues</url>
+          <comment>from packaging metadata Project-URL: Issues</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Source</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="rpds-py==0.27.1">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://rpds.readthedocs.io/</url>
@@ -568,6 +619,10 @@
           <url>https://github.com/crate-py/rpds</url>
           <comment>from packaging metadata Project-URL: Source</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/orium/rpds</url>
+          <comment>from packaging metadata Project-URL: Upstream</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/sponsors/Julian</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
@@ -582,16 +637,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="six==1.16.0">
+    <component type="library" bom-ref="six==1.17.0">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/benjaminp/six</url>
@@ -616,19 +671,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="types-python-dateutil==2.9.0.20241003">
+    <component type="library" bom-ref="types-python-dateutil==2.9.0.20251008">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: Apache Software License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <externalReferences>
         <reference type="chat">
           <url>https://gitter.im/python/typing</url>
@@ -648,7 +700,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/python/typeshed</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -669,9 +721,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="webcolors==24.8.0">
+    <component type="library" bom-ref="webcolors==24.11.1">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
       <licenses>
         <license>
@@ -681,15 +733,15 @@
           <name>License :: OSI Approved :: BSD License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://webcolors.readthedocs.io</url>
-          <comment>from packaging metadata Project-URL: documentation</comment>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
         </reference>
-        <reference type="website">
+        <reference type="other">
           <url>https://github.com/ubernostrum/webcolors</url>
-          <comment>from packaging metadata Project-URL: homepage</comment>
+          <comment>from packaging metadata Project-URL: Source Code</comment>
         </reference>
       </externalReferences>
     </component>
@@ -714,21 +766,22 @@
   <dependencies>
     <dependency ref="arrow==1.3.0">
       <dependency ref="python-dateutil==2.9.0.post0"/>
-      <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+      <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     </dependency>
-    <dependency ref="attrs==24.2.0"/>
-    <dependency ref="boolean.py==4.0"/>
-    <dependency ref="cyclonedx-python-lib==8.2.0">
-      <dependency ref="jsonschema==4.23.0"/>
-      <dependency ref="license-expression==30.3.1"/>
-      <dependency ref="lxml==5.3.0"/>
-      <dependency ref="packageurl-python==0.16.0"/>
-      <dependency ref="py-serializable==1.1.2"/>
+    <dependency ref="attrs==25.4.0"/>
+    <dependency ref="boolean.py==5.0"/>
+    <dependency ref="cyclonedx-python-lib==11.2.0">
+      <dependency ref="jsonschema==4.25.1"/>
+      <dependency ref="license-expression==30.4.4"/>
+      <dependency ref="lxml==6.0.2"/>
+      <dependency ref="packageurl-python==0.17.5"/>
+      <dependency ref="py-serializable==2.1.0"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
-    <dependency ref="idna==3.10"/>
+    <dependency ref="idna==3.11"/>
     <dependency ref="importlib_resources==6.4.5">
       <dependency ref="zipp==3.20.2"/>
     </dependency>
@@ -738,53 +791,56 @@
     <dependency ref="jsonpointer==3.0.0"/>
     <dependency ref="jsonschema-specifications==2023.3.6">
       <dependency ref="importlib_resources==6.4.5"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
     </dependency>
-    <dependency ref="jsonschema==4.23.0">
-      <dependency ref="attrs==24.2.0"/>
+    <dependency ref="jsonschema==4.25.1">
+      <dependency ref="attrs==25.4.0"/>
       <dependency ref="fqdn==1.5.1"/>
-      <dependency ref="idna==3.10"/>
-      <dependency ref="importlib_resources==6.4.5"/>
+      <dependency ref="idna==3.11"/>
       <dependency ref="isoduration==20.11.0"/>
       <dependency ref="jsonpointer==3.0.0"/>
       <dependency ref="jsonschema-specifications==2023.3.6"/>
-      <dependency ref="pkgutil_resolve_name==1.3.10"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="rfc3339-validator==0.1.4"/>
-      <dependency ref="rfc3987==1.3.8"/>
-      <dependency ref="rpds-py==0.20.0"/>
+      <dependency ref="rfc3986-validator==0.1.1"/>
+      <dependency ref="rfc3987-syntax==1.1.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
       <dependency ref="uri-template==1.3.0"/>
-      <dependency ref="webcolors==24.8.0"/>
+      <dependency ref="webcolors==24.11.1"/>
     </dependency>
-    <dependency ref="license-expression==30.3.1">
-      <dependency ref="boolean.py==4.0"/>
+    <dependency ref="lark==1.3.0"/>
+    <dependency ref="license-expression==30.4.4">
+      <dependency ref="boolean.py==5.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
-    <dependency ref="packageurl-python==0.16.0"/>
+    <dependency ref="lxml==6.0.2"/>
+    <dependency ref="packageurl-python==0.17.5"/>
     <dependency ref="pkgutil_resolve_name==1.3.10"/>
-    <dependency ref="py-serializable==1.1.2">
+    <dependency ref="py-serializable==2.1.0">
       <dependency ref="defusedxml==0.7.1"/>
     </dependency>
     <dependency ref="python-dateutil==2.9.0.post0">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
     </dependency>
-    <dependency ref="referencing==0.35.1">
-      <dependency ref="attrs==24.2.0"/>
-      <dependency ref="rpds-py==0.20.0"/>
+    <dependency ref="referencing==0.37.0">
+      <dependency ref="attrs==25.4.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
+    </dependency>
+    <dependency ref="rfc3986-validator==0.1.1"/>
+    <dependency ref="rfc3987-syntax==1.1.0">
+      <dependency ref="lark==1.3.0"/>
     </dependency>
-    <dependency ref="rfc3987==1.3.8"/>
     <dependency ref="root-component">
-      <dependency ref="cyclonedx-python-lib==8.2.0"/>
+      <dependency ref="cyclonedx-python-lib==11.2.0"/>
     </dependency>
-    <dependency ref="rpds-py==0.20.0"/>
-    <dependency ref="six==1.16.0"/>
+    <dependency ref="rpds-py==0.27.1"/>
+    <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
-    <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+    <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     <dependency ref="uri-template==1.3.0"/>
-    <dependency ref="webcolors==24.8.0"/>
+    <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
       <dependency ref="importlib_resources==6.4.5"/>
     </dependency>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin
index 58dd4b90..c9c2eb91 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin
@@ -33,7 +33,7 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "attrs==24.2.0",
+      "bom-ref": "attrs==25.4.0",
       "description": "Classes Without Boilerplate",
       "externalReferences": [
         {
@@ -70,12 +70,12 @@
         }
       ],
       "name": "attrs",
-      "purl": "pkg:pypi/attrs@24.2.0",
+      "purl": "pkg:pypi/attrs@25.4.0",
       "type": "library",
-      "version": "24.2.0"
+      "version": "25.4.0"
     },
     {
-      "bom-ref": "boolean.py==4.0",
+      "bom-ref": "boolean.py==5.0",
       "description": "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.",
       "externalReferences": [
         {
@@ -92,12 +92,12 @@
         }
       ],
       "name": "boolean.py",
-      "purl": "pkg:pypi/boolean.py@4.0",
+      "purl": "pkg:pypi/boolean.py@5.0",
       "type": "library",
-      "version": "4.0"
+      "version": "5.0"
     },
     {
-      "bom-ref": "cyclonedx-python-lib==8.2.0",
+      "bom-ref": "cyclonedx-python-lib==11.2.0",
       "description": "Python library for CycloneDX",
       "externalReferences": [
         {
@@ -115,13 +115,18 @@
           "type": "other",
           "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Changelog",
+          "type": "other",
+          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/releases"
+        },
         {
           "comment": "from packaging metadata Project-URL: Repository",
           "type": "vcs",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
         }
@@ -145,9 +150,9 @@
           "value": "xml-validation"
         }
       ],
-      "purl": "pkg:pypi/cyclonedx-python-lib@8.2.0",
+      "purl": "pkg:pypi/cyclonedx-python-lib@11.2.0",
       "type": "library",
-      "version": "8.2.0"
+      "version": "11.2.0"
     },
     {
       "bom-ref": "defusedxml==0.7.1",
@@ -199,7 +204,7 @@
       "version": "1.5.1"
     },
     {
-      "bom-ref": "idna==3.10",
+      "bom-ref": "idna==3.11",
       "description": "Internationalized Domain Names in Applications (IDNA)",
       "externalReferences": [
         {
@@ -221,14 +226,14 @@
       "licenses": [
         {
           "license": {
-            "name": "License :: OSI Approved :: BSD License"
+            "id": "BSD-3-Clause"
           }
         }
       ],
       "name": "idna",
-      "purl": "pkg:pypi/idna@3.10",
+      "purl": "pkg:pypi/idna@3.11",
       "type": "library",
-      "version": "3.10"
+      "version": "3.11"
     },
     {
       "bom-ref": "importlib_resources==6.4.5",
@@ -312,7 +317,7 @@
       "version": "3.0.0"
     },
     {
-      "bom-ref": "jsonschema==4.23.0",
+      "bom-ref": "jsonschema==4.25.1",
       "description": "An implementation of JSON Schema validation for Python",
       "externalReferences": [
         {
@@ -362,12 +367,12 @@
       "properties": [
         {
           "name": "cdx:python:package:required-extra",
-          "value": "format"
+          "value": "format-nongpl"
         }
       ],
-      "purl": "pkg:pypi/jsonschema@4.23.0",
+      "purl": "pkg:pypi/jsonschema@4.25.1",
       "type": "library",
-      "version": "4.23.0"
+      "version": "4.25.1"
     },
     {
       "bom-ref": "jsonschema-specifications==2023.3.6",
@@ -412,7 +417,34 @@
       "version": "2023.3.6"
     },
     {
-      "bom-ref": "license-expression==30.3.1",
+      "bom-ref": "lark==1.3.0",
+      "description": "a modern parsing library",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Download",
+          "type": "distribution",
+          "url": "https://github.com/lark-parser/lark/tarball/master"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
+          "type": "website",
+          "url": "https://github.com/lark-parser/lark"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "lark",
+      "purl": "pkg:pypi/lark@1.3.0",
+      "type": "library",
+      "version": "1.3.0"
+    },
+    {
+      "bom-ref": "license-expression==30.4.4",
       "description": "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.",
       "externalReferences": [
         {
@@ -429,14 +461,19 @@
         }
       ],
       "name": "license-expression",
-      "purl": "pkg:pypi/license-expression@30.3.1",
+      "purl": "pkg:pypi/license-expression@30.4.4",
       "type": "library",
-      "version": "30.3.1"
+      "version": "30.4.4"
     },
     {
-      "bom-ref": "lxml==5.3.0",
+      "bom-ref": "lxml==6.0.2",
       "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
       "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://bugs.launchpad.net/lxml"
+        },
         {
           "comment": "from packaging metadata Project-URL: Source",
           "type": "other",
@@ -453,20 +490,15 @@
           "license": {
             "id": "BSD-3-Clause"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
         }
       ],
       "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
+      "purl": "pkg:pypi/lxml@6.0.2",
       "type": "library",
-      "version": "5.3.0"
+      "version": "6.0.2"
     },
     {
-      "bom-ref": "packageurl-python==0.16.0",
+      "bom-ref": "packageurl-python==0.17.5",
       "description": "A purl aka. Package URL parser and builder",
       "externalReferences": [
         {
@@ -483,9 +515,9 @@
         }
       ],
       "name": "packageurl-python",
-      "purl": "pkg:pypi/packageurl-python@0.16.0",
+      "purl": "pkg:pypi/packageurl-python@0.17.5",
       "type": "library",
-      "version": "0.16.0"
+      "version": "0.17.5"
     },
     {
       "bom-ref": "pkgutil_resolve_name==1.3.10",
@@ -510,7 +542,7 @@
       "version": "1.3.10"
     },
     {
-      "bom-ref": "py-serializable==1.1.2",
+      "bom-ref": "py-serializable==2.1.0",
       "description": "Library for serializing and deserializing Python Objects to and from JSON and XML.",
       "externalReferences": [
         {
@@ -529,7 +561,7 @@
           "url": "https://github.com/madpah/serializable"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/madpah/serializable#readme"
         }
@@ -547,9 +579,9 @@
         }
       ],
       "name": "py-serializable",
-      "purl": "pkg:pypi/py-serializable@1.1.2",
+      "purl": "pkg:pypi/py-serializable@2.1.0",
       "type": "library",
-      "version": "1.1.2"
+      "version": "2.1.0"
     },
     {
       "bom-ref": "python-dateutil==2.9.0.post0",
@@ -589,7 +621,7 @@
       "version": "2.9.0.post0"
     },
     {
-      "bom-ref": "referencing==0.35.1",
+      "bom-ref": "referencing==0.37.0",
       "description": "JSON Referencing + Python",
       "externalReferences": [
         {
@@ -636,9 +668,9 @@
         }
       ],
       "name": "referencing",
-      "purl": "pkg:pypi/referencing@0.35.1",
+      "purl": "pkg:pypi/referencing@0.37.0",
       "type": "library",
-      "version": "0.35.1"
+      "version": "0.37.0"
     },
     {
       "bom-ref": "rfc3339-validator==0.1.4",
@@ -663,34 +695,66 @@
       "version": "0.1.4"
     },
     {
-      "bom-ref": "rfc3987==1.3.8",
-      "description": "Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)",
+      "bom-ref": "rfc3986-validator==0.1.1",
+      "description": "Pure python rfc3986 validator",
       "externalReferences": [
         {
-          "comment": "from packaging metadata: Download-URL",
-          "type": "distribution",
-          "url": "https://github.com/dgerber/rfc3987"
+          "comment": "from packaging metadata: Home-page",
+          "type": "website",
+          "url": "https://github.com/naimetti/rfc3986-validator"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "rfc3986-validator",
+      "purl": "pkg:pypi/rfc3986-validator@0.1.1",
+      "type": "library",
+      "version": "0.1.1"
+    },
+    {
+      "bom-ref": "rfc3987-syntax==1.1.0",
+      "description": "Helper functions to syntactically validate strings according to RFC 3987.",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://github.com/willynilly/rfc3987-syntax#readme"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Issues",
+          "type": "issue-tracker",
+          "url": "https://github.com/willynilly/rfc3987-syntax/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Source",
+          "type": "other",
+          "url": "https://github.com/willynilly/rfc3987-syntax"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
-          "url": "http://pypi.python.org/pypi/rfc3987"
+          "url": "https://github.com/willynilly/rfc3987-syntax"
         }
       ],
       "licenses": [
         {
           "license": {
-            "id": "GPL-3.0-or-later"
+            "id": "MIT"
           }
         }
       ],
-      "name": "rfc3987",
-      "purl": "pkg:pypi/rfc3987@1.3.8",
+      "name": "rfc3987-syntax",
+      "purl": "pkg:pypi/rfc3987-syntax@1.1.0",
       "type": "library",
-      "version": "1.3.8"
+      "version": "1.1.0"
     },
     {
-      "bom-ref": "rpds-py==0.20.0",
+      "bom-ref": "rpds-py==0.27.1",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "externalReferences": [
         {
@@ -708,6 +772,11 @@
           "type": "other",
           "url": "https://github.com/crate-py/rpds"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Upstream",
+          "type": "other",
+          "url": "https://github.com/orium/rpds"
+        },
         {
           "comment": "from packaging metadata Project-URL: Funding",
           "type": "other",
@@ -732,12 +801,12 @@
         }
       ],
       "name": "rpds-py",
-      "purl": "pkg:pypi/rpds-py@0.20.0",
+      "purl": "pkg:pypi/rpds-py@0.27.1",
       "type": "library",
-      "version": "0.20.0"
+      "version": "0.27.1"
     },
     {
-      "bom-ref": "six==1.16.0",
+      "bom-ref": "six==1.17.0",
       "description": "Python 2 and 3 compatibility utilities",
       "externalReferences": [
         {
@@ -754,9 +823,9 @@
         }
       ],
       "name": "six",
-      "purl": "pkg:pypi/six@1.16.0",
+      "purl": "pkg:pypi/six@1.17.0",
       "type": "library",
-      "version": "1.16.0"
+      "version": "1.17.0"
     },
     {
       "bom-ref": "sortedcontainers==2.4.0",
@@ -781,7 +850,7 @@
       "version": "2.4.0"
     },
     {
-      "bom-ref": "types-python-dateutil==2.9.0.20241003",
+      "bom-ref": "types-python-dateutil==2.9.0.20251008",
       "description": "Typing stubs for python-dateutil",
       "externalReferences": [
         {
@@ -805,7 +874,7 @@
           "url": "https://github.com/python/typeshed"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/python/typeshed"
         }
@@ -815,17 +884,12 @@
           "license": {
             "id": "Apache-2.0"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: Apache Software License"
-          }
         }
       ],
       "name": "types-python-dateutil",
-      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20241003",
+      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20251008",
       "type": "library",
-      "version": "2.9.0.20241003"
+      "version": "2.9.0.20251008"
     },
     {
       "bom-ref": "uri-template==1.3.0",
@@ -850,17 +914,17 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "webcolors==24.8.0",
+      "bom-ref": "webcolors==24.11.1",
       "description": "A library for working with the color formats defined by HTML and CSS.",
       "externalReferences": [
         {
-          "comment": "from packaging metadata Project-URL: documentation",
+          "comment": "from packaging metadata Project-URL: Documentation",
           "type": "documentation",
           "url": "https://webcolors.readthedocs.io"
         },
         {
-          "comment": "from packaging metadata Project-URL: homepage",
-          "type": "website",
+          "comment": "from packaging metadata Project-URL: Source Code",
+          "type": "other",
           "url": "https://github.com/ubernostrum/webcolors"
         }
       ],
@@ -877,9 +941,9 @@
         }
       ],
       "name": "webcolors",
-      "purl": "pkg:pypi/webcolors@24.8.0",
+      "purl": "pkg:pypi/webcolors@24.11.1",
       "type": "library",
-      "version": "24.8.0"
+      "version": "24.11.1"
     },
     {
       "bom-ref": "zipp==3.20.2",
@@ -908,26 +972,27 @@
     {
       "dependsOn": [
         "python-dateutil==2.9.0.post0",
-        "types-python-dateutil==2.9.0.20241003"
+        "types-python-dateutil==2.9.0.20251008"
       ],
       "ref": "arrow==1.3.0"
     },
     {
-      "ref": "attrs==24.2.0"
+      "ref": "attrs==25.4.0"
     },
     {
-      "ref": "boolean.py==4.0"
+      "ref": "boolean.py==5.0"
     },
     {
       "dependsOn": [
-        "jsonschema==4.23.0",
-        "license-expression==30.3.1",
-        "lxml==5.3.0",
-        "packageurl-python==0.16.0",
-        "py-serializable==1.1.2",
+        "jsonschema==4.25.1",
+        "license-expression==30.4.4",
+        "lxml==6.0.2",
+        "packageurl-python==0.17.5",
+        "py-serializable==2.1.0",
+        "referencing==0.37.0",
         "sortedcontainers==2.4.0"
       ],
-      "ref": "cyclonedx-python-lib==8.2.0"
+      "ref": "cyclonedx-python-lib==11.2.0"
     },
     {
       "ref": "defusedxml==0.7.1"
@@ -936,7 +1001,7 @@
       "ref": "fqdn==1.5.1"
     },
     {
-      "ref": "idna==3.10"
+      "ref": "idna==3.11"
     },
     {
       "dependsOn": [
@@ -956,40 +1021,42 @@
     {
       "dependsOn": [
         "importlib_resources==6.4.5",
-        "referencing==0.35.1"
+        "referencing==0.37.0"
       ],
       "ref": "jsonschema-specifications==2023.3.6"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
+        "attrs==25.4.0",
         "fqdn==1.5.1",
-        "idna==3.10",
-        "importlib_resources==6.4.5",
+        "idna==3.11",
         "isoduration==20.11.0",
         "jsonpointer==3.0.0",
         "jsonschema-specifications==2023.3.6",
-        "pkgutil_resolve_name==1.3.10",
-        "referencing==0.35.1",
+        "referencing==0.37.0",
         "rfc3339-validator==0.1.4",
-        "rfc3987==1.3.8",
-        "rpds-py==0.20.0",
+        "rfc3986-validator==0.1.1",
+        "rfc3987-syntax==1.1.0",
+        "rpds-py==0.27.1",
         "uri-template==1.3.0",
-        "webcolors==24.8.0"
+        "webcolors==24.11.1"
       ],
-      "ref": "jsonschema==4.23.0"
+      "ref": "jsonschema==4.25.1"
+    },
+    {
+      "ref": "lark==1.3.0"
     },
     {
       "dependsOn": [
-        "boolean.py==4.0"
+        "boolean.py==5.0"
       ],
-      "ref": "license-expression==30.3.1"
+      "ref": "license-expression==30.4.4"
     },
     {
-      "ref": "lxml==5.3.0"
+      "ref": "lxml==6.0.2"
     },
     {
-      "ref": "packageurl-python==0.16.0"
+      "ref": "packageurl-python==0.17.5"
     },
     {
       "ref": "pkgutil_resolve_name==1.3.10"
@@ -998,53 +1065,59 @@
       "dependsOn": [
         "defusedxml==0.7.1"
       ],
-      "ref": "py-serializable==1.1.2"
+      "ref": "py-serializable==2.1.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "python-dateutil==2.9.0.post0"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
-        "rpds-py==0.20.0"
+        "attrs==25.4.0",
+        "rpds-py==0.27.1"
       ],
-      "ref": "referencing==0.35.1"
+      "ref": "referencing==0.37.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "rfc3339-validator==0.1.4"
     },
     {
-      "ref": "rfc3987==1.3.8"
+      "ref": "rfc3986-validator==0.1.1"
+    },
+    {
+      "dependsOn": [
+        "lark==1.3.0"
+      ],
+      "ref": "rfc3987-syntax==1.1.0"
     },
     {
       "dependsOn": [
-        "cyclonedx-python-lib==8.2.0"
+        "cyclonedx-python-lib==11.2.0"
       ],
       "ref": "root-component"
     },
     {
-      "ref": "rpds-py==0.20.0"
+      "ref": "rpds-py==0.27.1"
     },
     {
-      "ref": "six==1.16.0"
+      "ref": "six==1.17.0"
     },
     {
       "ref": "sortedcontainers==2.4.0"
     },
     {
-      "ref": "types-python-dateutil==2.9.0.20241003"
+      "ref": "types-python-dateutil==2.9.0.20251008"
     },
     {
       "ref": "uri-template==1.3.0"
     },
     {
-      "ref": "webcolors==24.8.0"
+      "ref": "webcolors==24.11.1"
     },
     {
       "dependsOn": [
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin
index 4f7eb1af..acf7532a 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin
@@ -48,16 +48,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="attrs==24.2.0">
+    <component type="library" bom-ref="attrs==25.4.0">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://www.attrs.org/</url>
@@ -81,16 +81,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="boolean.py==4.0">
+    <component type="library" bom-ref="boolean.py==5.0">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
       <licenses>
         <license>
           <id>BSD-2-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/bastikr/boolean.py</url>
@@ -98,9 +98,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="cyclonedx-python-lib==8.2.0">
+    <component type="library" bom-ref="cyclonedx-python-lib==11.2.0">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
       <licenses>
         <license>
@@ -110,7 +110,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://cyclonedx-python-library.readthedocs.io/</url>
@@ -124,13 +124,17 @@
           <url>https://owasp.org/donate/?reponame=www-project-cyclonedx&amp;title=OWASP+CycloneDX</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/CycloneDX/cyclonedx-python-lib/releases</url>
+          <comment>from packaging metadata Project-URL: Changelog</comment>
+        </reference>
         <reference type="vcs">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
           <comment>from packaging metadata Project-URL: Repository</comment>
         </reference>
         <reference type="website">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
       <properties>
@@ -175,16 +179,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="idna==3.10">
+    <component type="library" bom-ref="idna==3.11">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
       <licenses>
         <license>
-          <name>License :: OSI Approved :: BSD License</name>
+          <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/kjd/idna/issues</url>
@@ -263,16 +267,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="jsonschema==4.23.0">
+    <component type="library" bom-ref="jsonschema==4.25.1">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://python-jsonschema.readthedocs.io/</url>
@@ -304,7 +308,7 @@
         </reference>
       </externalReferences>
       <properties>
-        <property name="cdx:python:package:required-extra">format</property>
+        <property name="cdx:python:package:required-extra">format-nongpl</property>
       </properties>
     </component>
     <component type="library" bom-ref="jsonschema-specifications==2023.3.6">
@@ -340,16 +344,37 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="license-expression==30.3.1">
+    <component type="library" bom-ref="lark==1.3.0">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <externalReferences>
+        <reference type="distribution">
+          <url>https://github.com/lark-parser/lark/tarball/master</url>
+          <comment>from packaging metadata Project-URL: Download</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/lark-parser/lark</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="license-expression==30.4.4">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/aboutcode-org/license-expression</url>
@@ -357,20 +382,21 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
+    <component type="library" bom-ref="lxml==6.0.2">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
       <licenses>
         <license>
           <id>BSD-3-Clause</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <externalReferences>
+        <reference type="issue-tracker">
+          <url>https://bugs.launchpad.net/lxml</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/lxml/lxml</url>
           <comment>from packaging metadata Project-URL: Source</comment>
@@ -381,16 +407,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="packageurl-python==0.16.0">
+    <component type="library" bom-ref="packageurl-python==0.17.5">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/package-url/packageurl-python</url>
@@ -415,9 +441,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="py-serializable==1.1.2">
+    <component type="library" bom-ref="py-serializable==2.1.0">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
       <licenses>
         <license>
@@ -427,7 +453,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://py-serializable.readthedocs.io/</url>
@@ -443,7 +469,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/madpah/serializable#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -475,16 +501,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="referencing==0.35.1">
+    <component type="library" bom-ref="referencing==0.37.0">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://referencing.readthedocs.io/</url>
@@ -533,37 +559,62 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rfc3987==1.3.8">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
+    <component type="library" bom-ref="rfc3986-validator==0.1.1">
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
       <licenses>
         <license>
-          <id>GPL-3.0-or-later</id>
+          <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
       <externalReferences>
-        <reference type="distribution">
-          <url>https://github.com/dgerber/rfc3987</url>
-          <comment>from packaging metadata: Download-URL</comment>
-        </reference>
         <reference type="website">
-          <url>http://pypi.python.org/pypi/rfc3987</url>
+          <url>https://github.com/naimetti/rfc3986-validator</url>
           <comment>from packaging metadata: Home-page</comment>
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rpds-py==0.20.0">
+    <component type="library" bom-ref="rfc3987-syntax==1.1.0">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://github.com/willynilly/rfc3987-syntax#readme</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/willynilly/rfc3987-syntax/issues</url>
+          <comment>from packaging metadata Project-URL: Issues</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Source</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="rpds-py==0.27.1">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://rpds.readthedocs.io/</url>
@@ -577,6 +628,10 @@
           <url>https://github.com/crate-py/rpds</url>
           <comment>from packaging metadata Project-URL: Source</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/orium/rpds</url>
+          <comment>from packaging metadata Project-URL: Upstream</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/sponsors/Julian</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
@@ -591,16 +646,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="six==1.16.0">
+    <component type="library" bom-ref="six==1.17.0">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/benjaminp/six</url>
@@ -625,19 +680,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="types-python-dateutil==2.9.0.20241003">
+    <component type="library" bom-ref="types-python-dateutil==2.9.0.20251008">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: Apache Software License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <externalReferences>
         <reference type="chat">
           <url>https://gitter.im/python/typing</url>
@@ -657,7 +709,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/python/typeshed</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -678,9 +730,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="webcolors==24.8.0">
+    <component type="library" bom-ref="webcolors==24.11.1">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
       <licenses>
         <license>
@@ -690,15 +742,15 @@
           <name>License :: OSI Approved :: BSD License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://webcolors.readthedocs.io</url>
-          <comment>from packaging metadata Project-URL: documentation</comment>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
         </reference>
-        <reference type="website">
+        <reference type="other">
           <url>https://github.com/ubernostrum/webcolors</url>
-          <comment>from packaging metadata Project-URL: homepage</comment>
+          <comment>from packaging metadata Project-URL: Source Code</comment>
         </reference>
       </externalReferences>
     </component>
@@ -723,21 +775,22 @@
   <dependencies>
     <dependency ref="arrow==1.3.0">
       <dependency ref="python-dateutil==2.9.0.post0"/>
-      <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+      <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     </dependency>
-    <dependency ref="attrs==24.2.0"/>
-    <dependency ref="boolean.py==4.0"/>
-    <dependency ref="cyclonedx-python-lib==8.2.0">
-      <dependency ref="jsonschema==4.23.0"/>
-      <dependency ref="license-expression==30.3.1"/>
-      <dependency ref="lxml==5.3.0"/>
-      <dependency ref="packageurl-python==0.16.0"/>
-      <dependency ref="py-serializable==1.1.2"/>
+    <dependency ref="attrs==25.4.0"/>
+    <dependency ref="boolean.py==5.0"/>
+    <dependency ref="cyclonedx-python-lib==11.2.0">
+      <dependency ref="jsonschema==4.25.1"/>
+      <dependency ref="license-expression==30.4.4"/>
+      <dependency ref="lxml==6.0.2"/>
+      <dependency ref="packageurl-python==0.17.5"/>
+      <dependency ref="py-serializable==2.1.0"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
-    <dependency ref="idna==3.10"/>
+    <dependency ref="idna==3.11"/>
     <dependency ref="importlib_resources==6.4.5">
       <dependency ref="zipp==3.20.2"/>
     </dependency>
@@ -747,53 +800,56 @@
     <dependency ref="jsonpointer==3.0.0"/>
     <dependency ref="jsonschema-specifications==2023.3.6">
       <dependency ref="importlib_resources==6.4.5"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
     </dependency>
-    <dependency ref="jsonschema==4.23.0">
-      <dependency ref="attrs==24.2.0"/>
+    <dependency ref="jsonschema==4.25.1">
+      <dependency ref="attrs==25.4.0"/>
       <dependency ref="fqdn==1.5.1"/>
-      <dependency ref="idna==3.10"/>
-      <dependency ref="importlib_resources==6.4.5"/>
+      <dependency ref="idna==3.11"/>
       <dependency ref="isoduration==20.11.0"/>
       <dependency ref="jsonpointer==3.0.0"/>
       <dependency ref="jsonschema-specifications==2023.3.6"/>
-      <dependency ref="pkgutil_resolve_name==1.3.10"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="rfc3339-validator==0.1.4"/>
-      <dependency ref="rfc3987==1.3.8"/>
-      <dependency ref="rpds-py==0.20.0"/>
+      <dependency ref="rfc3986-validator==0.1.1"/>
+      <dependency ref="rfc3987-syntax==1.1.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
       <dependency ref="uri-template==1.3.0"/>
-      <dependency ref="webcolors==24.8.0"/>
+      <dependency ref="webcolors==24.11.1"/>
     </dependency>
-    <dependency ref="license-expression==30.3.1">
-      <dependency ref="boolean.py==4.0"/>
+    <dependency ref="lark==1.3.0"/>
+    <dependency ref="license-expression==30.4.4">
+      <dependency ref="boolean.py==5.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
-    <dependency ref="packageurl-python==0.16.0"/>
+    <dependency ref="lxml==6.0.2"/>
+    <dependency ref="packageurl-python==0.17.5"/>
     <dependency ref="pkgutil_resolve_name==1.3.10"/>
-    <dependency ref="py-serializable==1.1.2">
+    <dependency ref="py-serializable==2.1.0">
       <dependency ref="defusedxml==0.7.1"/>
     </dependency>
     <dependency ref="python-dateutil==2.9.0.post0">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
     </dependency>
-    <dependency ref="referencing==0.35.1">
-      <dependency ref="attrs==24.2.0"/>
-      <dependency ref="rpds-py==0.20.0"/>
+    <dependency ref="referencing==0.37.0">
+      <dependency ref="attrs==25.4.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
+    </dependency>
+    <dependency ref="rfc3986-validator==0.1.1"/>
+    <dependency ref="rfc3987-syntax==1.1.0">
+      <dependency ref="lark==1.3.0"/>
     </dependency>
-    <dependency ref="rfc3987==1.3.8"/>
     <dependency ref="root-component">
-      <dependency ref="cyclonedx-python-lib==8.2.0"/>
+      <dependency ref="cyclonedx-python-lib==11.2.0"/>
     </dependency>
-    <dependency ref="rpds-py==0.20.0"/>
-    <dependency ref="six==1.16.0"/>
+    <dependency ref="rpds-py==0.27.1"/>
+    <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
-    <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+    <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     <dependency ref="uri-template==1.3.0"/>
-    <dependency ref="webcolors==24.8.0"/>
+    <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
       <dependency ref="importlib_resources==6.4.5"/>
     </dependency>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin
index e01cccf4..77f811b8 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin
@@ -33,7 +33,7 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "attrs==24.2.0",
+      "bom-ref": "attrs==25.4.0",
       "description": "Classes Without Boilerplate",
       "externalReferences": [
         {
@@ -70,12 +70,12 @@
         }
       ],
       "name": "attrs",
-      "purl": "pkg:pypi/attrs@24.2.0",
+      "purl": "pkg:pypi/attrs@25.4.0",
       "type": "library",
-      "version": "24.2.0"
+      "version": "25.4.0"
     },
     {
-      "bom-ref": "boolean.py==4.0",
+      "bom-ref": "boolean.py==5.0",
       "description": "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.",
       "externalReferences": [
         {
@@ -92,12 +92,12 @@
         }
       ],
       "name": "boolean.py",
-      "purl": "pkg:pypi/boolean.py@4.0",
+      "purl": "pkg:pypi/boolean.py@5.0",
       "type": "library",
-      "version": "4.0"
+      "version": "5.0"
     },
     {
-      "bom-ref": "cyclonedx-python-lib==8.2.0",
+      "bom-ref": "cyclonedx-python-lib==11.2.0",
       "description": "Python library for CycloneDX",
       "externalReferences": [
         {
@@ -115,13 +115,18 @@
           "type": "other",
           "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Changelog",
+          "type": "release-notes",
+          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/releases"
+        },
         {
           "comment": "from packaging metadata Project-URL: Repository",
           "type": "vcs",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
         }
@@ -145,9 +150,9 @@
           "value": "xml-validation"
         }
       ],
-      "purl": "pkg:pypi/cyclonedx-python-lib@8.2.0",
+      "purl": "pkg:pypi/cyclonedx-python-lib@11.2.0",
       "type": "library",
-      "version": "8.2.0"
+      "version": "11.2.0"
     },
     {
       "bom-ref": "defusedxml==0.7.1",
@@ -199,7 +204,7 @@
       "version": "1.5.1"
     },
     {
-      "bom-ref": "idna==3.10",
+      "bom-ref": "idna==3.11",
       "description": "Internationalized Domain Names in Applications (IDNA)",
       "externalReferences": [
         {
@@ -221,14 +226,14 @@
       "licenses": [
         {
           "license": {
-            "name": "License :: OSI Approved :: BSD License"
+            "id": "BSD-3-Clause"
           }
         }
       ],
       "name": "idna",
-      "purl": "pkg:pypi/idna@3.10",
+      "purl": "pkg:pypi/idna@3.11",
       "type": "library",
-      "version": "3.10"
+      "version": "3.11"
     },
     {
       "bom-ref": "importlib_resources==6.4.5",
@@ -312,7 +317,7 @@
       "version": "3.0.0"
     },
     {
-      "bom-ref": "jsonschema==4.23.0",
+      "bom-ref": "jsonschema==4.25.1",
       "description": "An implementation of JSON Schema validation for Python",
       "externalReferences": [
         {
@@ -362,12 +367,12 @@
       "properties": [
         {
           "name": "cdx:python:package:required-extra",
-          "value": "format"
+          "value": "format-nongpl"
         }
       ],
-      "purl": "pkg:pypi/jsonschema@4.23.0",
+      "purl": "pkg:pypi/jsonschema@4.25.1",
       "type": "library",
-      "version": "4.23.0"
+      "version": "4.25.1"
     },
     {
       "bom-ref": "jsonschema-specifications==2023.3.6",
@@ -412,7 +417,34 @@
       "version": "2023.3.6"
     },
     {
-      "bom-ref": "license-expression==30.3.1",
+      "bom-ref": "lark==1.3.0",
+      "description": "a modern parsing library",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Download",
+          "type": "distribution",
+          "url": "https://github.com/lark-parser/lark/tarball/master"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
+          "type": "website",
+          "url": "https://github.com/lark-parser/lark"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "lark",
+      "purl": "pkg:pypi/lark@1.3.0",
+      "type": "library",
+      "version": "1.3.0"
+    },
+    {
+      "bom-ref": "license-expression==30.4.4",
       "description": "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.",
       "externalReferences": [
         {
@@ -429,14 +461,19 @@
         }
       ],
       "name": "license-expression",
-      "purl": "pkg:pypi/license-expression@30.3.1",
+      "purl": "pkg:pypi/license-expression@30.4.4",
       "type": "library",
-      "version": "30.3.1"
+      "version": "30.4.4"
     },
     {
-      "bom-ref": "lxml==5.3.0",
+      "bom-ref": "lxml==6.0.2",
       "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
       "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://bugs.launchpad.net/lxml"
+        },
         {
           "comment": "from packaging metadata Project-URL: Source",
           "type": "other",
@@ -453,20 +490,15 @@
           "license": {
             "id": "BSD-3-Clause"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
         }
       ],
       "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
+      "purl": "pkg:pypi/lxml@6.0.2",
       "type": "library",
-      "version": "5.3.0"
+      "version": "6.0.2"
     },
     {
-      "bom-ref": "packageurl-python==0.16.0",
+      "bom-ref": "packageurl-python==0.17.5",
       "description": "A purl aka. Package URL parser and builder",
       "externalReferences": [
         {
@@ -483,9 +515,9 @@
         }
       ],
       "name": "packageurl-python",
-      "purl": "pkg:pypi/packageurl-python@0.16.0",
+      "purl": "pkg:pypi/packageurl-python@0.17.5",
       "type": "library",
-      "version": "0.16.0"
+      "version": "0.17.5"
     },
     {
       "bom-ref": "pkgutil_resolve_name==1.3.10",
@@ -510,7 +542,7 @@
       "version": "1.3.10"
     },
     {
-      "bom-ref": "py-serializable==1.1.2",
+      "bom-ref": "py-serializable==2.1.0",
       "description": "Library for serializing and deserializing Python Objects to and from JSON and XML.",
       "externalReferences": [
         {
@@ -529,7 +561,7 @@
           "url": "https://github.com/madpah/serializable"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/madpah/serializable#readme"
         }
@@ -547,9 +579,9 @@
         }
       ],
       "name": "py-serializable",
-      "purl": "pkg:pypi/py-serializable@1.1.2",
+      "purl": "pkg:pypi/py-serializable@2.1.0",
       "type": "library",
-      "version": "1.1.2"
+      "version": "2.1.0"
     },
     {
       "bom-ref": "python-dateutil==2.9.0.post0",
@@ -589,7 +621,7 @@
       "version": "2.9.0.post0"
     },
     {
-      "bom-ref": "referencing==0.35.1",
+      "bom-ref": "referencing==0.37.0",
       "description": "JSON Referencing + Python",
       "externalReferences": [
         {
@@ -636,9 +668,9 @@
         }
       ],
       "name": "referencing",
-      "purl": "pkg:pypi/referencing@0.35.1",
+      "purl": "pkg:pypi/referencing@0.37.0",
       "type": "library",
-      "version": "0.35.1"
+      "version": "0.37.0"
     },
     {
       "bom-ref": "rfc3339-validator==0.1.4",
@@ -663,34 +695,66 @@
       "version": "0.1.4"
     },
     {
-      "bom-ref": "rfc3987==1.3.8",
-      "description": "Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)",
+      "bom-ref": "rfc3986-validator==0.1.1",
+      "description": "Pure python rfc3986 validator",
       "externalReferences": [
         {
-          "comment": "from packaging metadata: Download-URL",
-          "type": "distribution",
-          "url": "https://github.com/dgerber/rfc3987"
+          "comment": "from packaging metadata: Home-page",
+          "type": "website",
+          "url": "https://github.com/naimetti/rfc3986-validator"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "rfc3986-validator",
+      "purl": "pkg:pypi/rfc3986-validator@0.1.1",
+      "type": "library",
+      "version": "0.1.1"
+    },
+    {
+      "bom-ref": "rfc3987-syntax==1.1.0",
+      "description": "Helper functions to syntactically validate strings according to RFC 3987.",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://github.com/willynilly/rfc3987-syntax#readme"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Issues",
+          "type": "issue-tracker",
+          "url": "https://github.com/willynilly/rfc3987-syntax/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Source",
+          "type": "other",
+          "url": "https://github.com/willynilly/rfc3987-syntax"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
-          "url": "http://pypi.python.org/pypi/rfc3987"
+          "url": "https://github.com/willynilly/rfc3987-syntax"
         }
       ],
       "licenses": [
         {
           "license": {
-            "id": "GPL-3.0-or-later"
+            "id": "MIT"
           }
         }
       ],
-      "name": "rfc3987",
-      "purl": "pkg:pypi/rfc3987@1.3.8",
+      "name": "rfc3987-syntax",
+      "purl": "pkg:pypi/rfc3987-syntax@1.1.0",
       "type": "library",
-      "version": "1.3.8"
+      "version": "1.1.0"
     },
     {
-      "bom-ref": "rpds-py==0.20.0",
+      "bom-ref": "rpds-py==0.27.1",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "externalReferences": [
         {
@@ -708,6 +772,11 @@
           "type": "other",
           "url": "https://github.com/crate-py/rpds"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Upstream",
+          "type": "other",
+          "url": "https://github.com/orium/rpds"
+        },
         {
           "comment": "from packaging metadata Project-URL: Funding",
           "type": "other",
@@ -732,12 +801,12 @@
         }
       ],
       "name": "rpds-py",
-      "purl": "pkg:pypi/rpds-py@0.20.0",
+      "purl": "pkg:pypi/rpds-py@0.27.1",
       "type": "library",
-      "version": "0.20.0"
+      "version": "0.27.1"
     },
     {
-      "bom-ref": "six==1.16.0",
+      "bom-ref": "six==1.17.0",
       "description": "Python 2 and 3 compatibility utilities",
       "externalReferences": [
         {
@@ -754,9 +823,9 @@
         }
       ],
       "name": "six",
-      "purl": "pkg:pypi/six@1.16.0",
+      "purl": "pkg:pypi/six@1.17.0",
       "type": "library",
-      "version": "1.16.0"
+      "version": "1.17.0"
     },
     {
       "bom-ref": "sortedcontainers==2.4.0",
@@ -781,7 +850,7 @@
       "version": "2.4.0"
     },
     {
-      "bom-ref": "types-python-dateutil==2.9.0.20241003",
+      "bom-ref": "types-python-dateutil==2.9.0.20251008",
       "description": "Typing stubs for python-dateutil",
       "externalReferences": [
         {
@@ -805,7 +874,7 @@
           "url": "https://github.com/python/typeshed"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/python/typeshed"
         }
@@ -815,17 +884,12 @@
           "license": {
             "id": "Apache-2.0"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: Apache Software License"
-          }
         }
       ],
       "name": "types-python-dateutil",
-      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20241003",
+      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20251008",
       "type": "library",
-      "version": "2.9.0.20241003"
+      "version": "2.9.0.20251008"
     },
     {
       "bom-ref": "uri-template==1.3.0",
@@ -850,17 +914,17 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "webcolors==24.8.0",
+      "bom-ref": "webcolors==24.11.1",
       "description": "A library for working with the color formats defined by HTML and CSS.",
       "externalReferences": [
         {
-          "comment": "from packaging metadata Project-URL: documentation",
+          "comment": "from packaging metadata Project-URL: Documentation",
           "type": "documentation",
           "url": "https://webcolors.readthedocs.io"
         },
         {
-          "comment": "from packaging metadata Project-URL: homepage",
-          "type": "website",
+          "comment": "from packaging metadata Project-URL: Source Code",
+          "type": "other",
           "url": "https://github.com/ubernostrum/webcolors"
         }
       ],
@@ -877,9 +941,9 @@
         }
       ],
       "name": "webcolors",
-      "purl": "pkg:pypi/webcolors@24.8.0",
+      "purl": "pkg:pypi/webcolors@24.11.1",
       "type": "library",
-      "version": "24.8.0"
+      "version": "24.11.1"
     },
     {
       "bom-ref": "zipp==3.20.2",
@@ -908,26 +972,27 @@
     {
       "dependsOn": [
         "python-dateutil==2.9.0.post0",
-        "types-python-dateutil==2.9.0.20241003"
+        "types-python-dateutil==2.9.0.20251008"
       ],
       "ref": "arrow==1.3.0"
     },
     {
-      "ref": "attrs==24.2.0"
+      "ref": "attrs==25.4.0"
     },
     {
-      "ref": "boolean.py==4.0"
+      "ref": "boolean.py==5.0"
     },
     {
       "dependsOn": [
-        "jsonschema==4.23.0",
-        "license-expression==30.3.1",
-        "lxml==5.3.0",
-        "packageurl-python==0.16.0",
-        "py-serializable==1.1.2",
+        "jsonschema==4.25.1",
+        "license-expression==30.4.4",
+        "lxml==6.0.2",
+        "packageurl-python==0.17.5",
+        "py-serializable==2.1.0",
+        "referencing==0.37.0",
         "sortedcontainers==2.4.0"
       ],
-      "ref": "cyclonedx-python-lib==8.2.0"
+      "ref": "cyclonedx-python-lib==11.2.0"
     },
     {
       "ref": "defusedxml==0.7.1"
@@ -936,7 +1001,7 @@
       "ref": "fqdn==1.5.1"
     },
     {
-      "ref": "idna==3.10"
+      "ref": "idna==3.11"
     },
     {
       "dependsOn": [
@@ -956,40 +1021,42 @@
     {
       "dependsOn": [
         "importlib_resources==6.4.5",
-        "referencing==0.35.1"
+        "referencing==0.37.0"
       ],
       "ref": "jsonschema-specifications==2023.3.6"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
+        "attrs==25.4.0",
         "fqdn==1.5.1",
-        "idna==3.10",
-        "importlib_resources==6.4.5",
+        "idna==3.11",
         "isoduration==20.11.0",
         "jsonpointer==3.0.0",
         "jsonschema-specifications==2023.3.6",
-        "pkgutil_resolve_name==1.3.10",
-        "referencing==0.35.1",
+        "referencing==0.37.0",
         "rfc3339-validator==0.1.4",
-        "rfc3987==1.3.8",
-        "rpds-py==0.20.0",
+        "rfc3986-validator==0.1.1",
+        "rfc3987-syntax==1.1.0",
+        "rpds-py==0.27.1",
         "uri-template==1.3.0",
-        "webcolors==24.8.0"
+        "webcolors==24.11.1"
       ],
-      "ref": "jsonschema==4.23.0"
+      "ref": "jsonschema==4.25.1"
+    },
+    {
+      "ref": "lark==1.3.0"
     },
     {
       "dependsOn": [
-        "boolean.py==4.0"
+        "boolean.py==5.0"
       ],
-      "ref": "license-expression==30.3.1"
+      "ref": "license-expression==30.4.4"
     },
     {
-      "ref": "lxml==5.3.0"
+      "ref": "lxml==6.0.2"
     },
     {
-      "ref": "packageurl-python==0.16.0"
+      "ref": "packageurl-python==0.17.5"
     },
     {
       "ref": "pkgutil_resolve_name==1.3.10"
@@ -998,53 +1065,59 @@
       "dependsOn": [
         "defusedxml==0.7.1"
       ],
-      "ref": "py-serializable==1.1.2"
+      "ref": "py-serializable==2.1.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "python-dateutil==2.9.0.post0"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
-        "rpds-py==0.20.0"
+        "attrs==25.4.0",
+        "rpds-py==0.27.1"
       ],
-      "ref": "referencing==0.35.1"
+      "ref": "referencing==0.37.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "rfc3339-validator==0.1.4"
     },
     {
-      "ref": "rfc3987==1.3.8"
+      "ref": "rfc3986-validator==0.1.1"
+    },
+    {
+      "dependsOn": [
+        "lark==1.3.0"
+      ],
+      "ref": "rfc3987-syntax==1.1.0"
     },
     {
       "dependsOn": [
-        "cyclonedx-python-lib==8.2.0"
+        "cyclonedx-python-lib==11.2.0"
       ],
       "ref": "root-component"
     },
     {
-      "ref": "rpds-py==0.20.0"
+      "ref": "rpds-py==0.27.1"
     },
     {
-      "ref": "six==1.16.0"
+      "ref": "six==1.17.0"
     },
     {
       "ref": "sortedcontainers==2.4.0"
     },
     {
-      "ref": "types-python-dateutil==2.9.0.20241003"
+      "ref": "types-python-dateutil==2.9.0.20251008"
     },
     {
       "ref": "uri-template==1.3.0"
     },
     {
-      "ref": "webcolors==24.8.0"
+      "ref": "webcolors==24.11.1"
     },
     {
       "dependsOn": [
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin
index d6f2a8ec..24019cad 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin
@@ -75,16 +75,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="attrs==24.2.0">
+    <component type="library" bom-ref="attrs==25.4.0">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://www.attrs.org/</url>
@@ -108,16 +108,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="boolean.py==4.0">
+    <component type="library" bom-ref="boolean.py==5.0">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
       <licenses>
         <license>
           <id>BSD-2-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/bastikr/boolean.py</url>
@@ -125,9 +125,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="cyclonedx-python-lib==8.2.0">
+    <component type="library" bom-ref="cyclonedx-python-lib==11.2.0">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
       <licenses>
         <license>
@@ -137,7 +137,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://cyclonedx-python-library.readthedocs.io/</url>
@@ -151,13 +151,17 @@
           <url>https://owasp.org/donate/?reponame=www-project-cyclonedx&amp;title=OWASP+CycloneDX</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
         </reference>
+        <reference type="release-notes">
+          <url>https://github.com/CycloneDX/cyclonedx-python-lib/releases</url>
+          <comment>from packaging metadata Project-URL: Changelog</comment>
+        </reference>
         <reference type="vcs">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
           <comment>from packaging metadata Project-URL: Repository</comment>
         </reference>
         <reference type="website">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
       <properties>
@@ -202,16 +206,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="idna==3.10">
+    <component type="library" bom-ref="idna==3.11">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
       <licenses>
         <license>
-          <name>License :: OSI Approved :: BSD License</name>
+          <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/kjd/idna/issues</url>
@@ -290,16 +294,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="jsonschema==4.23.0">
+    <component type="library" bom-ref="jsonschema==4.25.1">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://python-jsonschema.readthedocs.io/</url>
@@ -331,7 +335,7 @@
         </reference>
       </externalReferences>
       <properties>
-        <property name="cdx:python:package:required-extra">format</property>
+        <property name="cdx:python:package:required-extra">format-nongpl</property>
       </properties>
     </component>
     <component type="library" bom-ref="jsonschema-specifications==2023.3.6">
@@ -367,16 +371,37 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="license-expression==30.3.1">
+    <component type="library" bom-ref="lark==1.3.0">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <externalReferences>
+        <reference type="distribution">
+          <url>https://github.com/lark-parser/lark/tarball/master</url>
+          <comment>from packaging metadata Project-URL: Download</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/lark-parser/lark</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="license-expression==30.4.4">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/aboutcode-org/license-expression</url>
@@ -384,20 +409,21 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
+    <component type="library" bom-ref="lxml==6.0.2">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
       <licenses>
         <license>
           <id>BSD-3-Clause</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <externalReferences>
+        <reference type="issue-tracker">
+          <url>https://bugs.launchpad.net/lxml</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/lxml/lxml</url>
           <comment>from packaging metadata Project-URL: Source</comment>
@@ -408,16 +434,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="packageurl-python==0.16.0">
+    <component type="library" bom-ref="packageurl-python==0.17.5">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/package-url/packageurl-python</url>
@@ -442,9 +468,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="py-serializable==1.1.2">
+    <component type="library" bom-ref="py-serializable==2.1.0">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
       <licenses>
         <license>
@@ -454,7 +480,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://py-serializable.readthedocs.io/</url>
@@ -470,7 +496,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/madpah/serializable#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -502,16 +528,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="referencing==0.35.1">
+    <component type="library" bom-ref="referencing==0.37.0">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://referencing.readthedocs.io/</url>
@@ -560,37 +586,62 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rfc3987==1.3.8">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
+    <component type="library" bom-ref="rfc3986-validator==0.1.1">
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
       <licenses>
         <license>
-          <id>GPL-3.0-or-later</id>
+          <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
       <externalReferences>
-        <reference type="distribution">
-          <url>https://github.com/dgerber/rfc3987</url>
-          <comment>from packaging metadata: Download-URL</comment>
-        </reference>
         <reference type="website">
-          <url>http://pypi.python.org/pypi/rfc3987</url>
+          <url>https://github.com/naimetti/rfc3986-validator</url>
           <comment>from packaging metadata: Home-page</comment>
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rpds-py==0.20.0">
+    <component type="library" bom-ref="rfc3987-syntax==1.1.0">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://github.com/willynilly/rfc3987-syntax#readme</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/willynilly/rfc3987-syntax/issues</url>
+          <comment>from packaging metadata Project-URL: Issues</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Source</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="rpds-py==0.27.1">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://rpds.readthedocs.io/</url>
@@ -604,6 +655,10 @@
           <url>https://github.com/crate-py/rpds</url>
           <comment>from packaging metadata Project-URL: Source</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/orium/rpds</url>
+          <comment>from packaging metadata Project-URL: Upstream</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/sponsors/Julian</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
@@ -618,16 +673,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="six==1.16.0">
+    <component type="library" bom-ref="six==1.17.0">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/benjaminp/six</url>
@@ -652,19 +707,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="types-python-dateutil==2.9.0.20241003">
+    <component type="library" bom-ref="types-python-dateutil==2.9.0.20251008">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: Apache Software License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <externalReferences>
         <reference type="chat">
           <url>https://gitter.im/python/typing</url>
@@ -684,7 +736,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/python/typeshed</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -705,9 +757,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="webcolors==24.8.0">
+    <component type="library" bom-ref="webcolors==24.11.1">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
       <licenses>
         <license>
@@ -717,15 +769,15 @@
           <name>License :: OSI Approved :: BSD License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://webcolors.readthedocs.io</url>
-          <comment>from packaging metadata Project-URL: documentation</comment>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
         </reference>
-        <reference type="website">
+        <reference type="other">
           <url>https://github.com/ubernostrum/webcolors</url>
-          <comment>from packaging metadata Project-URL: homepage</comment>
+          <comment>from packaging metadata Project-URL: Source Code</comment>
         </reference>
       </externalReferences>
     </component>
@@ -750,21 +802,22 @@
   <dependencies>
     <dependency ref="arrow==1.3.0">
       <dependency ref="python-dateutil==2.9.0.post0"/>
-      <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+      <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     </dependency>
-    <dependency ref="attrs==24.2.0"/>
-    <dependency ref="boolean.py==4.0"/>
-    <dependency ref="cyclonedx-python-lib==8.2.0">
-      <dependency ref="jsonschema==4.23.0"/>
-      <dependency ref="license-expression==30.3.1"/>
-      <dependency ref="lxml==5.3.0"/>
-      <dependency ref="packageurl-python==0.16.0"/>
-      <dependency ref="py-serializable==1.1.2"/>
+    <dependency ref="attrs==25.4.0"/>
+    <dependency ref="boolean.py==5.0"/>
+    <dependency ref="cyclonedx-python-lib==11.2.0">
+      <dependency ref="jsonschema==4.25.1"/>
+      <dependency ref="license-expression==30.4.4"/>
+      <dependency ref="lxml==6.0.2"/>
+      <dependency ref="packageurl-python==0.17.5"/>
+      <dependency ref="py-serializable==2.1.0"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
-    <dependency ref="idna==3.10"/>
+    <dependency ref="idna==3.11"/>
     <dependency ref="importlib_resources==6.4.5">
       <dependency ref="zipp==3.20.2"/>
     </dependency>
@@ -774,53 +827,56 @@
     <dependency ref="jsonpointer==3.0.0"/>
     <dependency ref="jsonschema-specifications==2023.3.6">
       <dependency ref="importlib_resources==6.4.5"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
     </dependency>
-    <dependency ref="jsonschema==4.23.0">
-      <dependency ref="attrs==24.2.0"/>
+    <dependency ref="jsonschema==4.25.1">
+      <dependency ref="attrs==25.4.0"/>
       <dependency ref="fqdn==1.5.1"/>
-      <dependency ref="idna==3.10"/>
-      <dependency ref="importlib_resources==6.4.5"/>
+      <dependency ref="idna==3.11"/>
       <dependency ref="isoduration==20.11.0"/>
       <dependency ref="jsonpointer==3.0.0"/>
       <dependency ref="jsonschema-specifications==2023.3.6"/>
-      <dependency ref="pkgutil_resolve_name==1.3.10"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="rfc3339-validator==0.1.4"/>
-      <dependency ref="rfc3987==1.3.8"/>
-      <dependency ref="rpds-py==0.20.0"/>
+      <dependency ref="rfc3986-validator==0.1.1"/>
+      <dependency ref="rfc3987-syntax==1.1.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
       <dependency ref="uri-template==1.3.0"/>
-      <dependency ref="webcolors==24.8.0"/>
+      <dependency ref="webcolors==24.11.1"/>
     </dependency>
-    <dependency ref="license-expression==30.3.1">
-      <dependency ref="boolean.py==4.0"/>
+    <dependency ref="lark==1.3.0"/>
+    <dependency ref="license-expression==30.4.4">
+      <dependency ref="boolean.py==5.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
-    <dependency ref="packageurl-python==0.16.0"/>
+    <dependency ref="lxml==6.0.2"/>
+    <dependency ref="packageurl-python==0.17.5"/>
     <dependency ref="pkgutil_resolve_name==1.3.10"/>
-    <dependency ref="py-serializable==1.1.2">
+    <dependency ref="py-serializable==2.1.0">
       <dependency ref="defusedxml==0.7.1"/>
     </dependency>
     <dependency ref="python-dateutil==2.9.0.post0">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
     </dependency>
-    <dependency ref="referencing==0.35.1">
-      <dependency ref="attrs==24.2.0"/>
-      <dependency ref="rpds-py==0.20.0"/>
+    <dependency ref="referencing==0.37.0">
+      <dependency ref="attrs==25.4.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
+    </dependency>
+    <dependency ref="rfc3986-validator==0.1.1"/>
+    <dependency ref="rfc3987-syntax==1.1.0">
+      <dependency ref="lark==1.3.0"/>
     </dependency>
-    <dependency ref="rfc3987==1.3.8"/>
     <dependency ref="root-component">
-      <dependency ref="cyclonedx-python-lib==8.2.0"/>
+      <dependency ref="cyclonedx-python-lib==11.2.0"/>
     </dependency>
-    <dependency ref="rpds-py==0.20.0"/>
-    <dependency ref="six==1.16.0"/>
+    <dependency ref="rpds-py==0.27.1"/>
+    <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
-    <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+    <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     <dependency ref="uri-template==1.3.0"/>
-    <dependency ref="webcolors==24.8.0"/>
+    <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
       <dependency ref="importlib_resources==6.4.5"/>
     </dependency>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin
index 333b25a3..378082b5 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin
@@ -33,7 +33,7 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "attrs==24.2.0",
+      "bom-ref": "attrs==25.4.0",
       "description": "Classes Without Boilerplate",
       "externalReferences": [
         {
@@ -70,12 +70,12 @@
         }
       ],
       "name": "attrs",
-      "purl": "pkg:pypi/attrs@24.2.0",
+      "purl": "pkg:pypi/attrs@25.4.0",
       "type": "library",
-      "version": "24.2.0"
+      "version": "25.4.0"
     },
     {
-      "bom-ref": "boolean.py==4.0",
+      "bom-ref": "boolean.py==5.0",
       "description": "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.",
       "externalReferences": [
         {
@@ -92,12 +92,12 @@
         }
       ],
       "name": "boolean.py",
-      "purl": "pkg:pypi/boolean.py@4.0",
+      "purl": "pkg:pypi/boolean.py@5.0",
       "type": "library",
-      "version": "4.0"
+      "version": "5.0"
     },
     {
-      "bom-ref": "cyclonedx-python-lib==8.2.0",
+      "bom-ref": "cyclonedx-python-lib==11.2.0",
       "description": "Python library for CycloneDX",
       "externalReferences": [
         {
@@ -115,13 +115,18 @@
           "type": "other",
           "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Changelog",
+          "type": "release-notes",
+          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/releases"
+        },
         {
           "comment": "from packaging metadata Project-URL: Repository",
           "type": "vcs",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
         }
@@ -145,9 +150,9 @@
           "value": "xml-validation"
         }
       ],
-      "purl": "pkg:pypi/cyclonedx-python-lib@8.2.0",
+      "purl": "pkg:pypi/cyclonedx-python-lib@11.2.0",
       "type": "library",
-      "version": "8.2.0"
+      "version": "11.2.0"
     },
     {
       "bom-ref": "defusedxml==0.7.1",
@@ -199,7 +204,7 @@
       "version": "1.5.1"
     },
     {
-      "bom-ref": "idna==3.10",
+      "bom-ref": "idna==3.11",
       "description": "Internationalized Domain Names in Applications (IDNA)",
       "externalReferences": [
         {
@@ -221,14 +226,14 @@
       "licenses": [
         {
           "license": {
-            "name": "License :: OSI Approved :: BSD License"
+            "id": "BSD-3-Clause"
           }
         }
       ],
       "name": "idna",
-      "purl": "pkg:pypi/idna@3.10",
+      "purl": "pkg:pypi/idna@3.11",
       "type": "library",
-      "version": "3.10"
+      "version": "3.11"
     },
     {
       "bom-ref": "importlib_resources==6.4.5",
@@ -312,7 +317,7 @@
       "version": "3.0.0"
     },
     {
-      "bom-ref": "jsonschema==4.23.0",
+      "bom-ref": "jsonschema==4.25.1",
       "description": "An implementation of JSON Schema validation for Python",
       "externalReferences": [
         {
@@ -362,12 +367,12 @@
       "properties": [
         {
           "name": "cdx:python:package:required-extra",
-          "value": "format"
+          "value": "format-nongpl"
         }
       ],
-      "purl": "pkg:pypi/jsonschema@4.23.0",
+      "purl": "pkg:pypi/jsonschema@4.25.1",
       "type": "library",
-      "version": "4.23.0"
+      "version": "4.25.1"
     },
     {
       "bom-ref": "jsonschema-specifications==2023.3.6",
@@ -412,7 +417,34 @@
       "version": "2023.3.6"
     },
     {
-      "bom-ref": "license-expression==30.3.1",
+      "bom-ref": "lark==1.3.0",
+      "description": "a modern parsing library",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Download",
+          "type": "distribution",
+          "url": "https://github.com/lark-parser/lark/tarball/master"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
+          "type": "website",
+          "url": "https://github.com/lark-parser/lark"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "lark",
+      "purl": "pkg:pypi/lark@1.3.0",
+      "type": "library",
+      "version": "1.3.0"
+    },
+    {
+      "bom-ref": "license-expression==30.4.4",
       "description": "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.",
       "externalReferences": [
         {
@@ -429,14 +461,19 @@
         }
       ],
       "name": "license-expression",
-      "purl": "pkg:pypi/license-expression@30.3.1",
+      "purl": "pkg:pypi/license-expression@30.4.4",
       "type": "library",
-      "version": "30.3.1"
+      "version": "30.4.4"
     },
     {
-      "bom-ref": "lxml==5.3.0",
+      "bom-ref": "lxml==6.0.2",
       "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
       "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://bugs.launchpad.net/lxml"
+        },
         {
           "comment": "from packaging metadata Project-URL: Source",
           "type": "other",
@@ -453,20 +490,15 @@
           "license": {
             "id": "BSD-3-Clause"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: BSD License"
-          }
         }
       ],
       "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
+      "purl": "pkg:pypi/lxml@6.0.2",
       "type": "library",
-      "version": "5.3.0"
+      "version": "6.0.2"
     },
     {
-      "bom-ref": "packageurl-python==0.16.0",
+      "bom-ref": "packageurl-python==0.17.5",
       "description": "A purl aka. Package URL parser and builder",
       "externalReferences": [
         {
@@ -483,9 +515,9 @@
         }
       ],
       "name": "packageurl-python",
-      "purl": "pkg:pypi/packageurl-python@0.16.0",
+      "purl": "pkg:pypi/packageurl-python@0.17.5",
       "type": "library",
-      "version": "0.16.0"
+      "version": "0.17.5"
     },
     {
       "bom-ref": "pkgutil_resolve_name==1.3.10",
@@ -510,7 +542,7 @@
       "version": "1.3.10"
     },
     {
-      "bom-ref": "py-serializable==1.1.2",
+      "bom-ref": "py-serializable==2.1.0",
       "description": "Library for serializing and deserializing Python Objects to and from JSON and XML.",
       "externalReferences": [
         {
@@ -529,7 +561,7 @@
           "url": "https://github.com/madpah/serializable"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/madpah/serializable#readme"
         }
@@ -547,9 +579,9 @@
         }
       ],
       "name": "py-serializable",
-      "purl": "pkg:pypi/py-serializable@1.1.2",
+      "purl": "pkg:pypi/py-serializable@2.1.0",
       "type": "library",
-      "version": "1.1.2"
+      "version": "2.1.0"
     },
     {
       "bom-ref": "python-dateutil==2.9.0.post0",
@@ -589,7 +621,7 @@
       "version": "2.9.0.post0"
     },
     {
-      "bom-ref": "referencing==0.35.1",
+      "bom-ref": "referencing==0.37.0",
       "description": "JSON Referencing + Python",
       "externalReferences": [
         {
@@ -636,9 +668,9 @@
         }
       ],
       "name": "referencing",
-      "purl": "pkg:pypi/referencing@0.35.1",
+      "purl": "pkg:pypi/referencing@0.37.0",
       "type": "library",
-      "version": "0.35.1"
+      "version": "0.37.0"
     },
     {
       "bom-ref": "rfc3339-validator==0.1.4",
@@ -663,34 +695,66 @@
       "version": "0.1.4"
     },
     {
-      "bom-ref": "rfc3987==1.3.8",
-      "description": "Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)",
+      "bom-ref": "rfc3986-validator==0.1.1",
+      "description": "Pure python rfc3986 validator",
       "externalReferences": [
         {
-          "comment": "from packaging metadata: Download-URL",
-          "type": "distribution",
-          "url": "https://github.com/dgerber/rfc3987"
+          "comment": "from packaging metadata: Home-page",
+          "type": "website",
+          "url": "https://github.com/naimetti/rfc3986-validator"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "rfc3986-validator",
+      "purl": "pkg:pypi/rfc3986-validator@0.1.1",
+      "type": "library",
+      "version": "0.1.1"
+    },
+    {
+      "bom-ref": "rfc3987-syntax==1.1.0",
+      "description": "Helper functions to syntactically validate strings according to RFC 3987.",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://github.com/willynilly/rfc3987-syntax#readme"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Issues",
+          "type": "issue-tracker",
+          "url": "https://github.com/willynilly/rfc3987-syntax/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Source",
+          "type": "other",
+          "url": "https://github.com/willynilly/rfc3987-syntax"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
-          "url": "http://pypi.python.org/pypi/rfc3987"
+          "url": "https://github.com/willynilly/rfc3987-syntax"
         }
       ],
       "licenses": [
         {
           "license": {
-            "id": "GPL-3.0-or-later"
+            "id": "MIT"
           }
         }
       ],
-      "name": "rfc3987",
-      "purl": "pkg:pypi/rfc3987@1.3.8",
+      "name": "rfc3987-syntax",
+      "purl": "pkg:pypi/rfc3987-syntax@1.1.0",
       "type": "library",
-      "version": "1.3.8"
+      "version": "1.1.0"
     },
     {
-      "bom-ref": "rpds-py==0.20.0",
+      "bom-ref": "rpds-py==0.27.1",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "externalReferences": [
         {
@@ -708,6 +772,11 @@
           "type": "other",
           "url": "https://github.com/crate-py/rpds"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Upstream",
+          "type": "other",
+          "url": "https://github.com/orium/rpds"
+        },
         {
           "comment": "from packaging metadata Project-URL: Funding",
           "type": "other",
@@ -732,12 +801,12 @@
         }
       ],
       "name": "rpds-py",
-      "purl": "pkg:pypi/rpds-py@0.20.0",
+      "purl": "pkg:pypi/rpds-py@0.27.1",
       "type": "library",
-      "version": "0.20.0"
+      "version": "0.27.1"
     },
     {
-      "bom-ref": "six==1.16.0",
+      "bom-ref": "six==1.17.0",
       "description": "Python 2 and 3 compatibility utilities",
       "externalReferences": [
         {
@@ -754,9 +823,9 @@
         }
       ],
       "name": "six",
-      "purl": "pkg:pypi/six@1.16.0",
+      "purl": "pkg:pypi/six@1.17.0",
       "type": "library",
-      "version": "1.16.0"
+      "version": "1.17.0"
     },
     {
       "bom-ref": "sortedcontainers==2.4.0",
@@ -781,7 +850,7 @@
       "version": "2.4.0"
     },
     {
-      "bom-ref": "types-python-dateutil==2.9.0.20241003",
+      "bom-ref": "types-python-dateutil==2.9.0.20251008",
       "description": "Typing stubs for python-dateutil",
       "externalReferences": [
         {
@@ -805,7 +874,7 @@
           "url": "https://github.com/python/typeshed"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/python/typeshed"
         }
@@ -815,17 +884,12 @@
           "license": {
             "id": "Apache-2.0"
           }
-        },
-        {
-          "license": {
-            "name": "License :: OSI Approved :: Apache Software License"
-          }
         }
       ],
       "name": "types-python-dateutil",
-      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20241003",
+      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20251008",
       "type": "library",
-      "version": "2.9.0.20241003"
+      "version": "2.9.0.20251008"
     },
     {
       "bom-ref": "uri-template==1.3.0",
@@ -850,17 +914,17 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "webcolors==24.8.0",
+      "bom-ref": "webcolors==24.11.1",
       "description": "A library for working with the color formats defined by HTML and CSS.",
       "externalReferences": [
         {
-          "comment": "from packaging metadata Project-URL: documentation",
+          "comment": "from packaging metadata Project-URL: Documentation",
           "type": "documentation",
           "url": "https://webcolors.readthedocs.io"
         },
         {
-          "comment": "from packaging metadata Project-URL: homepage",
-          "type": "website",
+          "comment": "from packaging metadata Project-URL: Source Code",
+          "type": "other",
           "url": "https://github.com/ubernostrum/webcolors"
         }
       ],
@@ -877,9 +941,9 @@
         }
       ],
       "name": "webcolors",
-      "purl": "pkg:pypi/webcolors@24.8.0",
+      "purl": "pkg:pypi/webcolors@24.11.1",
       "type": "library",
-      "version": "24.8.0"
+      "version": "24.11.1"
     },
     {
       "bom-ref": "zipp==3.20.2",
@@ -908,26 +972,27 @@
     {
       "dependsOn": [
         "python-dateutil==2.9.0.post0",
-        "types-python-dateutil==2.9.0.20241003"
+        "types-python-dateutil==2.9.0.20251008"
       ],
       "ref": "arrow==1.3.0"
     },
     {
-      "ref": "attrs==24.2.0"
+      "ref": "attrs==25.4.0"
     },
     {
-      "ref": "boolean.py==4.0"
+      "ref": "boolean.py==5.0"
     },
     {
       "dependsOn": [
-        "jsonschema==4.23.0",
-        "license-expression==30.3.1",
-        "lxml==5.3.0",
-        "packageurl-python==0.16.0",
-        "py-serializable==1.1.2",
+        "jsonschema==4.25.1",
+        "license-expression==30.4.4",
+        "lxml==6.0.2",
+        "packageurl-python==0.17.5",
+        "py-serializable==2.1.0",
+        "referencing==0.37.0",
         "sortedcontainers==2.4.0"
       ],
-      "ref": "cyclonedx-python-lib==8.2.0"
+      "ref": "cyclonedx-python-lib==11.2.0"
     },
     {
       "ref": "defusedxml==0.7.1"
@@ -936,7 +1001,7 @@
       "ref": "fqdn==1.5.1"
     },
     {
-      "ref": "idna==3.10"
+      "ref": "idna==3.11"
     },
     {
       "dependsOn": [
@@ -956,40 +1021,42 @@
     {
       "dependsOn": [
         "importlib_resources==6.4.5",
-        "referencing==0.35.1"
+        "referencing==0.37.0"
       ],
       "ref": "jsonschema-specifications==2023.3.6"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
+        "attrs==25.4.0",
         "fqdn==1.5.1",
-        "idna==3.10",
-        "importlib_resources==6.4.5",
+        "idna==3.11",
         "isoduration==20.11.0",
         "jsonpointer==3.0.0",
         "jsonschema-specifications==2023.3.6",
-        "pkgutil_resolve_name==1.3.10",
-        "referencing==0.35.1",
+        "referencing==0.37.0",
         "rfc3339-validator==0.1.4",
-        "rfc3987==1.3.8",
-        "rpds-py==0.20.0",
+        "rfc3986-validator==0.1.1",
+        "rfc3987-syntax==1.1.0",
+        "rpds-py==0.27.1",
         "uri-template==1.3.0",
-        "webcolors==24.8.0"
+        "webcolors==24.11.1"
       ],
-      "ref": "jsonschema==4.23.0"
+      "ref": "jsonschema==4.25.1"
+    },
+    {
+      "ref": "lark==1.3.0"
     },
     {
       "dependsOn": [
-        "boolean.py==4.0"
+        "boolean.py==5.0"
       ],
-      "ref": "license-expression==30.3.1"
+      "ref": "license-expression==30.4.4"
     },
     {
-      "ref": "lxml==5.3.0"
+      "ref": "lxml==6.0.2"
     },
     {
-      "ref": "packageurl-python==0.16.0"
+      "ref": "packageurl-python==0.17.5"
     },
     {
       "ref": "pkgutil_resolve_name==1.3.10"
@@ -998,53 +1065,59 @@
       "dependsOn": [
         "defusedxml==0.7.1"
       ],
-      "ref": "py-serializable==1.1.2"
+      "ref": "py-serializable==2.1.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "python-dateutil==2.9.0.post0"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
-        "rpds-py==0.20.0"
+        "attrs==25.4.0",
+        "rpds-py==0.27.1"
       ],
-      "ref": "referencing==0.35.1"
+      "ref": "referencing==0.37.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "rfc3339-validator==0.1.4"
     },
     {
-      "ref": "rfc3987==1.3.8"
+      "ref": "rfc3986-validator==0.1.1"
+    },
+    {
+      "dependsOn": [
+        "lark==1.3.0"
+      ],
+      "ref": "rfc3987-syntax==1.1.0"
     },
     {
       "dependsOn": [
-        "cyclonedx-python-lib==8.2.0"
+        "cyclonedx-python-lib==11.2.0"
       ],
       "ref": "root-component"
     },
     {
-      "ref": "rpds-py==0.20.0"
+      "ref": "rpds-py==0.27.1"
     },
     {
-      "ref": "six==1.16.0"
+      "ref": "six==1.17.0"
     },
     {
       "ref": "sortedcontainers==2.4.0"
     },
     {
-      "ref": "types-python-dateutil==2.9.0.20241003"
+      "ref": "types-python-dateutil==2.9.0.20251008"
     },
     {
       "ref": "uri-template==1.3.0"
     },
     {
-      "ref": "webcolors==24.8.0"
+      "ref": "webcolors==24.11.1"
     },
     {
       "dependsOn": [
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin
index fcde2541..8bbacfe2 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin
@@ -85,16 +85,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="attrs==24.2.0">
+    <component type="library" bom-ref="attrs==25.4.0">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://www.attrs.org/</url>
@@ -118,16 +118,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="boolean.py==4.0">
+    <component type="library" bom-ref="boolean.py==5.0">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
       <licenses>
         <license>
           <id>BSD-2-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/bastikr/boolean.py</url>
@@ -135,9 +135,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="cyclonedx-python-lib==8.2.0">
+    <component type="library" bom-ref="cyclonedx-python-lib==11.2.0">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
       <licenses>
         <license>
@@ -147,7 +147,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://cyclonedx-python-library.readthedocs.io/</url>
@@ -161,13 +161,17 @@
           <url>https://owasp.org/donate/?reponame=www-project-cyclonedx&amp;title=OWASP+CycloneDX</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
         </reference>
+        <reference type="release-notes">
+          <url>https://github.com/CycloneDX/cyclonedx-python-lib/releases</url>
+          <comment>from packaging metadata Project-URL: Changelog</comment>
+        </reference>
         <reference type="vcs">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
           <comment>from packaging metadata Project-URL: Repository</comment>
         </reference>
         <reference type="website">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
       <properties>
@@ -212,16 +216,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="idna==3.10">
+    <component type="library" bom-ref="idna==3.11">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
       <licenses>
         <license>
-          <name>License :: OSI Approved :: BSD License</name>
+          <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/kjd/idna/issues</url>
@@ -300,16 +304,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="jsonschema==4.23.0">
+    <component type="library" bom-ref="jsonschema==4.25.1">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://python-jsonschema.readthedocs.io/</url>
@@ -341,7 +345,7 @@
         </reference>
       </externalReferences>
       <properties>
-        <property name="cdx:python:package:required-extra">format</property>
+        <property name="cdx:python:package:required-extra">format-nongpl</property>
       </properties>
     </component>
     <component type="library" bom-ref="jsonschema-specifications==2023.3.6">
@@ -377,16 +381,37 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="license-expression==30.3.1">
+    <component type="library" bom-ref="lark==1.3.0">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <externalReferences>
+        <reference type="distribution">
+          <url>https://github.com/lark-parser/lark/tarball/master</url>
+          <comment>from packaging metadata Project-URL: Download</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/lark-parser/lark</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="license-expression==30.4.4">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/aboutcode-org/license-expression</url>
@@ -394,20 +419,21 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
+    <component type="library" bom-ref="lxml==6.0.2">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
       <licenses>
         <license>
           <id>BSD-3-Clause</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <externalReferences>
+        <reference type="issue-tracker">
+          <url>https://bugs.launchpad.net/lxml</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/lxml/lxml</url>
           <comment>from packaging metadata Project-URL: Source</comment>
@@ -418,16 +444,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="packageurl-python==0.16.0">
+    <component type="library" bom-ref="packageurl-python==0.17.5">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/package-url/packageurl-python</url>
@@ -452,9 +478,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="py-serializable==1.1.2">
+    <component type="library" bom-ref="py-serializable==2.1.0">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
       <licenses>
         <license>
@@ -464,7 +490,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://py-serializable.readthedocs.io/</url>
@@ -480,7 +506,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/madpah/serializable#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -512,16 +538,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="referencing==0.35.1">
+    <component type="library" bom-ref="referencing==0.37.0">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://referencing.readthedocs.io/</url>
@@ -570,37 +596,62 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rfc3987==1.3.8">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
+    <component type="library" bom-ref="rfc3986-validator==0.1.1">
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
       <licenses>
         <license>
-          <id>GPL-3.0-or-later</id>
+          <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
       <externalReferences>
-        <reference type="distribution">
-          <url>https://github.com/dgerber/rfc3987</url>
-          <comment>from packaging metadata: Download-URL</comment>
-        </reference>
         <reference type="website">
-          <url>http://pypi.python.org/pypi/rfc3987</url>
+          <url>https://github.com/naimetti/rfc3986-validator</url>
           <comment>from packaging metadata: Home-page</comment>
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rpds-py==0.20.0">
+    <component type="library" bom-ref="rfc3987-syntax==1.1.0">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://github.com/willynilly/rfc3987-syntax#readme</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/willynilly/rfc3987-syntax/issues</url>
+          <comment>from packaging metadata Project-URL: Issues</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Source</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="rpds-py==0.27.1">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://rpds.readthedocs.io/</url>
@@ -614,6 +665,10 @@
           <url>https://github.com/crate-py/rpds</url>
           <comment>from packaging metadata Project-URL: Source</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/orium/rpds</url>
+          <comment>from packaging metadata Project-URL: Upstream</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/sponsors/Julian</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
@@ -628,16 +683,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="six==1.16.0">
+    <component type="library" bom-ref="six==1.17.0">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
       <licenses>
         <license>
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/benjaminp/six</url>
@@ -662,19 +717,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="types-python-dateutil==2.9.0.20241003">
+    <component type="library" bom-ref="types-python-dateutil==2.9.0.20251008">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
       <licenses>
         <license>
           <id>Apache-2.0</id>
         </license>
-        <license>
-          <name>License :: OSI Approved :: Apache Software License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <externalReferences>
         <reference type="chat">
           <url>https://gitter.im/python/typing</url>
@@ -694,7 +746,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/python/typeshed</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -715,9 +767,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="webcolors==24.8.0">
+    <component type="library" bom-ref="webcolors==24.11.1">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
       <licenses>
         <license>
@@ -727,15 +779,15 @@
           <name>License :: OSI Approved :: BSD License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://webcolors.readthedocs.io</url>
-          <comment>from packaging metadata Project-URL: documentation</comment>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
         </reference>
-        <reference type="website">
+        <reference type="other">
           <url>https://github.com/ubernostrum/webcolors</url>
-          <comment>from packaging metadata Project-URL: homepage</comment>
+          <comment>from packaging metadata Project-URL: Source Code</comment>
         </reference>
       </externalReferences>
     </component>
@@ -760,21 +812,22 @@
   <dependencies>
     <dependency ref="arrow==1.3.0">
       <dependency ref="python-dateutil==2.9.0.post0"/>
-      <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+      <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     </dependency>
-    <dependency ref="attrs==24.2.0"/>
-    <dependency ref="boolean.py==4.0"/>
-    <dependency ref="cyclonedx-python-lib==8.2.0">
-      <dependency ref="jsonschema==4.23.0"/>
-      <dependency ref="license-expression==30.3.1"/>
-      <dependency ref="lxml==5.3.0"/>
-      <dependency ref="packageurl-python==0.16.0"/>
-      <dependency ref="py-serializable==1.1.2"/>
+    <dependency ref="attrs==25.4.0"/>
+    <dependency ref="boolean.py==5.0"/>
+    <dependency ref="cyclonedx-python-lib==11.2.0">
+      <dependency ref="jsonschema==4.25.1"/>
+      <dependency ref="license-expression==30.4.4"/>
+      <dependency ref="lxml==6.0.2"/>
+      <dependency ref="packageurl-python==0.17.5"/>
+      <dependency ref="py-serializable==2.1.0"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
-    <dependency ref="idna==3.10"/>
+    <dependency ref="idna==3.11"/>
     <dependency ref="importlib_resources==6.4.5">
       <dependency ref="zipp==3.20.2"/>
     </dependency>
@@ -784,53 +837,56 @@
     <dependency ref="jsonpointer==3.0.0"/>
     <dependency ref="jsonschema-specifications==2023.3.6">
       <dependency ref="importlib_resources==6.4.5"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
     </dependency>
-    <dependency ref="jsonschema==4.23.0">
-      <dependency ref="attrs==24.2.0"/>
+    <dependency ref="jsonschema==4.25.1">
+      <dependency ref="attrs==25.4.0"/>
       <dependency ref="fqdn==1.5.1"/>
-      <dependency ref="idna==3.10"/>
-      <dependency ref="importlib_resources==6.4.5"/>
+      <dependency ref="idna==3.11"/>
       <dependency ref="isoduration==20.11.0"/>
       <dependency ref="jsonpointer==3.0.0"/>
       <dependency ref="jsonschema-specifications==2023.3.6"/>
-      <dependency ref="pkgutil_resolve_name==1.3.10"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="rfc3339-validator==0.1.4"/>
-      <dependency ref="rfc3987==1.3.8"/>
-      <dependency ref="rpds-py==0.20.0"/>
+      <dependency ref="rfc3986-validator==0.1.1"/>
+      <dependency ref="rfc3987-syntax==1.1.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
       <dependency ref="uri-template==1.3.0"/>
-      <dependency ref="webcolors==24.8.0"/>
+      <dependency ref="webcolors==24.11.1"/>
     </dependency>
-    <dependency ref="license-expression==30.3.1">
-      <dependency ref="boolean.py==4.0"/>
+    <dependency ref="lark==1.3.0"/>
+    <dependency ref="license-expression==30.4.4">
+      <dependency ref="boolean.py==5.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
-    <dependency ref="packageurl-python==0.16.0"/>
+    <dependency ref="lxml==6.0.2"/>
+    <dependency ref="packageurl-python==0.17.5"/>
     <dependency ref="pkgutil_resolve_name==1.3.10"/>
-    <dependency ref="py-serializable==1.1.2">
+    <dependency ref="py-serializable==2.1.0">
       <dependency ref="defusedxml==0.7.1"/>
     </dependency>
     <dependency ref="python-dateutil==2.9.0.post0">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
     </dependency>
-    <dependency ref="referencing==0.35.1">
-      <dependency ref="attrs==24.2.0"/>
-      <dependency ref="rpds-py==0.20.0"/>
+    <dependency ref="referencing==0.37.0">
+      <dependency ref="attrs==25.4.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
+    </dependency>
+    <dependency ref="rfc3986-validator==0.1.1"/>
+    <dependency ref="rfc3987-syntax==1.1.0">
+      <dependency ref="lark==1.3.0"/>
     </dependency>
-    <dependency ref="rfc3987==1.3.8"/>
     <dependency ref="root-component">
-      <dependency ref="cyclonedx-python-lib==8.2.0"/>
+      <dependency ref="cyclonedx-python-lib==11.2.0"/>
     </dependency>
-    <dependency ref="rpds-py==0.20.0"/>
-    <dependency ref="six==1.16.0"/>
+    <dependency ref="rpds-py==0.27.1"/>
+    <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
-    <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+    <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     <dependency ref="uri-template==1.3.0"/>
-    <dependency ref="webcolors==24.8.0"/>
+    <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
       <dependency ref="importlib_resources==6.4.5"/>
     </dependency>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin
index e1b260f2..3975779c 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin
@@ -34,7 +34,7 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "attrs==24.2.0",
+      "bom-ref": "attrs==25.4.0",
       "description": "Classes Without Boilerplate",
       "externalReferences": [
         {
@@ -72,12 +72,12 @@
         }
       ],
       "name": "attrs",
-      "purl": "pkg:pypi/attrs@24.2.0",
+      "purl": "pkg:pypi/attrs@25.4.0",
       "type": "library",
-      "version": "24.2.0"
+      "version": "25.4.0"
     },
     {
-      "bom-ref": "boolean.py==4.0",
+      "bom-ref": "boolean.py==5.0",
       "description": "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.",
       "externalReferences": [
         {
@@ -95,12 +95,12 @@
         }
       ],
       "name": "boolean.py",
-      "purl": "pkg:pypi/boolean.py@4.0",
+      "purl": "pkg:pypi/boolean.py@5.0",
       "type": "library",
-      "version": "4.0"
+      "version": "5.0"
     },
     {
-      "bom-ref": "cyclonedx-python-lib==8.2.0",
+      "bom-ref": "cyclonedx-python-lib==11.2.0",
       "description": "Python library for CycloneDX",
       "externalReferences": [
         {
@@ -118,13 +118,18 @@
           "type": "other",
           "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Changelog",
+          "type": "release-notes",
+          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/releases"
+        },
         {
           "comment": "from packaging metadata Project-URL: Repository",
           "type": "vcs",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
         }
@@ -150,9 +155,9 @@
           "value": "xml-validation"
         }
       ],
-      "purl": "pkg:pypi/cyclonedx-python-lib@8.2.0",
+      "purl": "pkg:pypi/cyclonedx-python-lib@11.2.0",
       "type": "library",
-      "version": "8.2.0"
+      "version": "11.2.0"
     },
     {
       "bom-ref": "defusedxml==0.7.1",
@@ -206,7 +211,7 @@
       "version": "1.5.1"
     },
     {
-      "bom-ref": "idna==3.10",
+      "bom-ref": "idna==3.11",
       "description": "Internationalized Domain Names in Applications (IDNA)",
       "externalReferences": [
         {
@@ -229,14 +234,14 @@
         {
           "license": {
             "acknowledgement": "declared",
-            "name": "License :: OSI Approved :: BSD License"
+            "id": "BSD-3-Clause"
           }
         }
       ],
       "name": "idna",
-      "purl": "pkg:pypi/idna@3.10",
+      "purl": "pkg:pypi/idna@3.11",
       "type": "library",
-      "version": "3.10"
+      "version": "3.11"
     },
     {
       "bom-ref": "importlib_resources==6.4.5",
@@ -323,7 +328,7 @@
       "version": "3.0.0"
     },
     {
-      "bom-ref": "jsonschema==4.23.0",
+      "bom-ref": "jsonschema==4.25.1",
       "description": "An implementation of JSON Schema validation for Python",
       "externalReferences": [
         {
@@ -374,12 +379,12 @@
       "properties": [
         {
           "name": "cdx:python:package:required-extra",
-          "value": "format"
+          "value": "format-nongpl"
         }
       ],
-      "purl": "pkg:pypi/jsonschema@4.23.0",
+      "purl": "pkg:pypi/jsonschema@4.25.1",
       "type": "library",
-      "version": "4.23.0"
+      "version": "4.25.1"
     },
     {
       "bom-ref": "jsonschema-specifications==2023.3.6",
@@ -425,7 +430,35 @@
       "version": "2023.3.6"
     },
     {
-      "bom-ref": "license-expression==30.3.1",
+      "bom-ref": "lark==1.3.0",
+      "description": "a modern parsing library",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Download",
+          "type": "distribution",
+          "url": "https://github.com/lark-parser/lark/tarball/master"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
+          "type": "website",
+          "url": "https://github.com/lark-parser/lark"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "acknowledgement": "declared",
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "lark",
+      "purl": "pkg:pypi/lark@1.3.0",
+      "type": "library",
+      "version": "1.3.0"
+    },
+    {
+      "bom-ref": "license-expression==30.4.4",
       "description": "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.",
       "externalReferences": [
         {
@@ -443,14 +476,19 @@
         }
       ],
       "name": "license-expression",
-      "purl": "pkg:pypi/license-expression@30.3.1",
+      "purl": "pkg:pypi/license-expression@30.4.4",
       "type": "library",
-      "version": "30.3.1"
+      "version": "30.4.4"
     },
     {
-      "bom-ref": "lxml==5.3.0",
+      "bom-ref": "lxml==6.0.2",
       "description": "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.",
       "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://bugs.launchpad.net/lxml"
+        },
         {
           "comment": "from packaging metadata Project-URL: Source",
           "type": "other",
@@ -468,21 +506,15 @@
             "acknowledgement": "declared",
             "id": "BSD-3-Clause"
           }
-        },
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "name": "License :: OSI Approved :: BSD License"
-          }
         }
       ],
       "name": "lxml",
-      "purl": "pkg:pypi/lxml@5.3.0",
+      "purl": "pkg:pypi/lxml@6.0.2",
       "type": "library",
-      "version": "5.3.0"
+      "version": "6.0.2"
     },
     {
-      "bom-ref": "packageurl-python==0.16.0",
+      "bom-ref": "packageurl-python==0.17.5",
       "description": "A purl aka. Package URL parser and builder",
       "externalReferences": [
         {
@@ -500,9 +532,9 @@
         }
       ],
       "name": "packageurl-python",
-      "purl": "pkg:pypi/packageurl-python@0.16.0",
+      "purl": "pkg:pypi/packageurl-python@0.17.5",
       "type": "library",
-      "version": "0.16.0"
+      "version": "0.17.5"
     },
     {
       "bom-ref": "pkgutil_resolve_name==1.3.10",
@@ -528,7 +560,7 @@
       "version": "1.3.10"
     },
     {
-      "bom-ref": "py-serializable==1.1.2",
+      "bom-ref": "py-serializable==2.1.0",
       "description": "Library for serializing and deserializing Python Objects to and from JSON and XML.",
       "externalReferences": [
         {
@@ -547,7 +579,7 @@
           "url": "https://github.com/madpah/serializable"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/madpah/serializable#readme"
         }
@@ -567,9 +599,9 @@
         }
       ],
       "name": "py-serializable",
-      "purl": "pkg:pypi/py-serializable@1.1.2",
+      "purl": "pkg:pypi/py-serializable@2.1.0",
       "type": "library",
-      "version": "1.1.2"
+      "version": "2.1.0"
     },
     {
       "bom-ref": "python-dateutil==2.9.0.post0",
@@ -611,7 +643,7 @@
       "version": "2.9.0.post0"
     },
     {
-      "bom-ref": "referencing==0.35.1",
+      "bom-ref": "referencing==0.37.0",
       "description": "JSON Referencing + Python",
       "externalReferences": [
         {
@@ -659,9 +691,9 @@
         }
       ],
       "name": "referencing",
-      "purl": "pkg:pypi/referencing@0.35.1",
+      "purl": "pkg:pypi/referencing@0.37.0",
       "type": "library",
-      "version": "0.35.1"
+      "version": "0.37.0"
     },
     {
       "bom-ref": "rfc3339-validator==0.1.4",
@@ -687,35 +719,68 @@
       "version": "0.1.4"
     },
     {
-      "bom-ref": "rfc3987==1.3.8",
-      "description": "Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)",
+      "bom-ref": "rfc3986-validator==0.1.1",
+      "description": "Pure python rfc3986 validator",
       "externalReferences": [
         {
-          "comment": "from packaging metadata: Download-URL",
-          "type": "distribution",
-          "url": "https://github.com/dgerber/rfc3987"
+          "comment": "from packaging metadata: Home-page",
+          "type": "website",
+          "url": "https://github.com/naimetti/rfc3986-validator"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "acknowledgement": "declared",
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "rfc3986-validator",
+      "purl": "pkg:pypi/rfc3986-validator@0.1.1",
+      "type": "library",
+      "version": "0.1.1"
+    },
+    {
+      "bom-ref": "rfc3987-syntax==1.1.0",
+      "description": "Helper functions to syntactically validate strings according to RFC 3987.",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://github.com/willynilly/rfc3987-syntax#readme"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Issues",
+          "type": "issue-tracker",
+          "url": "https://github.com/willynilly/rfc3987-syntax/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Source",
+          "type": "other",
+          "url": "https://github.com/willynilly/rfc3987-syntax"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
-          "url": "http://pypi.python.org/pypi/rfc3987"
+          "url": "https://github.com/willynilly/rfc3987-syntax"
         }
       ],
       "licenses": [
         {
           "license": {
             "acknowledgement": "declared",
-            "id": "GPL-3.0-or-later"
+            "id": "MIT"
           }
         }
       ],
-      "name": "rfc3987",
-      "purl": "pkg:pypi/rfc3987@1.3.8",
+      "name": "rfc3987-syntax",
+      "purl": "pkg:pypi/rfc3987-syntax@1.1.0",
       "type": "library",
-      "version": "1.3.8"
+      "version": "1.1.0"
     },
     {
-      "bom-ref": "rpds-py==0.20.0",
+      "bom-ref": "rpds-py==0.27.1",
       "description": "Python bindings to Rust's persistent data structures (rpds)",
       "externalReferences": [
         {
@@ -733,6 +798,11 @@
           "type": "other",
           "url": "https://github.com/crate-py/rpds"
         },
+        {
+          "comment": "from packaging metadata Project-URL: Upstream",
+          "type": "other",
+          "url": "https://github.com/orium/rpds"
+        },
         {
           "comment": "from packaging metadata Project-URL: Funding",
           "type": "other",
@@ -758,12 +828,12 @@
         }
       ],
       "name": "rpds-py",
-      "purl": "pkg:pypi/rpds-py@0.20.0",
+      "purl": "pkg:pypi/rpds-py@0.27.1",
       "type": "library",
-      "version": "0.20.0"
+      "version": "0.27.1"
     },
     {
-      "bom-ref": "six==1.16.0",
+      "bom-ref": "six==1.17.0",
       "description": "Python 2 and 3 compatibility utilities",
       "externalReferences": [
         {
@@ -781,9 +851,9 @@
         }
       ],
       "name": "six",
-      "purl": "pkg:pypi/six@1.16.0",
+      "purl": "pkg:pypi/six@1.17.0",
       "type": "library",
-      "version": "1.16.0"
+      "version": "1.17.0"
     },
     {
       "bom-ref": "sortedcontainers==2.4.0",
@@ -809,7 +879,7 @@
       "version": "2.4.0"
     },
     {
-      "bom-ref": "types-python-dateutil==2.9.0.20241003",
+      "bom-ref": "types-python-dateutil==2.9.0.20251008",
       "description": "Typing stubs for python-dateutil",
       "externalReferences": [
         {
@@ -833,7 +903,7 @@
           "url": "https://github.com/python/typeshed"
         },
         {
-          "comment": "from packaging metadata: Home-page",
+          "comment": "from packaging metadata Project-URL: Homepage",
           "type": "website",
           "url": "https://github.com/python/typeshed"
         }
@@ -844,18 +914,12 @@
             "acknowledgement": "declared",
             "id": "Apache-2.0"
           }
-        },
-        {
-          "license": {
-            "acknowledgement": "declared",
-            "name": "License :: OSI Approved :: Apache Software License"
-          }
         }
       ],
       "name": "types-python-dateutil",
-      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20241003",
+      "purl": "pkg:pypi/types-python-dateutil@2.9.0.20251008",
       "type": "library",
-      "version": "2.9.0.20241003"
+      "version": "2.9.0.20251008"
     },
     {
       "bom-ref": "uri-template==1.3.0",
@@ -881,17 +945,17 @@
       "version": "1.3.0"
     },
     {
-      "bom-ref": "webcolors==24.8.0",
+      "bom-ref": "webcolors==24.11.1",
       "description": "A library for working with the color formats defined by HTML and CSS.",
       "externalReferences": [
         {
-          "comment": "from packaging metadata Project-URL: documentation",
+          "comment": "from packaging metadata Project-URL: Documentation",
           "type": "documentation",
           "url": "https://webcolors.readthedocs.io"
         },
         {
-          "comment": "from packaging metadata Project-URL: homepage",
-          "type": "website",
+          "comment": "from packaging metadata Project-URL: Source Code",
+          "type": "other",
           "url": "https://github.com/ubernostrum/webcolors"
         }
       ],
@@ -910,9 +974,9 @@
         }
       ],
       "name": "webcolors",
-      "purl": "pkg:pypi/webcolors@24.8.0",
+      "purl": "pkg:pypi/webcolors@24.11.1",
       "type": "library",
-      "version": "24.8.0"
+      "version": "24.11.1"
     },
     {
       "bom-ref": "zipp==3.20.2",
@@ -942,26 +1006,27 @@
     {
       "dependsOn": [
         "python-dateutil==2.9.0.post0",
-        "types-python-dateutil==2.9.0.20241003"
+        "types-python-dateutil==2.9.0.20251008"
       ],
       "ref": "arrow==1.3.0"
     },
     {
-      "ref": "attrs==24.2.0"
+      "ref": "attrs==25.4.0"
     },
     {
-      "ref": "boolean.py==4.0"
+      "ref": "boolean.py==5.0"
     },
     {
       "dependsOn": [
-        "jsonschema==4.23.0",
-        "license-expression==30.3.1",
-        "lxml==5.3.0",
-        "packageurl-python==0.16.0",
-        "py-serializable==1.1.2",
+        "jsonschema==4.25.1",
+        "license-expression==30.4.4",
+        "lxml==6.0.2",
+        "packageurl-python==0.17.5",
+        "py-serializable==2.1.0",
+        "referencing==0.37.0",
         "sortedcontainers==2.4.0"
       ],
-      "ref": "cyclonedx-python-lib==8.2.0"
+      "ref": "cyclonedx-python-lib==11.2.0"
     },
     {
       "ref": "defusedxml==0.7.1"
@@ -970,7 +1035,7 @@
       "ref": "fqdn==1.5.1"
     },
     {
-      "ref": "idna==3.10"
+      "ref": "idna==3.11"
     },
     {
       "dependsOn": [
@@ -990,40 +1055,42 @@
     {
       "dependsOn": [
         "importlib_resources==6.4.5",
-        "referencing==0.35.1"
+        "referencing==0.37.0"
       ],
       "ref": "jsonschema-specifications==2023.3.6"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
+        "attrs==25.4.0",
         "fqdn==1.5.1",
-        "idna==3.10",
-        "importlib_resources==6.4.5",
+        "idna==3.11",
         "isoduration==20.11.0",
         "jsonpointer==3.0.0",
         "jsonschema-specifications==2023.3.6",
-        "pkgutil_resolve_name==1.3.10",
-        "referencing==0.35.1",
+        "referencing==0.37.0",
         "rfc3339-validator==0.1.4",
-        "rfc3987==1.3.8",
-        "rpds-py==0.20.0",
+        "rfc3986-validator==0.1.1",
+        "rfc3987-syntax==1.1.0",
+        "rpds-py==0.27.1",
         "uri-template==1.3.0",
-        "webcolors==24.8.0"
+        "webcolors==24.11.1"
       ],
-      "ref": "jsonschema==4.23.0"
+      "ref": "jsonschema==4.25.1"
+    },
+    {
+      "ref": "lark==1.3.0"
     },
     {
       "dependsOn": [
-        "boolean.py==4.0"
+        "boolean.py==5.0"
       ],
-      "ref": "license-expression==30.3.1"
+      "ref": "license-expression==30.4.4"
     },
     {
-      "ref": "lxml==5.3.0"
+      "ref": "lxml==6.0.2"
     },
     {
-      "ref": "packageurl-python==0.16.0"
+      "ref": "packageurl-python==0.17.5"
     },
     {
       "ref": "pkgutil_resolve_name==1.3.10"
@@ -1032,53 +1099,59 @@
       "dependsOn": [
         "defusedxml==0.7.1"
       ],
-      "ref": "py-serializable==1.1.2"
+      "ref": "py-serializable==2.1.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "python-dateutil==2.9.0.post0"
     },
     {
       "dependsOn": [
-        "attrs==24.2.0",
-        "rpds-py==0.20.0"
+        "attrs==25.4.0",
+        "rpds-py==0.27.1"
       ],
-      "ref": "referencing==0.35.1"
+      "ref": "referencing==0.37.0"
     },
     {
       "dependsOn": [
-        "six==1.16.0"
+        "six==1.17.0"
       ],
       "ref": "rfc3339-validator==0.1.4"
     },
     {
-      "ref": "rfc3987==1.3.8"
+      "ref": "rfc3986-validator==0.1.1"
+    },
+    {
+      "dependsOn": [
+        "lark==1.3.0"
+      ],
+      "ref": "rfc3987-syntax==1.1.0"
     },
     {
       "dependsOn": [
-        "cyclonedx-python-lib==8.2.0"
+        "cyclonedx-python-lib==11.2.0"
       ],
       "ref": "root-component"
     },
     {
-      "ref": "rpds-py==0.20.0"
+      "ref": "rpds-py==0.27.1"
     },
     {
-      "ref": "six==1.16.0"
+      "ref": "six==1.17.0"
     },
     {
       "ref": "sortedcontainers==2.4.0"
     },
     {
-      "ref": "types-python-dateutil==2.9.0.20241003"
+      "ref": "types-python-dateutil==2.9.0.20251008"
     },
     {
       "ref": "uri-template==1.3.0"
     },
     {
-      "ref": "webcolors==24.8.0"
+      "ref": "webcolors==24.11.1"
     },
     {
       "dependsOn": [
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin
index 6de3ed47..f04c37a4 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin
@@ -85,16 +85,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="attrs==24.2.0">
+    <component type="library" bom-ref="attrs==25.4.0">
       <name>attrs</name>
-      <version>24.2.0</version>
+      <version>25.4.0</version>
       <description>Classes Without Boilerplate</description>
       <licenses>
         <license acknowledgement="declared">
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/attrs@24.2.0</purl>
+      <purl>pkg:pypi/attrs@25.4.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://www.attrs.org/</url>
@@ -118,16 +118,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="boolean.py==4.0">
+    <component type="library" bom-ref="boolean.py==5.0">
       <name>boolean.py</name>
-      <version>4.0</version>
+      <version>5.0</version>
       <description>Define boolean algebras, create and parse boolean expressions and create custom boolean DSL.</description>
       <licenses>
         <license acknowledgement="declared">
           <id>BSD-2-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/boolean.py@4.0</purl>
+      <purl>pkg:pypi/boolean.py@5.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/bastikr/boolean.py</url>
@@ -135,9 +135,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="cyclonedx-python-lib==8.2.0">
+    <component type="library" bom-ref="cyclonedx-python-lib==11.2.0">
       <name>cyclonedx-python-lib</name>
-      <version>8.2.0</version>
+      <version>11.2.0</version>
       <description>Python library for CycloneDX</description>
       <licenses>
         <license acknowledgement="declared">
@@ -147,7 +147,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/cyclonedx-python-lib@8.2.0</purl>
+      <purl>pkg:pypi/cyclonedx-python-lib@11.2.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://cyclonedx-python-library.readthedocs.io/</url>
@@ -161,13 +161,17 @@
           <url>https://owasp.org/donate/?reponame=www-project-cyclonedx&amp;title=OWASP+CycloneDX</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
         </reference>
+        <reference type="release-notes">
+          <url>https://github.com/CycloneDX/cyclonedx-python-lib/releases</url>
+          <comment>from packaging metadata Project-URL: Changelog</comment>
+        </reference>
         <reference type="vcs">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
           <comment>from packaging metadata Project-URL: Repository</comment>
         </reference>
         <reference type="website">
           <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
       <properties>
@@ -212,16 +216,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="idna==3.10">
+    <component type="library" bom-ref="idna==3.11">
       <name>idna</name>
-      <version>3.10</version>
+      <version>3.11</version>
       <description>Internationalized Domain Names in Applications (IDNA)</description>
       <licenses>
         <license acknowledgement="declared">
-          <name>License :: OSI Approved :: BSD License</name>
+          <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/idna@3.10</purl>
+      <purl>pkg:pypi/idna@3.11</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/kjd/idna/issues</url>
@@ -300,16 +304,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="jsonschema==4.23.0">
+    <component type="library" bom-ref="jsonschema==4.25.1">
       <name>jsonschema</name>
-      <version>4.23.0</version>
+      <version>4.25.1</version>
       <description>An implementation of JSON Schema validation for Python</description>
       <licenses>
         <license acknowledgement="declared">
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/jsonschema@4.23.0</purl>
+      <purl>pkg:pypi/jsonschema@4.25.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://python-jsonschema.readthedocs.io/</url>
@@ -341,7 +345,7 @@
         </reference>
       </externalReferences>
       <properties>
-        <property name="cdx:python:package:required-extra">format</property>
+        <property name="cdx:python:package:required-extra">format-nongpl</property>
       </properties>
     </component>
     <component type="library" bom-ref="jsonschema-specifications==2023.3.6">
@@ -377,16 +381,37 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="license-expression==30.3.1">
+    <component type="library" bom-ref="lark==1.3.0">
+      <name>lark</name>
+      <version>1.3.0</version>
+      <description>a modern parsing library</description>
+      <licenses>
+        <license acknowledgement="declared">
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/lark@1.3.0</purl>
+      <externalReferences>
+        <reference type="distribution">
+          <url>https://github.com/lark-parser/lark/tarball/master</url>
+          <comment>from packaging metadata Project-URL: Download</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/lark-parser/lark</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="license-expression==30.4.4">
       <name>license-expression</name>
-      <version>30.3.1</version>
+      <version>30.4.4</version>
       <description>license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic.</description>
       <licenses>
         <license acknowledgement="declared">
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/license-expression@30.3.1</purl>
+      <purl>pkg:pypi/license-expression@30.4.4</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/aboutcode-org/license-expression</url>
@@ -394,20 +419,21 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="lxml==5.3.0">
+    <component type="library" bom-ref="lxml==6.0.2">
       <name>lxml</name>
-      <version>5.3.0</version>
+      <version>6.0.2</version>
       <description>Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.</description>
       <licenses>
         <license acknowledgement="declared">
           <id>BSD-3-Clause</id>
         </license>
-        <license acknowledgement="declared">
-          <name>License :: OSI Approved :: BSD License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/lxml@5.3.0</purl>
+      <purl>pkg:pypi/lxml@6.0.2</purl>
       <externalReferences>
+        <reference type="issue-tracker">
+          <url>https://bugs.launchpad.net/lxml</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/lxml/lxml</url>
           <comment>from packaging metadata Project-URL: Source</comment>
@@ -418,16 +444,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="packageurl-python==0.16.0">
+    <component type="library" bom-ref="packageurl-python==0.17.5">
       <name>packageurl-python</name>
-      <version>0.16.0</version>
+      <version>0.17.5</version>
       <description>A purl aka. Package URL parser and builder</description>
       <licenses>
         <license acknowledgement="declared">
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/packageurl-python@0.16.0</purl>
+      <purl>pkg:pypi/packageurl-python@0.17.5</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/package-url/packageurl-python</url>
@@ -452,9 +478,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="py-serializable==1.1.2">
+    <component type="library" bom-ref="py-serializable==2.1.0">
       <name>py-serializable</name>
-      <version>1.1.2</version>
+      <version>2.1.0</version>
       <description>Library for serializing and deserializing Python Objects to and from JSON and XML.</description>
       <licenses>
         <license acknowledgement="declared">
@@ -464,7 +490,7 @@
           <name>License :: OSI Approved :: Apache Software License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/py-serializable@1.1.2</purl>
+      <purl>pkg:pypi/py-serializable@2.1.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://py-serializable.readthedocs.io/</url>
@@ -480,7 +506,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/madpah/serializable#readme</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -512,16 +538,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="referencing==0.35.1">
+    <component type="library" bom-ref="referencing==0.37.0">
       <name>referencing</name>
-      <version>0.35.1</version>
+      <version>0.37.0</version>
       <description>JSON Referencing + Python</description>
       <licenses>
         <license acknowledgement="declared">
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/referencing@0.35.1</purl>
+      <purl>pkg:pypi/referencing@0.37.0</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://referencing.readthedocs.io/</url>
@@ -570,37 +596,62 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rfc3987==1.3.8">
-      <name>rfc3987</name>
-      <version>1.3.8</version>
-      <description>Parsing and validation of URIs (RFC 3986) and IRIs (RFC 3987)</description>
+    <component type="library" bom-ref="rfc3986-validator==0.1.1">
+      <name>rfc3986-validator</name>
+      <version>0.1.1</version>
+      <description>Pure python rfc3986 validator</description>
       <licenses>
         <license acknowledgement="declared">
-          <id>GPL-3.0-or-later</id>
+          <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rfc3987@1.3.8</purl>
+      <purl>pkg:pypi/rfc3986-validator@0.1.1</purl>
       <externalReferences>
-        <reference type="distribution">
-          <url>https://github.com/dgerber/rfc3987</url>
-          <comment>from packaging metadata: Download-URL</comment>
-        </reference>
         <reference type="website">
-          <url>http://pypi.python.org/pypi/rfc3987</url>
+          <url>https://github.com/naimetti/rfc3986-validator</url>
           <comment>from packaging metadata: Home-page</comment>
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="rpds-py==0.20.0">
+    <component type="library" bom-ref="rfc3987-syntax==1.1.0">
+      <name>rfc3987-syntax</name>
+      <version>1.1.0</version>
+      <description>Helper functions to syntactically validate strings according to RFC 3987.</description>
+      <licenses>
+        <license acknowledgement="declared">
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/rfc3987-syntax@1.1.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://github.com/willynilly/rfc3987-syntax#readme</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/willynilly/rfc3987-syntax/issues</url>
+          <comment>from packaging metadata Project-URL: Issues</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Source</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/willynilly/rfc3987-syntax</url>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
+        </reference>
+      </externalReferences>
+    </component>
+    <component type="library" bom-ref="rpds-py==0.27.1">
       <name>rpds-py</name>
-      <version>0.20.0</version>
+      <version>0.27.1</version>
       <description>Python bindings to Rust's persistent data structures (rpds)</description>
       <licenses>
         <license acknowledgement="declared">
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/rpds-py@0.20.0</purl>
+      <purl>pkg:pypi/rpds-py@0.27.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://rpds.readthedocs.io/</url>
@@ -614,6 +665,10 @@
           <url>https://github.com/crate-py/rpds</url>
           <comment>from packaging metadata Project-URL: Source</comment>
         </reference>
+        <reference type="other">
+          <url>https://github.com/orium/rpds</url>
+          <comment>from packaging metadata Project-URL: Upstream</comment>
+        </reference>
         <reference type="other">
           <url>https://github.com/sponsors/Julian</url>
           <comment>from packaging metadata Project-URL: Funding</comment>
@@ -628,16 +683,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="six==1.16.0">
+    <component type="library" bom-ref="six==1.17.0">
       <name>six</name>
-      <version>1.16.0</version>
+      <version>1.17.0</version>
       <description>Python 2 and 3 compatibility utilities</description>
       <licenses>
         <license acknowledgement="declared">
           <id>MIT</id>
         </license>
       </licenses>
-      <purl>pkg:pypi/six@1.16.0</purl>
+      <purl>pkg:pypi/six@1.17.0</purl>
       <externalReferences>
         <reference type="website">
           <url>https://github.com/benjaminp/six</url>
@@ -662,19 +717,16 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="types-python-dateutil==2.9.0.20241003">
+    <component type="library" bom-ref="types-python-dateutil==2.9.0.20251008">
       <name>types-python-dateutil</name>
-      <version>2.9.0.20241003</version>
+      <version>2.9.0.20251008</version>
       <description>Typing stubs for python-dateutil</description>
       <licenses>
         <license acknowledgement="declared">
           <id>Apache-2.0</id>
         </license>
-        <license acknowledgement="declared">
-          <name>License :: OSI Approved :: Apache Software License</name>
-        </license>
       </licenses>
-      <purl>pkg:pypi/types-python-dateutil@2.9.0.20241003</purl>
+      <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <externalReferences>
         <reference type="chat">
           <url>https://gitter.im/python/typing</url>
@@ -694,7 +746,7 @@
         </reference>
         <reference type="website">
           <url>https://github.com/python/typeshed</url>
-          <comment>from packaging metadata: Home-page</comment>
+          <comment>from packaging metadata Project-URL: Homepage</comment>
         </reference>
       </externalReferences>
     </component>
@@ -715,9 +767,9 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" bom-ref="webcolors==24.8.0">
+    <component type="library" bom-ref="webcolors==24.11.1">
       <name>webcolors</name>
-      <version>24.8.0</version>
+      <version>24.11.1</version>
       <description>A library for working with the color formats defined by HTML and CSS.</description>
       <licenses>
         <license acknowledgement="declared">
@@ -727,15 +779,15 @@
           <name>License :: OSI Approved :: BSD License</name>
         </license>
       </licenses>
-      <purl>pkg:pypi/webcolors@24.8.0</purl>
+      <purl>pkg:pypi/webcolors@24.11.1</purl>
       <externalReferences>
         <reference type="documentation">
           <url>https://webcolors.readthedocs.io</url>
-          <comment>from packaging metadata Project-URL: documentation</comment>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
         </reference>
-        <reference type="website">
+        <reference type="other">
           <url>https://github.com/ubernostrum/webcolors</url>
-          <comment>from packaging metadata Project-URL: homepage</comment>
+          <comment>from packaging metadata Project-URL: Source Code</comment>
         </reference>
       </externalReferences>
     </component>
@@ -760,21 +812,22 @@
   <dependencies>
     <dependency ref="arrow==1.3.0">
       <dependency ref="python-dateutil==2.9.0.post0"/>
-      <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+      <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     </dependency>
-    <dependency ref="attrs==24.2.0"/>
-    <dependency ref="boolean.py==4.0"/>
-    <dependency ref="cyclonedx-python-lib==8.2.0">
-      <dependency ref="jsonschema==4.23.0"/>
-      <dependency ref="license-expression==30.3.1"/>
-      <dependency ref="lxml==5.3.0"/>
-      <dependency ref="packageurl-python==0.16.0"/>
-      <dependency ref="py-serializable==1.1.2"/>
+    <dependency ref="attrs==25.4.0"/>
+    <dependency ref="boolean.py==5.0"/>
+    <dependency ref="cyclonedx-python-lib==11.2.0">
+      <dependency ref="jsonschema==4.25.1"/>
+      <dependency ref="license-expression==30.4.4"/>
+      <dependency ref="lxml==6.0.2"/>
+      <dependency ref="packageurl-python==0.17.5"/>
+      <dependency ref="py-serializable==2.1.0"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
-    <dependency ref="idna==3.10"/>
+    <dependency ref="idna==3.11"/>
     <dependency ref="importlib_resources==6.4.5">
       <dependency ref="zipp==3.20.2"/>
     </dependency>
@@ -784,53 +837,56 @@
     <dependency ref="jsonpointer==3.0.0"/>
     <dependency ref="jsonschema-specifications==2023.3.6">
       <dependency ref="importlib_resources==6.4.5"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
     </dependency>
-    <dependency ref="jsonschema==4.23.0">
-      <dependency ref="attrs==24.2.0"/>
+    <dependency ref="jsonschema==4.25.1">
+      <dependency ref="attrs==25.4.0"/>
       <dependency ref="fqdn==1.5.1"/>
-      <dependency ref="idna==3.10"/>
-      <dependency ref="importlib_resources==6.4.5"/>
+      <dependency ref="idna==3.11"/>
       <dependency ref="isoduration==20.11.0"/>
       <dependency ref="jsonpointer==3.0.0"/>
       <dependency ref="jsonschema-specifications==2023.3.6"/>
-      <dependency ref="pkgutil_resolve_name==1.3.10"/>
-      <dependency ref="referencing==0.35.1"/>
+      <dependency ref="referencing==0.37.0"/>
       <dependency ref="rfc3339-validator==0.1.4"/>
-      <dependency ref="rfc3987==1.3.8"/>
-      <dependency ref="rpds-py==0.20.0"/>
+      <dependency ref="rfc3986-validator==0.1.1"/>
+      <dependency ref="rfc3987-syntax==1.1.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
       <dependency ref="uri-template==1.3.0"/>
-      <dependency ref="webcolors==24.8.0"/>
+      <dependency ref="webcolors==24.11.1"/>
     </dependency>
-    <dependency ref="license-expression==30.3.1">
-      <dependency ref="boolean.py==4.0"/>
+    <dependency ref="lark==1.3.0"/>
+    <dependency ref="license-expression==30.4.4">
+      <dependency ref="boolean.py==5.0"/>
     </dependency>
-    <dependency ref="lxml==5.3.0"/>
-    <dependency ref="packageurl-python==0.16.0"/>
+    <dependency ref="lxml==6.0.2"/>
+    <dependency ref="packageurl-python==0.17.5"/>
     <dependency ref="pkgutil_resolve_name==1.3.10"/>
-    <dependency ref="py-serializable==1.1.2">
+    <dependency ref="py-serializable==2.1.0">
       <dependency ref="defusedxml==0.7.1"/>
     </dependency>
     <dependency ref="python-dateutil==2.9.0.post0">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
     </dependency>
-    <dependency ref="referencing==0.35.1">
-      <dependency ref="attrs==24.2.0"/>
-      <dependency ref="rpds-py==0.20.0"/>
+    <dependency ref="referencing==0.37.0">
+      <dependency ref="attrs==25.4.0"/>
+      <dependency ref="rpds-py==0.27.1"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
-      <dependency ref="six==1.16.0"/>
+      <dependency ref="six==1.17.0"/>
+    </dependency>
+    <dependency ref="rfc3986-validator==0.1.1"/>
+    <dependency ref="rfc3987-syntax==1.1.0">
+      <dependency ref="lark==1.3.0"/>
     </dependency>
-    <dependency ref="rfc3987==1.3.8"/>
     <dependency ref="root-component">
-      <dependency ref="cyclonedx-python-lib==8.2.0"/>
+      <dependency ref="cyclonedx-python-lib==11.2.0"/>
     </dependency>
-    <dependency ref="rpds-py==0.20.0"/>
-    <dependency ref="six==1.16.0"/>
+    <dependency ref="rpds-py==0.27.1"/>
+    <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
-    <dependency ref="types-python-dateutil==2.9.0.20241003"/>
+    <dependency ref="types-python-dateutil==2.9.0.20251008"/>
     <dependency ref="uri-template==1.3.0"/>
-    <dependency ref="webcolors==24.8.0"/>
+    <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
       <dependency ref="importlib_resources==6.4.5"/>
     </dependency>

From 2febfda6c40ebca22e16c007ff5a4e7e325fcfb3 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Wed, 15 Oct 2025 18:43:13 +0200
Subject: [PATCH 05/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/__init__.py b/tests/__init__.py
index 06029472..75a96819 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -28,11 +28,11 @@
 
 from cyclonedx_py import __version__ as __this_version
 
-RECREATE_SNAPSHOTS = True # '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
+RECREATE_SNAPSHOTS = '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
 if RECREATE_SNAPSHOTS:
     print('!!! WILL RECREATE ALL SNAPSHOTS !!!', file=sys.stderr)
 
-INIT_TESTBEDS = True # '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
+INIT_TESTBEDS = '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
 if INIT_TESTBEDS:
     print('!!! WILL INIT TESTBEDS !!!', file=sys.stderr)
 

From c13f80e3171189ffecd17d1f75193876417be615 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:15:49 +0200
Subject: [PATCH 06/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py     | 8 ++++++--
 tests/_data/infiles/environment/with-extras/pinning.txt | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index a644ca66..ee7c529f 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -22,7 +22,7 @@
 from os import name as os_name
 from os.path import dirname, join
 from subprocess import PIPE, CompletedProcess, run  # nosec:B404
-from sys import argv, executable
+from sys import argv, executable, version_info
 from typing import Any
 from venv import EnvBuilder
 
@@ -48,10 +48,14 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
 
 
 def pip_install(*args: str) -> None:
+    site = None
     pip_run(
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
+        '--python-version=3.14',  # needed for compatibility
+        '--only-binary=:all:',
+        '-t', join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages'),
         '-c', constraint_file,  # needed for reproducibility
-        *args
+        *args,
     )
 
 
diff --git a/tests/_data/infiles/environment/with-extras/pinning.txt b/tests/_data/infiles/environment/with-extras/pinning.txt
index 1c113e92..f8b08424 100644
--- a/tests/_data/infiles/environment/with-extras/pinning.txt
+++ b/tests/_data/infiles/environment/with-extras/pinning.txt
@@ -25,6 +25,7 @@ rpds-py==0.27.1
 six==1.17.0
 sortedcontainers==2.4.0
 types-python-dateutil==2.9.0.20251008
+typing_extensions==4.15.0
 uri-template==1.3.0
 webcolors==24.11.1
 zipp==3.20.2

From e85697042e3ca15bae8a801575252a17982cc9b6 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:18:45 +0200
Subject: [PATCH 07/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 .../environment/plain_with-extras_1.0.xml.bin |  7 +++
 .../environment/plain_with-extras_1.1.xml.bin | 37 ++++++++++++
 .../plain_with-extras_1.2.json.bin            | 56 +++++++++++++++++-
 .../environment/plain_with-extras_1.2.xml.bin | 40 +++++++++++++
 .../plain_with-extras_1.3.json.bin            | 56 +++++++++++++++++-
 .../environment/plain_with-extras_1.3.xml.bin | 40 +++++++++++++
 .../plain_with-extras_1.4.json.bin            | 56 +++++++++++++++++-
 .../environment/plain_with-extras_1.4.xml.bin | 40 +++++++++++++
 .../plain_with-extras_1.5.json.bin            | 56 +++++++++++++++++-
 .../environment/plain_with-extras_1.5.xml.bin | 40 +++++++++++++
 .../plain_with-extras_1.6.json.bin            | 57 ++++++++++++++++++-
 .../environment/plain_with-extras_1.6.xml.bin | 40 +++++++++++++
 12 files changed, 515 insertions(+), 10 deletions(-)

diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin
index 5e13b31f..479ed4aa 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.0.xml.bin
@@ -190,6 +190,13 @@
       <purl>pkg:pypi/types-python-dateutil@2.9.0.20251008</purl>
       <modified>false</modified>
     </component>
+    <component type="library">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <modified>false</modified>
+    </component>
     <component type="library">
       <name>uri-template</name>
       <version>1.3.0</version>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin
index 20c9be7b..8beeef0d 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.1.xml.bin
@@ -685,6 +685,43 @@
         </reference>
       </externalReferences>
     </component>
+    <component type="library" bom-ref="typing_extensions==4.15.0">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <licenses>
+        <license>
+          <id>PSF-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://typing-extensions.readthedocs.io/</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/python/typing_extensions/issues</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing/discussions</url>
+          <comment>from packaging metadata Project-URL: Q &amp; A</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing_extensions/blob/main/CHANGELOG.md</url>
+          <comment>from packaging metadata Project-URL: Changes</comment>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Repository</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Home</comment>
+        </reference>
+      </externalReferences>
+    </component>
     <component type="library" bom-ref="uri-template==1.3.0">
       <name>uri-template</name>
       <version>1.3.0</version>
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin
index cd6df1b2..c7a3a8e6 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.2.json.bin
@@ -879,6 +879,53 @@
       "type": "library",
       "version": "2.9.0.20251008"
     },
+    {
+      "bom-ref": "typing_extensions==4.15.0",
+      "description": "Backported and Experimental Type Hints for Python 3.9+",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://typing-extensions.readthedocs.io/"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://github.com/python/typing_extensions/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Q & A",
+          "type": "other",
+          "url": "https://github.com/python/typing/discussions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Changes",
+          "type": "other",
+          "url": "https://github.com/python/typing_extensions/blob/main/CHANGELOG.md"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Repository",
+          "type": "vcs",
+          "url": "https://github.com/python/typing_extensions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Home",
+          "type": "website",
+          "url": "https://github.com/python/typing_extensions"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "PSF-2.0"
+          }
+        }
+      ],
+      "name": "typing_extensions",
+      "purl": "pkg:pypi/typing-extensions@4.15.0",
+      "type": "library",
+      "version": "4.15.0"
+    },
     {
       "bom-ref": "uri-template==1.3.0",
       "description": "RFC 6570 URI Template Processor",
@@ -978,7 +1025,8 @@
         "packageurl-python==0.17.5",
         "py-serializable==2.1.0",
         "referencing==0.37.0",
-        "sortedcontainers==2.4.0"
+        "sortedcontainers==2.4.0",
+        "typing_extensions==4.15.0"
       ],
       "ref": "cyclonedx-python-lib==11.2.0"
     },
@@ -1064,7 +1112,8 @@
     {
       "dependsOn": [
         "attrs==25.4.0",
-        "rpds-py==0.27.1"
+        "rpds-py==0.27.1",
+        "typing_extensions==4.15.0"
       ],
       "ref": "referencing==0.37.0"
     },
@@ -1101,6 +1150,9 @@
     {
       "ref": "types-python-dateutil==2.9.0.20251008"
     },
+    {
+      "ref": "typing_extensions==4.15.0"
+    },
     {
       "ref": "uri-template==1.3.0"
     },
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin
index 4795472c..72fff1d2 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.2.xml.bin
@@ -704,6 +704,43 @@
         </reference>
       </externalReferences>
     </component>
+    <component type="library" bom-ref="typing_extensions==4.15.0">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <licenses>
+        <license>
+          <id>PSF-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://typing-extensions.readthedocs.io/</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/python/typing_extensions/issues</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing/discussions</url>
+          <comment>from packaging metadata Project-URL: Q &amp; A</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing_extensions/blob/main/CHANGELOG.md</url>
+          <comment>from packaging metadata Project-URL: Changes</comment>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Repository</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Home</comment>
+        </reference>
+      </externalReferences>
+    </component>
     <component type="library" bom-ref="uri-template==1.3.0">
       <name>uri-template</name>
       <version>1.3.0</version>
@@ -778,6 +815,7 @@
       <dependency ref="py-serializable==2.1.0"/>
       <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
@@ -824,6 +862,7 @@
     <dependency ref="referencing==0.37.0">
       <dependency ref="attrs==25.4.0"/>
       <dependency ref="rpds-py==0.27.1"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
       <dependency ref="six==1.17.0"/>
@@ -839,6 +878,7 @@
     <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
     <dependency ref="types-python-dateutil==2.9.0.20251008"/>
+    <dependency ref="typing_extensions==4.15.0"/>
     <dependency ref="uri-template==1.3.0"/>
     <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin
index c9c2eb91..97f77cea 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.3.json.bin
@@ -891,6 +891,53 @@
       "type": "library",
       "version": "2.9.0.20251008"
     },
+    {
+      "bom-ref": "typing_extensions==4.15.0",
+      "description": "Backported and Experimental Type Hints for Python 3.9+",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://typing-extensions.readthedocs.io/"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://github.com/python/typing_extensions/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Q & A",
+          "type": "other",
+          "url": "https://github.com/python/typing/discussions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Changes",
+          "type": "other",
+          "url": "https://github.com/python/typing_extensions/blob/main/CHANGELOG.md"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Repository",
+          "type": "vcs",
+          "url": "https://github.com/python/typing_extensions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Home",
+          "type": "website",
+          "url": "https://github.com/python/typing_extensions"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "PSF-2.0"
+          }
+        }
+      ],
+      "name": "typing_extensions",
+      "purl": "pkg:pypi/typing-extensions@4.15.0",
+      "type": "library",
+      "version": "4.15.0"
+    },
     {
       "bom-ref": "uri-template==1.3.0",
       "description": "RFC 6570 URI Template Processor",
@@ -990,7 +1037,8 @@
         "packageurl-python==0.17.5",
         "py-serializable==2.1.0",
         "referencing==0.37.0",
-        "sortedcontainers==2.4.0"
+        "sortedcontainers==2.4.0",
+        "typing_extensions==4.15.0"
       ],
       "ref": "cyclonedx-python-lib==11.2.0"
     },
@@ -1076,7 +1124,8 @@
     {
       "dependsOn": [
         "attrs==25.4.0",
-        "rpds-py==0.27.1"
+        "rpds-py==0.27.1",
+        "typing_extensions==4.15.0"
       ],
       "ref": "referencing==0.37.0"
     },
@@ -1113,6 +1162,9 @@
     {
       "ref": "types-python-dateutil==2.9.0.20251008"
     },
+    {
+      "ref": "typing_extensions==4.15.0"
+    },
     {
       "ref": "uri-template==1.3.0"
     },
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin
index acf7532a..a8680af5 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.3.xml.bin
@@ -713,6 +713,43 @@
         </reference>
       </externalReferences>
     </component>
+    <component type="library" bom-ref="typing_extensions==4.15.0">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <licenses>
+        <license>
+          <id>PSF-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://typing-extensions.readthedocs.io/</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/python/typing_extensions/issues</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing/discussions</url>
+          <comment>from packaging metadata Project-URL: Q &amp; A</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing_extensions/blob/main/CHANGELOG.md</url>
+          <comment>from packaging metadata Project-URL: Changes</comment>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Repository</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Home</comment>
+        </reference>
+      </externalReferences>
+    </component>
     <component type="library" bom-ref="uri-template==1.3.0">
       <name>uri-template</name>
       <version>1.3.0</version>
@@ -787,6 +824,7 @@
       <dependency ref="py-serializable==2.1.0"/>
       <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
@@ -833,6 +871,7 @@
     <dependency ref="referencing==0.37.0">
       <dependency ref="attrs==25.4.0"/>
       <dependency ref="rpds-py==0.27.1"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
       <dependency ref="six==1.17.0"/>
@@ -848,6 +887,7 @@
     <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
     <dependency ref="types-python-dateutil==2.9.0.20251008"/>
+    <dependency ref="typing_extensions==4.15.0"/>
     <dependency ref="uri-template==1.3.0"/>
     <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin
index 77f811b8..0cb489bc 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.4.json.bin
@@ -891,6 +891,53 @@
       "type": "library",
       "version": "2.9.0.20251008"
     },
+    {
+      "bom-ref": "typing_extensions==4.15.0",
+      "description": "Backported and Experimental Type Hints for Python 3.9+",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://typing-extensions.readthedocs.io/"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://github.com/python/typing_extensions/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Q & A",
+          "type": "other",
+          "url": "https://github.com/python/typing/discussions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Changes",
+          "type": "release-notes",
+          "url": "https://github.com/python/typing_extensions/blob/main/CHANGELOG.md"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Repository",
+          "type": "vcs",
+          "url": "https://github.com/python/typing_extensions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Home",
+          "type": "website",
+          "url": "https://github.com/python/typing_extensions"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "PSF-2.0"
+          }
+        }
+      ],
+      "name": "typing_extensions",
+      "purl": "pkg:pypi/typing-extensions@4.15.0",
+      "type": "library",
+      "version": "4.15.0"
+    },
     {
       "bom-ref": "uri-template==1.3.0",
       "description": "RFC 6570 URI Template Processor",
@@ -990,7 +1037,8 @@
         "packageurl-python==0.17.5",
         "py-serializable==2.1.0",
         "referencing==0.37.0",
-        "sortedcontainers==2.4.0"
+        "sortedcontainers==2.4.0",
+        "typing_extensions==4.15.0"
       ],
       "ref": "cyclonedx-python-lib==11.2.0"
     },
@@ -1076,7 +1124,8 @@
     {
       "dependsOn": [
         "attrs==25.4.0",
-        "rpds-py==0.27.1"
+        "rpds-py==0.27.1",
+        "typing_extensions==4.15.0"
       ],
       "ref": "referencing==0.37.0"
     },
@@ -1113,6 +1162,9 @@
     {
       "ref": "types-python-dateutil==2.9.0.20251008"
     },
+    {
+      "ref": "typing_extensions==4.15.0"
+    },
     {
       "ref": "uri-template==1.3.0"
     },
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin
index 24019cad..ecb4633a 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.4.xml.bin
@@ -740,6 +740,43 @@
         </reference>
       </externalReferences>
     </component>
+    <component type="library" bom-ref="typing_extensions==4.15.0">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <licenses>
+        <license>
+          <id>PSF-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://typing-extensions.readthedocs.io/</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/python/typing_extensions/issues</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing/discussions</url>
+          <comment>from packaging metadata Project-URL: Q &amp; A</comment>
+        </reference>
+        <reference type="release-notes">
+          <url>https://github.com/python/typing_extensions/blob/main/CHANGELOG.md</url>
+          <comment>from packaging metadata Project-URL: Changes</comment>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Repository</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Home</comment>
+        </reference>
+      </externalReferences>
+    </component>
     <component type="library" bom-ref="uri-template==1.3.0">
       <name>uri-template</name>
       <version>1.3.0</version>
@@ -814,6 +851,7 @@
       <dependency ref="py-serializable==2.1.0"/>
       <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
@@ -860,6 +898,7 @@
     <dependency ref="referencing==0.37.0">
       <dependency ref="attrs==25.4.0"/>
       <dependency ref="rpds-py==0.27.1"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
       <dependency ref="six==1.17.0"/>
@@ -875,6 +914,7 @@
     <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
     <dependency ref="types-python-dateutil==2.9.0.20251008"/>
+    <dependency ref="typing_extensions==4.15.0"/>
     <dependency ref="uri-template==1.3.0"/>
     <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin
index 378082b5..0b9dc09d 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.5.json.bin
@@ -891,6 +891,53 @@
       "type": "library",
       "version": "2.9.0.20251008"
     },
+    {
+      "bom-ref": "typing_extensions==4.15.0",
+      "description": "Backported and Experimental Type Hints for Python 3.9+",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://typing-extensions.readthedocs.io/"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://github.com/python/typing_extensions/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Q & A",
+          "type": "other",
+          "url": "https://github.com/python/typing/discussions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Changes",
+          "type": "release-notes",
+          "url": "https://github.com/python/typing_extensions/blob/main/CHANGELOG.md"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Repository",
+          "type": "vcs",
+          "url": "https://github.com/python/typing_extensions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Home",
+          "type": "website",
+          "url": "https://github.com/python/typing_extensions"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "PSF-2.0"
+          }
+        }
+      ],
+      "name": "typing_extensions",
+      "purl": "pkg:pypi/typing-extensions@4.15.0",
+      "type": "library",
+      "version": "4.15.0"
+    },
     {
       "bom-ref": "uri-template==1.3.0",
       "description": "RFC 6570 URI Template Processor",
@@ -990,7 +1037,8 @@
         "packageurl-python==0.17.5",
         "py-serializable==2.1.0",
         "referencing==0.37.0",
-        "sortedcontainers==2.4.0"
+        "sortedcontainers==2.4.0",
+        "typing_extensions==4.15.0"
       ],
       "ref": "cyclonedx-python-lib==11.2.0"
     },
@@ -1076,7 +1124,8 @@
     {
       "dependsOn": [
         "attrs==25.4.0",
-        "rpds-py==0.27.1"
+        "rpds-py==0.27.1",
+        "typing_extensions==4.15.0"
       ],
       "ref": "referencing==0.37.0"
     },
@@ -1113,6 +1162,9 @@
     {
       "ref": "types-python-dateutil==2.9.0.20251008"
     },
+    {
+      "ref": "typing_extensions==4.15.0"
+    },
     {
       "ref": "uri-template==1.3.0"
     },
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin
index 8bbacfe2..74a817f6 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.5.xml.bin
@@ -750,6 +750,43 @@
         </reference>
       </externalReferences>
     </component>
+    <component type="library" bom-ref="typing_extensions==4.15.0">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <licenses>
+        <license>
+          <id>PSF-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://typing-extensions.readthedocs.io/</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/python/typing_extensions/issues</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing/discussions</url>
+          <comment>from packaging metadata Project-URL: Q &amp; A</comment>
+        </reference>
+        <reference type="release-notes">
+          <url>https://github.com/python/typing_extensions/blob/main/CHANGELOG.md</url>
+          <comment>from packaging metadata Project-URL: Changes</comment>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Repository</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Home</comment>
+        </reference>
+      </externalReferences>
+    </component>
     <component type="library" bom-ref="uri-template==1.3.0">
       <name>uri-template</name>
       <version>1.3.0</version>
@@ -824,6 +861,7 @@
       <dependency ref="py-serializable==2.1.0"/>
       <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
@@ -870,6 +908,7 @@
     <dependency ref="referencing==0.37.0">
       <dependency ref="attrs==25.4.0"/>
       <dependency ref="rpds-py==0.27.1"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
       <dependency ref="six==1.17.0"/>
@@ -885,6 +924,7 @@
     <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
     <dependency ref="types-python-dateutil==2.9.0.20251008"/>
+    <dependency ref="typing_extensions==4.15.0"/>
     <dependency ref="uri-template==1.3.0"/>
     <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin b/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin
index 3975779c..f3a37ac6 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.6.json.bin
@@ -921,6 +921,54 @@
       "type": "library",
       "version": "2.9.0.20251008"
     },
+    {
+      "bom-ref": "typing_extensions==4.15.0",
+      "description": "Backported and Experimental Type Hints for Python 3.9+",
+      "externalReferences": [
+        {
+          "comment": "from packaging metadata Project-URL: Documentation",
+          "type": "documentation",
+          "url": "https://typing-extensions.readthedocs.io/"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Bug Tracker",
+          "type": "issue-tracker",
+          "url": "https://github.com/python/typing_extensions/issues"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Q & A",
+          "type": "other",
+          "url": "https://github.com/python/typing/discussions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Changes",
+          "type": "release-notes",
+          "url": "https://github.com/python/typing_extensions/blob/main/CHANGELOG.md"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Repository",
+          "type": "vcs",
+          "url": "https://github.com/python/typing_extensions"
+        },
+        {
+          "comment": "from packaging metadata Project-URL: Home",
+          "type": "website",
+          "url": "https://github.com/python/typing_extensions"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "acknowledgement": "declared",
+            "id": "PSF-2.0"
+          }
+        }
+      ],
+      "name": "typing_extensions",
+      "purl": "pkg:pypi/typing-extensions@4.15.0",
+      "type": "library",
+      "version": "4.15.0"
+    },
     {
       "bom-ref": "uri-template==1.3.0",
       "description": "RFC 6570 URI Template Processor",
@@ -1024,7 +1072,8 @@
         "packageurl-python==0.17.5",
         "py-serializable==2.1.0",
         "referencing==0.37.0",
-        "sortedcontainers==2.4.0"
+        "sortedcontainers==2.4.0",
+        "typing_extensions==4.15.0"
       ],
       "ref": "cyclonedx-python-lib==11.2.0"
     },
@@ -1110,7 +1159,8 @@
     {
       "dependsOn": [
         "attrs==25.4.0",
-        "rpds-py==0.27.1"
+        "rpds-py==0.27.1",
+        "typing_extensions==4.15.0"
       ],
       "ref": "referencing==0.37.0"
     },
@@ -1147,6 +1197,9 @@
     {
       "ref": "types-python-dateutil==2.9.0.20251008"
     },
+    {
+      "ref": "typing_extensions==4.15.0"
+    },
     {
       "ref": "uri-template==1.3.0"
     },
diff --git a/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin b/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin
index f04c37a4..a3e7a345 100644
--- a/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin
+++ b/tests/_data/snapshots/environment/plain_with-extras_1.6.xml.bin
@@ -750,6 +750,43 @@
         </reference>
       </externalReferences>
     </component>
+    <component type="library" bom-ref="typing_extensions==4.15.0">
+      <name>typing_extensions</name>
+      <version>4.15.0</version>
+      <description>Backported and Experimental Type Hints for Python 3.9+</description>
+      <licenses>
+        <license acknowledgement="declared">
+          <id>PSF-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/typing-extensions@4.15.0</purl>
+      <externalReferences>
+        <reference type="documentation">
+          <url>https://typing-extensions.readthedocs.io/</url>
+          <comment>from packaging metadata Project-URL: Documentation</comment>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/python/typing_extensions/issues</url>
+          <comment>from packaging metadata Project-URL: Bug Tracker</comment>
+        </reference>
+        <reference type="other">
+          <url>https://github.com/python/typing/discussions</url>
+          <comment>from packaging metadata Project-URL: Q &amp; A</comment>
+        </reference>
+        <reference type="release-notes">
+          <url>https://github.com/python/typing_extensions/blob/main/CHANGELOG.md</url>
+          <comment>from packaging metadata Project-URL: Changes</comment>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Repository</comment>
+        </reference>
+        <reference type="website">
+          <url>https://github.com/python/typing_extensions</url>
+          <comment>from packaging metadata Project-URL: Home</comment>
+        </reference>
+      </externalReferences>
+    </component>
     <component type="library" bom-ref="uri-template==1.3.0">
       <name>uri-template</name>
       <version>1.3.0</version>
@@ -824,6 +861,7 @@
       <dependency ref="py-serializable==2.1.0"/>
       <dependency ref="referencing==0.37.0"/>
       <dependency ref="sortedcontainers==2.4.0"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="defusedxml==0.7.1"/>
     <dependency ref="fqdn==1.5.1"/>
@@ -870,6 +908,7 @@
     <dependency ref="referencing==0.37.0">
       <dependency ref="attrs==25.4.0"/>
       <dependency ref="rpds-py==0.27.1"/>
+      <dependency ref="typing_extensions==4.15.0"/>
     </dependency>
     <dependency ref="rfc3339-validator==0.1.4">
       <dependency ref="six==1.17.0"/>
@@ -885,6 +924,7 @@
     <dependency ref="six==1.17.0"/>
     <dependency ref="sortedcontainers==2.4.0"/>
     <dependency ref="types-python-dateutil==2.9.0.20251008"/>
+    <dependency ref="typing_extensions==4.15.0"/>
     <dependency ref="uri-template==1.3.0"/>
     <dependency ref="webcolors==24.11.1"/>
     <dependency ref="zipp==3.20.2">

From 75d60fd269df386fe1dad856e08db23496245d90 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:19:13 +0200
Subject: [PATCH 08/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index ee7c529f..f6a9153b 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -48,7 +48,6 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
 
 
 def pip_install(*args: str) -> None:
-    site = None
     pip_run(
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility

From b80bff5aa9d12c8fe85b9daabee1cd115aa33b58 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:34:25 +0200
Subject: [PATCH 09/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/__init__.py                                   | 4 ++--
 tests/_data/infiles/environment/with-extras/init.py | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/tests/__init__.py b/tests/__init__.py
index 75a96819..06029472 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -28,11 +28,11 @@
 
 from cyclonedx_py import __version__ as __this_version
 
-RECREATE_SNAPSHOTS = '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
+RECREATE_SNAPSHOTS = True # '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
 if RECREATE_SNAPSHOTS:
     print('!!! WILL RECREATE ALL SNAPSHOTS !!!', file=sys.stderr)
 
-INIT_TESTBEDS = '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
+INIT_TESTBEDS = True # '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
 if INIT_TESTBEDS:
     print('!!! WILL INIT TESTBEDS !!!', file=sys.stderr)
 
diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index f6a9153b..d93345b6 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -71,7 +71,8 @@ def main() -> None:
         'importlib-resources>=1.4.0',
         'pkgutil-resolve-name>=1.3.10',
         'zipp>=3.1.0',
-        'jsonschema-specifications==2023.03.6',
+        'jsonschema-specifications>=2023.03.6',
+        'typing_extensions>=4'
     )
 
 

From a0063a81cdd95a1941357adec05283e0b0ec65f4 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:35:18 +0200
Subject: [PATCH 10/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/__init__.py b/tests/__init__.py
index 06029472..75a96819 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -28,11 +28,11 @@
 
 from cyclonedx_py import __version__ as __this_version
 
-RECREATE_SNAPSHOTS = True # '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
+RECREATE_SNAPSHOTS = '1' == getenv('CDX_TEST_RECREATE_SNAPSHOTS')
 if RECREATE_SNAPSHOTS:
     print('!!! WILL RECREATE ALL SNAPSHOTS !!!', file=sys.stderr)
 
-INIT_TESTBEDS = True # '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
+INIT_TESTBEDS = '1' != getenv('CDX_TEST_SKIP_INIT_TESTBEDS')
 if INIT_TESTBEDS:
     print('!!! WILL INIT TESTBEDS !!!', file=sys.stderr)
 

From 3b60356becb76422b1b5c8bf4d73c2967ab6e99d Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:50:14 +0200
Subject: [PATCH 11/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index d93345b6..14517ac9 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -52,7 +52,7 @@ def pip_install(*args: str) -> None:
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility
         '--only-binary=:all:',
-        '-t', join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages'),
+        '-t', f'{env_dir}/lib/python{version_info[0]}.{version_info[1]}/site-packages',
         '-c', constraint_file,  # needed for reproducibility
         *args,
     )

From fdab0dd31328003ee7498737544d2f435cfabd4d Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:51:13 +0200
Subject: [PATCH 12/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index 14517ac9..d93345b6 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -52,7 +52,7 @@ def pip_install(*args: str) -> None:
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility
         '--only-binary=:all:',
-        '-t', f'{env_dir}/lib/python{version_info[0]}.{version_info[1]}/site-packages',
+        '-t', join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages'),
         '-c', constraint_file,  # needed for reproducibility
         *args,
     )

From 35a79a1456ffb8fe4643b7e0098c3dc46dabdc05 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 13:51:56 +0200
Subject: [PATCH 13/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index d93345b6..8f29b906 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -50,7 +50,7 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
 def pip_install(*args: str) -> None:
     pip_run(
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
-        '--python-version=3.14',  # needed for compatibility
+        '--python-version=3.14',  # needed for compatibility/reproducibility
         '--only-binary=:all:',
         '-t', join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages'),
         '-c', constraint_file,  # needed for reproducibility

From 3b76e803fbb48a9327b2dd748c9bb53f02e9708d Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 14:02:30 +0200
Subject: [PATCH 14/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index 8f29b906..def07aef 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -48,11 +48,14 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
 
 
 def pip_install(*args: str) -> None:
+    t = join(env_dir, 'Lib', 'site-packages') \
+      if os_name == 'nt' \
+      else join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages')
     pip_run(
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility/reproducibility
         '--only-binary=:all:',
-        '-t', join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages'),
+        '-t', t,
         '-c', constraint_file,  # needed for reproducibility
         *args,
     )

From d92b28b0562aecf3dfefc79eec3c8c000925b005 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 14:41:55 +0200
Subject: [PATCH 15/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 .../infiles/environment/with-extras/init.py   | 25 +++++++++++++------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index def07aef..520b144b 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -20,7 +20,7 @@
 """
 
 from os import name as os_name
-from os.path import dirname, join
+from os.path import dirname, isdir, join
 from subprocess import PIPE, CompletedProcess, run  # nosec:B404
 from sys import argv, executable, version_info
 from typing import Any
@@ -44,30 +44,38 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
     res = run(call, **kwargs, cwd=this_dir, shell=False)  # nosec:B603
     if res.returncode != 0:
         raise RuntimeError('process failed')
+
     return res
 
 
-def pip_install(*args: str) -> None:
-    t = join(env_dir, 'Lib', 'site-packages') \
-      if os_name == 'nt' \
-      else join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages')
+def pip_install(*args: str, side_packages_dir: str) -> None:
+    if side_packages_dir is None:
+        raise RuntimeError()
     pip_run(
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility/reproducibility
         '--only-binary=:all:',
-        '-t', t,
+        '--target', side_packages_dir,
         '-c', constraint_file,  # needed for reproducibility
         *args,
     )
 
 
 def main() -> None:
-    EnvBuilder(
+    eb = EnvBuilder(
         system_site_packages=False,
         symlinks=os_name != 'nt',
         with_pip=False,
     ).create(env_dir)
 
+    try:
+        spd = next(filter(isdir, (
+            join(env_dir, 'lib', f'python{version_info[0]}.{version_info[1]}', 'site-packages'),
+            join(env_dir, 'Lib', 'site-packages')  # windows ?
+        )))
+    except StopIteration:
+        raise RuntimeError('site-packages not found')
+
     pip_install(
         'cyclonedx-python-lib[xml-validation,json-validation]==11.2',
         # additionals for reproducibility foo
@@ -75,7 +83,8 @@ def main() -> None:
         'pkgutil-resolve-name>=1.3.10',
         'zipp>=3.1.0',
         'jsonschema-specifications>=2023.03.6',
-        'typing_extensions>=4'
+        'typing_extensions>=4',
+        side_packages_dir=spd
     )
 
 

From 5774fbcc5bb8c9b1cfdd48e774441dac892107f6 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 14:47:40 +0200
Subject: [PATCH 16/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index 520b144b..85ba36cf 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -62,7 +62,7 @@ def pip_install(*args: str, side_packages_dir: str) -> None:
 
 
 def main() -> None:
-    eb = EnvBuilder(
+    EnvBuilder(
         system_site_packages=False,
         symlinks=os_name != 'nt',
         with_pip=False,

From 91ef556e973d147bd718b0d8f30ce1d94a758945 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 14:49:35 +0200
Subject: [PATCH 17/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index 85ba36cf..3de95680 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -48,7 +48,7 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
     return res
 
 
-def pip_install(*args: str, side_packages_dir: str) -> None:
+def pip_install(*args: str, site_packages_dir: str) -> None:
     if side_packages_dir is None:
         raise RuntimeError()
     pip_run(
@@ -84,7 +84,7 @@ def main() -> None:
         'zipp>=3.1.0',
         'jsonschema-specifications>=2023.03.6',
         'typing_extensions>=4',
-        side_packages_dir=spd
+        site_packages_dir=spd
     )
 
 

From add3976c1783b81e7b2e8958bc49647b4e3bcfb4 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 14:53:58 +0200
Subject: [PATCH 18/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index 3de95680..c84920b8 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -55,7 +55,7 @@ def pip_install(*args: str, site_packages_dir: str) -> None:
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility/reproducibility
         '--only-binary=:all:',
-        '--target', side_packages_dir,
+        '--target', site_packages_dir,
         '-c', constraint_file,  # needed for reproducibility
         *args,
     )

From 7f95335d05d00450521d70f624e11b8be5a23e19 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck <jan.kowalleck@gmail.com>
Date: Thu, 16 Oct 2025 14:57:22 +0200
Subject: [PATCH 19/19] bump

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
---
 tests/_data/infiles/environment/with-extras/init.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tests/_data/infiles/environment/with-extras/init.py b/tests/_data/infiles/environment/with-extras/init.py
index c84920b8..a50cc666 100644
--- a/tests/_data/infiles/environment/with-extras/init.py
+++ b/tests/_data/infiles/environment/with-extras/init.py
@@ -49,8 +49,6 @@ def pip_run(*args: str, **kwargs: Any) -> CompletedProcess:
 
 
 def pip_install(*args: str, site_packages_dir: str) -> None:
-    if side_packages_dir is None:
-        raise RuntimeError()
     pip_run(
         'install', '--require-virtualenv', '--no-input', '--progress-bar=off', '--no-color',
         '--python-version=3.14',  # needed for compatibility/reproducibility