
dependencies - Should I generate an SBOM for a Python library with bounded version ranges? - Stack Overflow


I'm maintaining a Python library and considering whether I should generate a Software Bill of Materials (SBOM) for it. However, my pyproject.toml defines dependencies using bounded version ranges (e.g., >=1.0, <=2.0), meaning that the exact versions used can vary depending on the environment.

My main questions are:

  1. Is it necessary to generate an SBOM for a library when dependencies are defined with version ranges instead of exact versions?

  2. How should I generate the SBOM? Should it be generated without resolving exact versions (only listing direct dependencies as specified in pyproject.toml)? Or should it include resolved exact versions along with transitive dependencies?
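To make the two options in the question concrete, here is an added example (not part of the original post, and not code from any SBOM tool): a declaration-level SBOM built from the pyproject.toml specifiers as written, beside an environment-level SBOM built from a resolved install. All inputs are constructed; the CycloneDX property name used to carry the range is an assumed convention, not a field the spec defines.

```python
import json
import re

# Constructed sample inputs (not from the original post): the library's direct
# dependencies as declared in pyproject.toml, and one resolved environment as
# `pip freeze` would report it (direct deps plus their transitives).
DIRECT_DEPS = ["requests>=2.28,<3", "packaging>=21.0"]
RESOLVED_ENV = ["requests==2.31.0", "packaging==23.2", "urllib3==2.2.1",
                "certifi==2024.2.2", "charset-normalizer==3.3.2", "idna==3.6"]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")

def parse_requirement(req):
    """Split 'name>=1.0,<2' into (PEP 503 normalized name, specifier string)."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    return name, m.group(2)

def component(name, version=None, constraint=None):
    """Build one CycloneDX component; a purl without a version is valid."""
    comp = {"type": "library", "name": name,
            "purl": f"pkg:pypi/{name}" + (f"@{version}" if version else "")}
    if version:
        comp["version"] = version
    if constraint:
        # CycloneDX has no first-class component field for a version range, so
        # the declared constraint goes into a custom property (assumed convention).
        comp["properties"] = [{"name": "python:declared-constraint", "value": constraint}]
    return comp

def library_sbom(direct_deps):
    """Unresolved SBOM: what the library declares, true for every install of it."""
    comps = [component(n, constraint=c) for n, c in map(parse_requirement, direct_deps)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": comps}

def environment_sbom(frozen):
    """Resolved SBOM: exact versions plus transitives, true for one install only."""
    comps = []
    for line in frozen:
        name, spec = parse_requirement(line)
        if not spec.startswith("=="):
            raise ValueError(f"expected a pinned requirement, got {line!r}")
        comps.append(component(name, version=spec[2:]))
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": comps}

if __name__ == "__main__":
    print(json.dumps(library_sbom(DIRECT_DEPS), indent=2))
    print(json.dumps(environment_sbom(RESOLVED_ENV), indent=2))
```

The first document describes the library and stays valid across releases of its dependencies; the second describes one concrete deployment and is the one a vulnerability scanner can match exact versions against.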
