CycloneDX
diff --git a/‎HISTORY.md
+5 b/‎HISTORY.md
+5
diff --git a/‎composer.json
+1-1 b/‎composer.json
+1-1
diff --git a/‎demo/laravel-7.12.0/README.md
+1-5 b/‎demo/laravel-7.12.0/README.md
+1-5
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* Added
+  * The resulting SBoM hold ExternalReferences as fetched from package descriptions. (via [#145]) 
+
+[#145]: https://github.com/CycloneDX/cyclonedx-php-composer/pull/145
+
 ## 3.8.0 - 2021-11-30
 
 * Fixed
 
@@ -28,7 +28,7 @@
     "require": {
         "php": "^7.3 || ^8.0",
         "composer-plugin-api": "^2.0",
-        "cyclonedx/cyclonedx-library": "^1.0",
+        "cyclonedx/cyclonedx-library": "^1.2",
         "package-url/packageurl-php": "^1.0"
     },
     "require-dev": {
 
@@ -55,11 +55,7 @@ Run one of these from the demo directory:
 Lock-file should stay in a certain state, after updating dependencies.
 
 Upgrade the `composer.lock` tile to the latest changes to the plugin via:
+1. downgrade composer to v2: `composer self-update -- 2.0.0`
 1. run `composer -dproject update 'cyclonedx/cyclonedx-php-composer'`
-2. revert in the `composer.lock` some setup 
-   * for package `cyclonedx/cyclonedx-php-composer`:
-     * set `version` to `dev-master`
-     * delete the `dist.reference`
-   * set `plugin-api-version` to `2.0.0`
 
 Then re-generate all results as shown in section above.