npm sbom
The npm sbom command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either SPDX \(lahttps://spdx.dev/\(ra or CycloneDX \(lahttps://cyclonedx.org/\(ra format.
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
"version": 1,
"metadata": {
"timestamp": "2023-09-01T00:00:00.001Z",
"lifecycles": \[lB]
{
"phase": "build"
}
\[rB],
"tools": \[lB]
{
"vendor": "npm",
"name": "cli",
"version": "10.1.0"
}
\[rB],
"component": {
"bom-ref": "simple@1.0.0",
"type": "library",
"name": "simple",
"version": "1.0.0",
"scope": "required",
"author": "John Doe",
"description": "simple react app",
"purl": "pkg:npm/simple@1.0.0",
"properties": \[lB]
{
"name": "cdx:npm:package:path",
"value": ""
}
\[rB],
"externalReferences": \[lB]\[rB],
"licenses": \[lB]
{
"license": {
"id": "MIT"
}
}
\[rB]
}
},
"components": \[lB]
{
"bom-ref": "lodash@4.17.21",
"type": "library",
"name": "lodash",
"version": "4.17.21",
"scope": "required",
"author": "John-David Dalton",
"description": "Lodash modular utilities.",
"purl": "pkg:npm/lodash@4.17.21",
"properties": \[lB]
{
"name": "cdx:npm:package:path",
"value": "node_modules/lodash"
}
\[rB],
"externalReferences": \[lB]
{
"type": "distribution",
"url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
},
{
"type": "vcs",
"url": "git+https://github.com/lodash/lodash.git"
},
{
"type": "website",
"url": "https://lodash.com/"
},
{
"type": "issue-tracker",
"url": "https://github.com/lodash/lodash/issues"
}
\[rB],
"hashes": \[lB]
{
"alg": "SHA-512",
"content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
\[rB],
"licenses": \[lB]
{
"license": {
"id": "MIT"
}
}
\[rB]
}
\[rB],
"dependencies": \[lB]
{
"ref": "simple@1.0.0",
"dependsOn": \[lB]
"lodash@4.17.21"
\[rB]
},
{
"ref": "lodash@4.17.21",
"dependsOn": \[lB]\[rB]
}
\[rB]
}
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "simple@1.0.0",
"documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
"creationInfo": {
"created": "2023-09-01T00:00:00.001Z",
"creators": \[lB]
"Tool: npm/cli-10.1.0"
\[rB]
},
"documentDescribes": \[lB]
"SPDXRef-Package-simple-1.0.0"
\[rB],
"packages": \[lB]
{
"name": "simple",
"SPDXID": "SPDXRef-Package-simple-1.0.0",
"versionInfo": "1.0.0",
"packageFileName": "",
"description": "simple react app",
"primaryPackagePurpose": "LIBRARY",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"homepage": "NOASSERTION",
"licenseDeclared": "MIT",
"externalRefs": \[lB]
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/simple@1.0.0"
}
\[rB]
},
{
"name": "lodash",
"SPDXID": "SPDXRef-Package-lodash-4.17.21",
"versionInfo": "4.17.21",
"packageFileName": "node_modules/lodash",
"description": "Lodash modular utilities.",
"downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"filesAnalyzed": false,
"homepage": "https://lodash.com/",
"licenseDeclared": "MIT",
"externalRefs": \[lB]
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/lodash@4.17.21"
}
\[rB],
"checksums": \[lB]
{
"algorithm": "SHA512",
"checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
\[rB]
}
\[rB],
"relationships": \[lB]
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
"relationshipType": "DESCRIBES"
},
{
"spdxElementId": "SPDXRef-Package-simple-1.0.0",
"relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
"relationshipType": "DEPENDS_ON"
}
\[rB]
}
If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded. This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).
Dependency types to omit from the installation tree on disk.
Note that these dependencies are still resolved and added to the package-lock.json or npm-shrinkwrap.json file. They are just not physically installed on disk.
If a package type appears in both the --include and --omit lists, then it will be included.
If the resulting omit list includes 'dev', then the NODE_ENV environment variable will be set to 'production' for all lifecycle scripts.
If set to true, the current operation will only use the package-lock.json, ignoring node_modules.
For update this means only the package-lock.json will be updated, instead of checking node_modules and downloading dependencies.
For list this means the output will be based on the tree described by the package-lock.json, rather than the contents of node_modules.
SBOM format to use when generating SBOMs.
The type of package described by the generated SBOM. For SPDX, this is the value for the primaryPackagePurpose field. For CycloneDX, this is the value for the type field.
Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option.
Valid values for the workspace config are either:
When set for the npm init command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project.
This value is not exported to the environment for child processes.
Set to true to run the command in the context of all configured workspaces.
Explicitly setting this to false will cause commands like install to ignore workspaces altogether. When not set explicitly:
This value is not exported to the environment for child processes.