Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

@cyclonedx/cyclonedx-npm

CycloneDX450.8kApache-2.03.0.0

Create CycloneDX Software Bill of Materials (SBOM) from NPM projects.

CycloneDX, SBOM, BOM, inventory, bill-of-materials, software-bill-of-materials, component, dependency, package-url, PURL, spdx, node, npm

readme

CycloneDX SBOM for npm

shield_npm-version shield_gh-workflow-test shield_coverage shield_ossf-best-practices shield_license
shield_website shield_slack shield_groups shield_twitter-follow

Create CycloneDX Software Bill of Materials (SBOM) from npm projects.
This is probably the most accurate, complete SBOM generator for npm-based projects.

Based on OWASP Software Component Verification Standard for Software Bill of Materials's criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).

The resulting SBOM documents follow official specifications and standards, and might have properties following cdx:npm Namespace Taxonomy .

Requirements

  • node >= 20.18.0
  • npm >= 9

However, there are older versions of this tool that support

  • Node.js v14 or later
  • NPM v6 or later

Installation

There are multiple methods for installing this tool:

  • As a global tool ala npm:

    npm install --global @cyclonedx/cyclonedx-npm

  • As a global tool ala npx:

    npx --package @cyclonedx/cyclonedx-npm --call exit

  • As a development dependency of the current project:

    npm install --save-dev @cyclonedx/cyclonedx-npm

Usage

Depending on the installation method, the following describes the proper usage:

  • If installed as a global tool ala npm:

    cyclonedx-npm --help

  • If installed as a global tool ala npx:
    — or —
    If installed as a development dependency of the current projects:

    npx @cyclonedx/cyclonedx-npm --help

The help page:

Usage: cyclonedx-npm [options] [--] [<package-manifest>]

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.

Arguments:
  <package-manifest>              Path to project's manifest file.
                                  (default: "package.json" file in current working directory)

Options:
  --ignore-npm-errors             Whether to ignore errors of NPM.
                                  This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps".
                                  (default: false)
  --package-lock-only             Whether to only use the lock file, ignoring "node_modules".
                                  This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
                                  (default: false)
  --omit <type...>                Dependency types to omit from the installation tree.
                                  (can be set multiple times)
                                  (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
  -w, --workspace <workspace...>  Only include dependencies for specific workspaces.
                                  (can be set multiple times)
                                  This feature is experimental.
                                  (default: empty)
  --no-workspaces                 Do not include dependencies for workspaces.
                                  Default behaviour is to include dependencies for all configured workspaces.
                                  This cannot be used if workspaces have been explicitly defined using `--workspace`.
                                  This feature is experimental.
  --include-workspace-root        Include workspace root dependencies along with explicitly defined workspaces' dependencies. This can only be used if you have explicitly defined workspaces using `--workspace`.
                                  Default behaviour is to not include the workspace root when workspaces are explicitly defined using `--workspace`.
                                  This feature is experimental.
  --no-include-workspace-root     Do not include workspace root dependencies. This only has an effect if you have one or more workspaces configured in your project.
                                  This is useful if you want to include all dependencies for all workspaces without explicitly defining them with `--workspace` (default behaviour) but you do not want the workspace root dependencies included.
                                  This feature is experimental.
  --gather-license-texts          Search for license files in components and include them as license evidence.
                                  This feature is experimental.
                                  (default: false)
  --flatten-components            Whether to flatten the components.
                                  This means the actual nesting of node packages is not represented in the SBOM result.
                                  (default: false)
  --short-PURLs                   Omit all qualifiers from PackageURLs.
                                  This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
                                  (default: false)
  --sv, --spec-version <version>  Which version of CycloneDX spec to use.
                                  (choices: "1.2", "1.3", "1.4", "1.5", "1.6", default: "1.6")
  --output-reproducible           Whether to go the extra mile and make the output reproducible.
                                  This requires more resources, and might result in loss of time- and random-based-values.
                                  (env: BOM_REPRODUCIBLE)
  --of, --output-format <format>  Which output format to use.
                                  (choices: "JSON", "XML", default: "JSON")
  -o, --output-file <file>        Path to the output file.
                                  Set to "-" to write to STDOUT.
                                  (default: write to STDOUT)
  --validate                      Validate resulting BOM before outputting.
                                  Validation is skipped, if requirements not met. See the README.
  --no-validate                   Disable validation of resulting BOM.
  --mc-type <type>                Type of the main component.
                                  (choices: "application", "firmware", "library", default: "application")
  -v, --verbose                   Increase the verbosity of messages.
                                  Use multiple times to increase the verbosity even more.
  -V, --version                   output the version number
  -h, --help                      display help for command

Demo

For a demo of cyclonedx-npm see the demo projects.

How it works

This tool utilizes npm to collect evidences of installed packages/modules. Read more in the dedicated docs.

The appropriate npm executable is detected automatically, yet can be overridden with the environment variable npm_execpath.
Autodetect: If called from npm/npx context, then the current npm executable is utilized, otherwise it is managed by SHELL and PATH.

This tool does not do artificial deduplication. Therefore, if a component is installed multiple times, it appears multiple times in the SBOM result. Read more on the topic in the dedicated docs "Component Deduplication".

Internals

This tool utilizes the CycloneDX library to generate the actual data structures, and serialize and validate them.
Validation requires transitive optional dependencies.

This tool does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades. However, the CLI is stable - you may call it programmatically like:

const { execFileSync } = require('child_process')
const { constants: { MAX_LENGTH: BUFFER_MAX_LENGTH } } = require('buffer')
const sbom = JSON.parse(execFileSync(process.execPath, [
    '../path/to/this/package/bin/cyclonedx-npm-cli.js',
    '--output-format', 'JSON',
    '--output-file', '-'
    // additional CLI args
], { stdio: ['ignore', 'pipe', 'ignore'], encoding: 'buffer', maxBuffer: BUFFER_MAX_LENGTH }))

Contributing

Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

changelog

Changelog

All notable changes to this project will be documented in this file.

unreleased

3.0.0 - 2025-04-08

  • BREAKING Changes
  • Added
    • CLI switch -o as shorthand for --output-file (#1282 via #1288)
    • CLI switch --of as shorthand for --outout-format (#1282 via #1288)
    • CLI switch --sv as shorthand for --spec-version (#1282 via #1288)
  • Fixed
    • License gathering correctly ignores symlinks and directories (#1290 via #1291)
  • Runtime Dependencies
    • Raised @cyclonedx/cyclonedx-library@^8.0.0, was @^7.0.0 (via #1281)
    • Raised commander@^13.1.0, was @^10.0.0 (via #1281, #1288)
    • Raised normalize-package-data@^7.0.0, was @^3||^4||^5||^6 (via #1281)
  • Build
    • Use TypeScript v5.8.3 now, was v5.7.3 (via #1267, #1289)

2.1.0 - 2025-03-19

  • Added
    • Functionality for workspaces (#1126 via #1212)
      This introduces new CLI options/switches: --workspace, --no-workspaces, --[no-]include-workspace-root. See the docs for details.

2.0.0 - 2025-01-27

  • BREAKING Changes
    • CLI option --spec-version defaults to 1.6, was 1.4 (#1173 via #1258)
    • Emit $.metadata.tools as components (#1233 via #1235)
      This affects only CycloneDX spec-version 1.5 and later.
    • Emitted .purl values might be partially url-encoded (via #1235)
      This is caused by changes on underlying 3rd-party dependency packageurl-js.
    • Create dir for output file if not exists (#1241 via #1242)
      This is only a breaking change if you relied on non-existent result paths to cause errors.
  • Misc
    • Raised dependency @cyclonedx/cyclonedx-library@^7.0.0, was @^6.11.0 (via #1235)

1.20.0 - 2025-01-13

  • Added
    • Official support for npm@11 (#1245 via #1249)
    • Capability to gather license text evidences (#256 via #1243)
      This feature can be controlled via CLI switch --gather-license-texts.
      This feature is experimental. This feature is disabled per default.
  • Dependencies
    • No longer directly depend on packageurl-js (via #1237)
  • Build

1.19.3 - 2024-07-15

  • Dependencies
    • Raised runtime dependency @cyclonedx/cyclonedx-library@^6.11.0, was @^6.6.0 (via #1205)
      This was done to incorporate non-breaking upstream changes and fixes.
  • Build
    • Use TypeScript v5.5.3 now, was v5.4.5 (via #1201)

1.19.2 - 2024-07-10

  • Fixed
    • CycloneDX externalReferences for vcs type (#1198 via #1202)
    • CycloneDX property cdx:npm:package:path's value on Windows systems (via #1203)

1.19.0 - 2024-06-01

  • Changed
    • Try to sanitize distribution URLs (via #1187, #1191)
  • Added
    • More debug output when it comes to package manifest loading (via #1189)
  • Misc
    • Added direct dependency hosted-git-info@^4||^5||^6||^7 (via #1191)
      This is also a transitive dependency via already existing direct dependency normalize-package-data.

1.18.0 - 2024-05-08

  • Added
    • Licenses acknowledgement might be populated (#1171 via #1183)
  • Dependencies
    • Raised dependency @cyclonedx/cyclonedx-library@^6.6.0, was @^6.5.0 (via #1183)

1.17.0 - 2024-04-23

Added support for CycloneDX Specification-1.6.

  • Changed
    • This tool explicitly supports CycloneDX Specification-1.6 now (via #1175)
  • Added
    • CLI switch --spec-version now supports value 1.6 to reflect CycloneDX Specification-1.6 (via #1175)
      Default value for that option is unchanged - still 1.4.
  • Build
    • Use TypeScript v5.4.5 now, was v5.4.2 (via #1167)

1.16.2 - 2024-03-19

  • Style
    • Applied latest code standards (via #1149)
  • Build
    • Use TypeScript v5.4.2 now, was v5.3.3 (via #1160)

1.16.1 - 2024-01-11

  • Fixed
    • Writing large results to buffered streams no longer drops data, but retries until success (via #1145)
  • Docs
    • Showcase programmatic CLI usage (#1142 via #1145)

1.16.0 - 2023-12-11

  • Change
    • If BOM result validation was explicitly requested and skipped, then a warning is shown (#1137 via #1138)
    • Log messages that explain program failures were set to "error" level (via #1138)

1.15.0 - 2023-12-10

  • Changed
    • Log output is less verbose, can be re-enabled via CLI switch --verbose (#158 via #1131)
      Warnings and errors are still displayed as before!
      This is considered a non-breaking change, since only informational logs and debug information is affected.
    • Hardened JSON imports (via #1132, #1135)
  • Added
    • CLI switch -v, --verbose to increase output verbosity (#158 via #1131)
      May be used multiple times, like -vvv.
    • More logs on info-level (via #1131)
    • More logs on debug-level (via #1131)
  • Build
    • Use TypeScript v5.3.3 now, was v5.3.2 (via #1133)

1.14.3 - 2023-12-01

  • Fixed
    • Added direct dependency packageurl-js as such (via #1122)
  • Docs
    • Fixed typos (via #1123)
  • Style
    • Applied latest code standards (via #1124)
  • Build
    • Use TypeScript v5.3.2 now, was v5.2.2 (via #1125)

1.14.2 - 2023-11-06

  • Fixed
    • SBOM results might have the externalReferences[].hashes populated (#1118 via #1120)
      The hashes might have wrongly appeared as components[].hashes before.
    • Components' distribution integrity hash of "sha256" is properly detected and populated in the SBOM result (#699 via #1121)
    • Components' distribution integrity hash of "sha384" is properly detected and populated in the SBOM result (#699 via #1121)
  • Misc
    • Raised dependency @cyclonedx/cyclonedx-library@^6.1.0, was @^3||^4||^5||^6 (via #1120)

1.14.1 - 2023-09-18

  • Fixed
    • explicit allow engine npm@10 (via #1107)
      This is a bugfix for an existing feature (see #973).
  • Tests
    • added regression test for all supported NPM versions (via #1108)

1.14.0 - 2023-09-03

  • Added
    • SBOM result might have additional items in metadata.tools populated (#1100 via #1101)

1.13.3 - 2023-09-01

  • Docs
    • Tell about support for npm version 10 (#973 via #974)
  • Tests
    • Added tests for npm@10 (#973 via #974)

1.13.2 - 2023-08-28

  • Build
    • Use TypeScript v5.2.2 now, was v5.1.6 (via #1098)
  • Misc
    • Raised dependency @cyclonedx/cyclonedx-library@^3||^4||^5||^6, was @^3||^4||^5 (via #1096)

1.13.1 - 2023-08-18

  • Misc
    • Raised dependency @cyclonedx/cyclonedx-library@^3||^4||^5, was @^3||^4 (via #1042)
    • Raised dependency normalize-package-data@^3||^4||^5||^6, was @^3||^4||^5 (via #1043)

1.13.0 - 2023-07-07

Added support for CycloneDX Specification-1.5.

  • Changed
    • This tool supports CycloneDX Specification-1.5 now (#828 via #843)
  • Added
    • CLI switch --spec-version now supports value 1.5 to reflect CycloneDX Specification-1.5 (#828 via #843)
      Default value for that option is unchanged - still 1.4.
  • Build
    • Use TypeScript v5.1.6 now, was v5.1.3 (via #841)
  • Misc
    • Raised dependency @cyclonedx/cyclonedx-library@^3||^4, was @^2.0.0 (#828 via #843)

1.12.1 - 2023-06-16

  • Build
    • Use TypeScript v5.1.3 now, was v5.0.4 (via #764)
    • Disabled TypeScript compilerOption esModuleInterop (via #736)
    • Disabled TypeScript compilerOption allowSyntheticDefaultImports (via #736)

1.12.0 - 2023-05-17

Based on OWASP Software Component Verification Standard for Software Bill of Materials (SCVS SBOM) criteria, this tool is now capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
Affective changes based on these SCVS SBOM criteria:

  • 2.15 — SPDX license expression detection improved (via #726)
  • 2.18 — SHA-1 integrity hash detection added (#699 via #735)

Details

  • Changes
    • SPDX license expression detection improved (via #726)
      Previously, some expressions were not properly detected, so they were marked as named-license in the SBOM results. They should be marked as expression, now.
  • Added
    • Added detection for package integrity with SHA-1 (#699 via #735)
  • Dependencies
    • Raised dependency @cyclonedx/cyclonedx-library@^2.0.0, was @^1.14.0 (via #726)

1.11.0 - 2023-04-27

  • Added
    • SBOM result might be validated (via #660)
      This feature is enabled per default and can be disabled via CLI switch --no-validate.
      Validation is skipped, if requirements are not met. Requires transitive optional dependencies

1.10.0 - 2023-04-17

  • Added
    • SBOM result might have component.scope=optional populated for OptionalDependencies (#645 via #657)
  • Fixed
    • DevDependencies that are also required by OptionalDependencies correctly have the property cdx:npm:package:development populated in SBOM results (#645 via #657)
    • DevDependencies that are also required by OptionalDependencies are correctly omitted from SBOM results, when the CLI switch for omitting "dev" and "optional" are set (#645 via #657)
  • Docs
    • Describe internal NPM executable detection in README (via #647)
  • Build
    • Use TypeScript v5.0.4 now, was v4.9.5 (via #638)

1.9.2 - 2023-03-30

  • Fixed
    • No longer omit components' version's buildID (#551 via #597)
      Fixed for NPM>=7 only. NPM6 omits this information in the first place, still.
  • Misc

1.9.1 - 2023-03-15

  • Docs
    • added section "How it works" to the README (via #563)

1.9.0 - 2023-03-03

  • Changed
    • Detected node packages' metadata are now normalized, before translation to SBOM components happens (#536 via #537)
      This might increase the quality of SBOM results.

1.8.0 - 2023-02-16

  • Added
    • SBOM result might have additional items in metadata.tools populated (#505 via #506)

1.7.5 - 2023-02-14

Maintenance release

1.7.4 - 2023-02-14

Maintenance release

1.7.3 - 2023-02-12

Maintenance release

  • Dependencies
    • Utilize commander ^10.0.0 now, was "^9.4.0 (via #431)
  • Build
    • Use TypeScript v4.9.5 now, was v4.9.4 (via #482)

1.7.2 - 2022-12-19

  • Changed
    • Enhanced randomness when generating a serialNumber (via #389)
  • Build
    • Use TypeScript v4.9.4 now, was v4.9.3 (via #366)

1.7.1 - 2022-12-16

Maintenance release

1.7.0 - 2022-12-15

  • Added
    • SBOM result might have serialNumber populated (#375 via #376, #377)

1.6.1 - 2022-11-19

Maintenance release

  • Docs
    • Enhanced documentation regarding NodeJS/NPM internals, package-dedupe and results (via #331)
  • Misc
    • Added test for flattened results (via #312)
  • Build
    • Use TypeScript v4.9.3 now, was v4.8.4 (via #333)

1.6.0 - 2022-11-12

  • Added
  • Misc
    • Added demos for flattened results (via #310)

1.5.0 - 2022-11-11

  • Added
    • Components' install path/location will be visible in the SBOM result (#305 via #308)

1.4.1 - 2022-11-06

  • Fixed
    • Components' "sha512" hash is properly detected and populated in the SBOM result (#302 via #303)

1.4.0 - 2022-11-05

  • Added
    • Enabled support for NPM v9 (#245 via #246)

1.3.0 - 2022-10-30

  • Fixed
    • Improved the NPM compatibility with --omit options (#254 via #259)
    • In case of an error, the exit code is guaranteed to be non-zero (via #260)
  • Misc
    • Added more debug output regarding NPM version detection (via #259)

1.2.0 - 2022-10-23

  • Changed
    • The existence of a lock file is no longer enforced, as long as there are other evidence (#247 via #248)

1.1.0 - 2022-10-22

  • Added
    • CLI got a new switch --short-PURLs (#225 via #226)
  • Fixed
    • Improved usability on Windows (#161 via #234)
  • Misc
    • Improved the error message when a lock files was missing (#196 via #231)
  • Build
    • Use TypeScript v4.8.4 now, was v4.8.3 (via #164)

1.0.0 - 2022-09-24

First major version (via #1)

Thanks to all the beta testers. Your efforts, feedback and contributions are appreciated.

1.0.0-beta.8 - 2022-09-10

  • Fixed
    • Run on Windows systems was improved for npm/npx sub-processes.
  • Misc
    • Style: imports are sorted, now.
  • Build
    • Use TypeScript v4.8.3 now, was v4.8.2.

1.0.0-beta.7 - 2022-09-07

  • Changed
    • PackageUrl(PURL) in JSON and XML results are as short as possible, but still precise.

1.0.0-beta.6 - 2022-09-06

  • Added
    • CLI switch --ignore-npm-errors to ignore/suppress NPM errors.

1.0.0-beta.5 - 2022-09-06

  • Added
    • Support for node 14 was enabled.
    • Support for handling when run via npx.
  • Docs
    • Improve installation instructions and usage instructions.
  • Misc
    • Improved test coverage.
  • Build
    • Use TypeScript v4.8.2 now, was v4.7.4.

1.0.0-beta.4 - 2022-08-25

  • Fixed
    • Run on Windows systems was fixed.
    • Improved error reporting.
    • Debug output was made clearer to understand.

1.0.0-beta.3 - 2022-08-23

  • Change
    • The package no longer pins dependencies via shrinkwrap.

1.0.0-beta.2 - 2022-08-21

  • Fixed
    • Debug output was made clearer to understand and less annoying.
  • Style
    • Improved internal typing for OmittableDependencyTypes.

1.0.0-beta.1 - 2022-08-20

  • First feature complete implementation.