Scroll to navigation

NPM-SBOM(1) General Commands Manual NPM-SBOM(1)

NAME

npm-sbom

Synopsis

<!-- AUTOGENERATED USAGE DESCRIPTIONS -->

Description

The npm sbom command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project.
SBOMs can be generated in either SPDX or CycloneDX format.

Example CycloneDX SBOM

{


  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",


  "bomFormat": "CycloneDX",


  "specVersion": "1.5",


  "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",


  "version": 1,


  "metadata": {


    "timestamp": "2023-09-01T00:00:00.001Z",


    "lifecycles": [


      {


        "phase": "build"


      }


    ],


    "tools": [


      {


        "vendor": "npm",


        "name": "cli",


        "version": "10.1.0"


      }


    ],


    "component": {


      "bom-ref": "simple@1.0.0",


      "type": "library",


      "name": "simple",


      "version": "1.0.0",


      "scope": "required",


      "author": "John Doe",


      "description": "simple react app",


      "purl": "pkg:npm/simple@1.0.0",


      "properties": [


        {


          "name": "cdx:npm:package:path",


          "value": ""


        }


      ],


      "externalReferences": [],


      "licenses": [


        {


          "license": {


            "id": "MIT"


          }


        }


      ]


    }


  },


  "components": [


    {


      "bom-ref": "lodash@4.17.21",


      "type": "library",


      "name": "lodash",


      "version": "4.17.21",


      "scope": "required",


      "author": "John-David Dalton",


      "description": "Lodash modular utilities.",


      "purl": "pkg:npm/lodash@4.17.21",


      "properties": [


        {


          "name": "cdx:npm:package:path",


          "value": "node_modules/lodash"


        }


      ],


      "externalReferences": [


        {


          "type": "distribution",


          "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"


        },


        {


          "type": "vcs",


          "url": "git+https://github.com/lodash/lodash.git"


        },


        {


          "type": "website",


          "url": "https://lodash.com/"


        },


        {


          "type": "issue-tracker",


          "url": "https://github.com/lodash/lodash/issues"


        }


      ],


      "hashes": [


        {


          "alg": "SHA-512",


          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"


        }


      ],


      "licenses": [


        {


          "license": {


            "id": "MIT"


          }


        }


      ]


    }


  ],


  "dependencies": [


    {


      "ref": "simple@1.0.0",


      "dependsOn": [


        "lodash@4.17.21"


      ]


    },


    {


      "ref": "lodash@4.17.21",


      "dependsOn": []


    }


  ]
}

Example SPDX SBOM

{


  "spdxVersion": "SPDX-2.3",


  "dataLicense": "CC0-1.0",


  "SPDXID": "SPDXRef-DOCUMENT",


  "name": "simple@1.0.0",


  "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",


  "creationInfo": {


    "created": "2023-09-01T00:00:00.001Z",


    "creators": [


      "Tool: npm/cli-10.1.0"


    ]


  },


  "documentDescribes": [


    "SPDXRef-Package-simple-1.0.0"


  ],


  "packages": [


    {


      "name": "simple",


      "SPDXID": "SPDXRef-Package-simple-1.0.0",


      "versionInfo": "1.0.0",


      "packageFileName": "",


      "description": "simple react app",


      "primaryPackagePurpose": "LIBRARY",


      "downloadLocation": "NOASSERTION",


      "filesAnalyzed": false,


      "homepage": "NOASSERTION",


      "licenseDeclared": "MIT",


      "externalRefs": [


        {


          "referenceCategory": "PACKAGE-MANAGER",


          "referenceType": "purl",


          "referenceLocator": "pkg:npm/simple@1.0.0"


        }


      ]


    },


    {


      "name": "lodash",


      "SPDXID": "SPDXRef-Package-lodash-4.17.21",


      "versionInfo": "4.17.21",


      "packageFileName": "node_modules/lodash",


      "description": "Lodash modular utilities.",


      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",


      "filesAnalyzed": false,


      "homepage": "https://lodash.com/",


      "licenseDeclared": "MIT",


      "externalRefs": [


        {


          "referenceCategory": "PACKAGE-MANAGER",


          "referenceType": "purl",


          "referenceLocator": "pkg:npm/lodash@4.17.21"


        }


      ],


      "checksums": [


        {


          "algorithm": "SHA512",


          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"


        }


      ]


    }


  ],


  "relationships": [


    {


      "spdxElementId": "SPDXRef-DOCUMENT",


      "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",


      "relationshipType": "DESCRIBES"


    },


    {


      "spdxElementId": "SPDXRef-Package-simple-1.0.0",


      "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",


      "relationshipType": "DEPENDS_ON"


    }


  ]
}

Package lock only mode

If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded.
This means that information from the package.json files of your dependencies will not be included in the result set (e.g.
description, homepage, engines).

Configuration

<!-- AUTOGENERATED CONFIG DESCRIPTIONS -->

See Also

  • package spec
  • dependency selectors
  • package.json
  • workspaces

May 2026 11.13.0