File Explorer

/var/lang/lib/node_modules/npm/man/man1
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
0 dirs
70 files
npm-sbom.18.8 KB · 315 lines
1.TH "NPM-SBOM" "1" "February 2026" "NPM@11.11.0" ""2.SH "NAME"3\fBnpm-sbom\fR - Generate a Software Bill of Materials (SBOM)4.SS "Synopsis"5.P6.RS 27.nf8npm sbom9.fi10.RE11.SS "Description"12.P13The \fBnpm sbom\fR command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either \fBSPDX\fR \fI\(lahttps://spdx.dev/\(ra\fR or \fBCycloneDX\fR \fI\(lahttps://cyclonedx.org/\(ra\fR format.14.SS "Example CycloneDX SBOM"15.P16.RS 217.nf18{19  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",20  "bomFormat": "CycloneDX",21  "specVersion": "1.5",22  "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",23  "version": 1,24  "metadata": {25    "timestamp": "2023-09-01T00:00:00.001Z",26    "lifecycles": \[lB]27      {28        "phase": "build"29      }30    \[rB],31    "tools": \[lB]32      {33        "vendor": "npm",34        "name": "cli",35        "version": "10.1.0"36      }37    \[rB],38    "component": {39      "bom-ref": "simple@1.0.0",40      "type": "library",41      "name": "simple",42      "version": "1.0.0",43      "scope": "required",44      "author": "John Doe",45      "description": "simple react app",46      "purl": "pkg:npm/simple@1.0.0",47      "properties": \[lB]48        {49          "name": "cdx:npm:package:path",50          "value": ""51        }52      \[rB],53      "externalReferences": \[lB]\[rB],54      "licenses": \[lB]55        {56          "license": {57            "id": "MIT"58          }59        }60      \[rB]61    }62  },63  "components": \[lB]64    {65      "bom-ref": "lodash@4.17.21",66      "type": "library",67      "name": "lodash",68      "version": "4.17.21",69      "scope": "required",70      "author": "John-David Dalton",71      "description": "Lodash modular utilities.",72      "purl": "pkg:npm/lodash@4.17.21",73      "properties": \[lB]74        {75          "name": "cdx:npm:package:path",76          "value": "node_modules/lodash"77        }78      \[rB],79      "externalReferences": \[lB]80        {81          "type": "distribution",82          "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"83        },84        {85          "type": "vcs",86          "url": "git+https://github.com/lodash/lodash.git"87        },88        {89          "type": "website",90          "url": "https://lodash.com/"91        },92        {93          "type": "issue-tracker",94          "url": "https://github.com/lodash/lodash/issues"95        }96      \[rB],97      "hashes": \[lB]98        {99          "alg": "SHA-512",100          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"101        }102      \[rB],103      "licenses": \[lB]104        {105          "license": {106            "id": "MIT"107          }108        }109      \[rB]110    }111  \[rB],112  "dependencies": \[lB]113    {114      "ref": "simple@1.0.0",115      "dependsOn": \[lB]116        "lodash@4.17.21"117      \[rB]118    },119    {120      "ref": "lodash@4.17.21",121      "dependsOn": \[lB]\[rB]122    }123  \[rB]124}125.fi126.RE127.SS "Example SPDX SBOM"128.P129.RS 2130.nf131{132  "spdxVersion": "SPDX-2.3",133  "dataLicense": "CC0-1.0",134  "SPDXID": "SPDXRef-DOCUMENT",135  "name": "simple@1.0.0",136  "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",137  "creationInfo": {138    "created": "2023-09-01T00:00:00.001Z",139    "creators": \[lB]140      "Tool: npm/cli-10.1.0"141    \[rB]142  },143  "documentDescribes": \[lB]144    "SPDXRef-Package-simple-1.0.0"145  \[rB],146  "packages": \[lB]147    {148      "name": "simple",149      "SPDXID": "SPDXRef-Package-simple-1.0.0",150      "versionInfo": "1.0.0",151      "packageFileName": "",152      "description": "simple react app",153      "primaryPackagePurpose": "LIBRARY",154      "downloadLocation": "NOASSERTION",155      "filesAnalyzed": false,156      "homepage": "NOASSERTION",157      "licenseDeclared": "MIT",158      "externalRefs": \[lB]159        {160          "referenceCategory": "PACKAGE-MANAGER",161          "referenceType": "purl",162          "referenceLocator": "pkg:npm/simple@1.0.0"163        }164      \[rB]165    },166    {167      "name": "lodash",168      "SPDXID": "SPDXRef-Package-lodash-4.17.21",169      "versionInfo": "4.17.21",170      "packageFileName": "node_modules/lodash",171      "description": "Lodash modular utilities.",172      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",173      "filesAnalyzed": false,174      "homepage": "https://lodash.com/",175      "licenseDeclared": "MIT",176      "externalRefs": \[lB]177        {178          "referenceCategory": "PACKAGE-MANAGER",179          "referenceType": "purl",180          "referenceLocator": "pkg:npm/lodash@4.17.21"181        }182      \[rB],183      "checksums": \[lB]184        {185          "algorithm": "SHA512",186          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"187        }188      \[rB]189    }190  \[rB],191  "relationships": \[lB]192    {193      "spdxElementId": "SPDXRef-DOCUMENT",194      "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",195      "relationshipType": "DESCRIBES"196    },197    {198      "spdxElementId": "SPDXRef-Package-simple-1.0.0",199      "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",200      "relationshipType": "DEPENDS_ON"201    }202  \[rB]203}204.fi205.RE206.SS "Package lock only mode"207.P208If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded. This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).209.SS "Configuration"210.SS "\fBomit\fR"211.RS 0212.IP \(bu 4213Default: 'dev' if the \fBNODE_ENV\fR environment variable is set to 'production'; otherwise, empty.214.IP \(bu 4215Type: "dev", "optional", or "peer" (can be set multiple times)216.RE 0217 218.P219Dependency types to omit from the installation tree on disk.220.P221Note that these dependencies \fIare\fR still resolved and added to the \fBpackage-lock.json\fR or \fBnpm-shrinkwrap.json\fR file. They are just not physically installed on disk.222.P223If a package type appears in both the \fB--include\fR and \fB--omit\fR lists, then it will be included.224.P225If the resulting omit list includes \fB'dev'\fR, then the \fBNODE_ENV\fR environment variable will be set to \fB'production'\fR for all lifecycle scripts.226.SS "\fBpackage-lock-only\fR"227.RS 0228.IP \(bu 4229Default: false230.IP \(bu 4231Type: Boolean232.RE 0233 234.P235If set to true, the current operation will only use the \fBpackage-lock.json\fR, ignoring \fBnode_modules\fR.236.P237For \fBupdate\fR this means only the \fBpackage-lock.json\fR will be updated, instead of checking \fBnode_modules\fR and downloading dependencies.238.P239For \fBlist\fR this means the output will be based on the tree described by the \fBpackage-lock.json\fR, rather than the contents of \fBnode_modules\fR.240.SS "\fBsbom-format\fR"241.RS 0242.IP \(bu 4243Default: null244.IP \(bu 4245Type: "cyclonedx" or "spdx"246.RE 0247 248.P249SBOM format to use when generating SBOMs.250.SS "\fBsbom-type\fR"251.RS 0252.IP \(bu 4253Default: "library"254.IP \(bu 4255Type: "library", "application", or "framework"256.RE 0257 258.P259The type of package described by the generated SBOM. For SPDX, this is the value for the \fBprimaryPackagePurpose\fR field. For CycloneDX, this is the value for the \fBtype\fR field.260.SS "\fBworkspace\fR"261.RS 0262.IP \(bu 4263Default:264.IP \(bu 4265Type: String (can be set multiple times)266.RE 0267 268.P269Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option.270.P271Valid values for the \fBworkspace\fR config are either:272.RS 0273.IP \(bu 4274Workspace names275.IP \(bu 4276Path to a workspace directory277.IP \(bu 4278Path to a parent workspace directory (will result in selecting all workspaces within that folder)279.RE 0280 281.P282When set for the \fBnpm init\fR command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project.283.P284This value is not exported to the environment for child processes.285.SS "\fBworkspaces\fR"286.RS 0287.IP \(bu 4288Default: null289.IP \(bu 4290Type: null or Boolean291.RE 0292 293.P294Set to true to run the command in the context of \fBall\fR configured workspaces.295.P296Explicitly setting this to false will cause commands like \fBinstall\fR to ignore workspaces altogether. When not set explicitly:297.RS 0298.IP \(bu 4299Commands that operate on the \fBnode_modules\fR tree (install, update, etc.) will link workspaces into the \fBnode_modules\fR folder. - Commands that do other things (test, exec, publish, etc.) will operate on the root project, \fIunless\fR one or more workspaces are specified in the \fBworkspace\fR config.300.RE 0301 302.P303This value is not exported to the environment for child processes.304.SH "SEE ALSO"305.RS 0306.IP \(bu 4307npm help "package spec"308.IP \(bu 4309npm help "dependency selectors"310.IP \(bu 4311\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR312.IP \(bu 4313npm help workspaces314.RE 0315