npm-sbom
Generate a Software Bill of Materials for the project
TLDR
Generate SBOM in default format
$ npm sbom
Generate in SPDX format
$ npm sbom --sbom-format spdx
Generate in CycloneDX format
$ npm sbom --sbom-format cyclonedx
Output to file
$ npm sbom --sbom-format cyclonedx > [sbom.json]
Omit dev dependencies
$ npm sbom --omit dev
Use only package-lock.json (ignore node_modules)
$ npm sbom --package-lock-only
SYNOPSIS
npm sbom [options]
DESCRIPTION
npm sbom generates a Software Bill of Materials (SBOM) listing all dependencies of the current project. It supports the SPDX and CycloneDX formats, which are industry standards for documenting software supply chain components. The output includes package names, versions, licenses, and dependency relationships.
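As an added example that is not part of npm or of this page, a small Node.js script that audits a CycloneDX document of the shape `npm sbom --sbom-format cyclonedx` produces: it flags components with no declared license or with a license outside an allow-list, and walks the `dependencies` graph to find how deep each transitive dependency sits. The embedded document is a constructed sample; field names follow the CycloneDX spec, while the package names and versions are made up.

```javascript
// Constructed sample in the CycloneDX JSON shape that `npm sbom --sbom-format cyclonedx` emits.
const sampleBom = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  metadata: { component: { "bom-ref": "my-app@1.0.0", type: "application", name: "my-app", version: "1.0.0" } },
  components: [
    { "bom-ref": "left-pad@1.3.0", type: "library", name: "left-pad", version: "1.3.0",
      purl: "pkg:npm/left-pad@1.3.0", licenses: [{ license: { id: "WTFPL" } }] },
    { "bom-ref": "some-lib@2.0.0", type: "library", name: "some-lib", version: "2.0.0",
      purl: "pkg:npm/some-lib@2.0.0" }, // no license declared in its package.json
    { "bom-ref": "dep-of-lib@0.1.0", type: "library", name: "dep-of-lib", version: "0.1.0",
      purl: "pkg:npm/dep-of-lib@0.1.0", licenses: [{ license: { id: "MIT" } }] },
  ],
  dependencies: [
    { ref: "my-app@1.0.0", dependsOn: ["left-pad@1.3.0", "some-lib@2.0.0"] },
    { ref: "some-lib@2.0.0", dependsOn: ["dep-of-lib@0.1.0"] },
  ],
};

// SPDX ids (or free-text names / expressions) declared for one component.
function licenseIds(component) {
  return (component.licenses || [])
    .map((l) => (l.license ? l.license.id || l.license.name : l.expression))
    .filter(Boolean);
}

// Components that declare no license at all: review these before release.
function unlicensedComponents(bom) {
  return bom.components.filter((c) => licenseIds(c).length === 0).map((c) => c["bom-ref"]);
}

// Components declaring a license outside the allow-list.
function disallowedComponents(bom, allowed) {
  const ok = new Set(allowed);
  return bom.components.filter((c) => licenseIds(c).some((id) => !ok.has(id))).map((c) => c["bom-ref"]);
}

// Breadth-first walk of the `dependencies` graph from the root component:
// each reachable bom-ref gets its depth (transitive deps sit at depth >= 2).
function dependencyDepths(bom) {
  const edges = new Map(bom.dependencies.map((d) => [d.ref, d.dependsOn || []]));
  const root = bom.metadata.component["bom-ref"];
  const depth = new Map([[root, 0]]);
  for (const queue = [root]; queue.length; ) {
    const ref = queue.shift();
    for (const child of edges.get(ref) || []) {
      if (!depth.has(child)) { depth.set(child, depth.get(ref) + 1); queue.push(child); }
    }
  }
  return depth;
}
```

To run it against a real document, replace `sampleBom` with `JSON.parse(fs.readFileSync("sbom.json", "utf8"))`.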
PARAMETERS
--sbom-format FORMAT
Output format: spdx or cyclonedx.
--omit TYPE
Omit a dependency type (dev, optional, peer).
--package-lock-only
Use package-lock.json only, ignoring node_modules.
--workspace name
Run in the context of a specific workspace.
--workspaces
Run for all configured workspaces.
CAVEATS
Requires npm 9.5.0 or later. A package-lock.json or node_modules must exist. The --sbom-format option is required for usable output.
