---
title: npm-sbom
section: 1
description: Generate a Software Bill of Materials (SBOM)
---

### Synopsis

```bash
npm sbom
```

### Description

The `npm sbom` command generates a Software Bill of Materials (SBOM) listing the
dependencies for the current project. SBOMs can be generated in either
[SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) format.

### Example CycloneDX SBOM

```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-01T00:00:00.001Z",
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "tools": [
      {
        "vendor": "npm",
        "name": "cli",
        "version": "10.1.0"
      }
    ],
    "component": {
      "bom-ref": "simple@1.0.0",
      "type": "library",
      "name": "simple",
      "version": "1.0.0",
      "scope": "required",
      "author": "John Doe",
      "description": "simple react app",
      "purl": "pkg:npm/simple@1.0.0",
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": ""
        }
      ],
      "externalReferences": [],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "lodash@4.17.21",
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "scope": "required",
      "author": "John-David Dalton",
      "description": "Lodash modular utilities.",
      "purl": "pkg:npm/lodash@4.17.21",
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/lodash"
        }
      ],
      "externalReferences": [
        {
          "type": "distribution",
          "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
        },
        {
          "type": "vcs",
          "url": "git+https://github.com/lodash/lodash.git"
        },
        {
          "type": "website",
          "url": "https://lodash.com/"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/lodash/lodash/issues"
        }
      ],
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "simple@1.0.0",
      "dependsOn": [
        "lodash@4.17.21"
      ]
    },
    {
      "ref": "lodash@4.17.21",
      "dependsOn": []
    }
  ]
}
```

### Example SPDX SBOM

```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "simple@1.0.0",
  "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
  "creationInfo": {
    "created": "2023-09-01T00:00:00.001Z",
    "creators": [
      "Tool: npm/cli-10.1.0"
    ]
  },
  "documentDescribes": [
    "SPDXRef-Package-simple-1.0.0"
  ],
  "packages": [
    {
      "name": "simple",
      "SPDXID": "SPDXRef-Package-simple-1.0.0",
      "versionInfo": "1.0.0",
      "packageFileName": "",
      "description": "simple react app",
      "primaryPackagePurpose": "LIBRARY",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "homepage": "NOASSERTION",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/simple@1.0.0"
        }
      ]
    },
    {
      "name": "lodash",
      "SPDXID": "SPDXRef-Package-lodash-4.17.21",
      "versionInfo": "4.17.21",
      "packageFileName": "node_modules/lodash",
      "description": "Lodash modular utilities.",
      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "filesAnalyzed": false,
      "homepage": "https://lodash.com/",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/lodash@4.17.21"
        }
      ],
      "checksums": [
        {
          "algorithm": "SHA512",
          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-Package-simple-1.0.0",
      "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
      "relationshipType": "DEPENDS_ON"
    }
  ]
}
```
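
An SBOM is only useful if something consumes it. The following added example (not part of npm's documentation or code) lints a CycloneDX document of the shape shown above using the fields from the example (`metadata.component`, `components[].hashes`, `externalReferences[].type === "distribution"`, `dependencies[].dependsOn`): it reports dependency refs that point nowhere, components with no SHA-512 hash, tarballs that do not come from the expected registry, and components no dependency edge reaches from the root. The `SAMPLE` document, the `demo-util` package and its URLs are constructed for the example.

```javascript
// Added example, not npm's own code: lint a CycloneDX 1.5 SBOM as emitted by
// `npm sbom --sbom-format=cyclonedx`. Returns findings a reviewer would want to
// see before trusting the document. SAMPLE below is constructed test data.
const REGISTRY = "https://registry.npmjs.org/";
// Constructed SBOM: root "simple" depends on lodash; "demo-util" (fictional) is
// listed but unreachable, has no hash, a git source, and a dangling edge.
const SAMPLE = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  metadata: { component: { "bom-ref": "simple@1.0.0", name: "simple", version: "1.0.0",
    purl: "pkg:npm/simple@1.0.0", externalReferences: [] } },
  components: [
    { "bom-ref": "lodash@4.17.21", name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21",
      externalReferences: [{ type: "distribution", url: REGISTRY + "lodash/-/lodash-4.17.21.tgz" }],
      hashes: [{ alg: "SHA-512", content: "CONSTRUCTED-SHA512-HEX" }] },
    { "bom-ref": "demo-util@0.1.0", name: "demo-util", version: "0.1.0", purl: "pkg:npm/demo-util@0.1.0",
      externalReferences: [{ type: "distribution", url: "git+https://example.invalid/demo-util.git" }],
      hashes: [] },
  ],
  dependencies: [
    { ref: "simple@1.0.0", dependsOn: ["lodash@4.17.21"] },
    { ref: "lodash@4.17.21", dependsOn: [] },
    { ref: "demo-util@0.1.0", dependsOn: ["is-missing@0.0.1"] },
  ],
};
// An empty result means refs are consistent and every dependency is a hashed registry tarball.
function lintCycloneDx(doc, registry = REGISTRY) {
  const root = doc.metadata.component["bom-ref"]; // the project itself: no hash or tarball expected
  const refs = new Set([root, ...doc.components.map((c) => c["bom-ref"])]);
  const findings = [];
  for (const d of doc.dependencies) {
    if (!refs.has(d.ref)) findings.push(`unknown ref ${d.ref}`);
    for (const t of d.dependsOn) if (!refs.has(t)) findings.push(`dangling edge ${d.ref} -> ${t}`);
  }
  for (const c of doc.components) {
    const hash = (c.hashes || []).find((h) => h.alg === "SHA-512");
    const dist = (c.externalReferences || []).find((r) => r.type === "distribution");
    if (!hash) findings.push(`no SHA-512 for ${c.purl}`);
    if (!dist || !dist.url.startsWith(registry))
      findings.push(`unexpected source for ${c.purl}: ${dist ? dist.url : "none"}`);
  }
  // Breadth-first walk from the root; whatever is never reached is listed but unused.
  const edges = new Map(doc.dependencies.map((d) => [d.ref, d.dependsOn]));
  const seen = new Set([root]), queue = [root];
  while (queue.length)
    for (const t of edges.get(queue.shift()) || []) if (!seen.has(t)) { seen.add(t); queue.push(t); }
  for (const r of refs) if (!seen.has(r)) findings.push(`unreachable component ${r}`);
  return findings;
}
// Stand-alone use: `node lint-sbom.js bom.json`; with no argument it lints SAMPLE.
const input = process.argv[2] ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8")) : SAMPLE;
console.log(lintCycloneDx(input));
```

The SPDX output carries the same information under different names (`packages[].checksums[].algorithm === "SHA512"`, `downloadLocation`, and `DEPENDS_ON` relationships), so the same checks can be written against that format.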

### Package lock only mode

If package-lock-only is enabled, only the information in the package
lock (or shrinkwrap) is loaded. This means that information from the
package.json files of your dependencies will not be included in the
result set (e.g. description, homepage, engines).

### Configuration

#### `omit`

* Default: 'dev' if the `NODE_ENV` environment variable is set to
  'production', otherwise empty.
* Type: "dev", "optional", or "peer" (can be set multiple times)

Dependency types to omit from the installation tree on disk.

Note that these dependencies _are_ still resolved and added to the
`package-lock.json` or `npm-shrinkwrap.json` file. They are just not
physically installed on disk.

If a package type appears in both the `--include` and `--omit` lists, then
it will be included.

If the resulting omit list includes `'dev'`, then the `NODE_ENV` environment
variable will be set to `'production'` for all lifecycle scripts.

#### `package-lock-only`

* Default: false
* Type: Boolean

If set to true, the current operation will only use the `package-lock.json`,
ignoring `node_modules`.

For `update` this means only the `package-lock.json` will be updated,
instead of checking `node_modules` and downloading dependencies.

For `list` this means the output will be based on the tree described by the
`package-lock.json`, rather than the contents of `node_modules`.

#### `sbom-format`

* Default: null
* Type: "cyclonedx" or "spdx"

SBOM format to use when generating SBOMs.

#### `sbom-type`

* Default: "library"
* Type: "library", "application", or "framework"

The type of package described by the generated SBOM. For SPDX, this is the
value for the `primaryPackagePurpose` field. For CycloneDX, this is the
value for the `type` field.

#### `workspace`

* Default:
* Type: String (can be set multiple times)

Enable running a command in the context of the configured workspaces of the
current project while filtering by running only the workspaces defined by
this configuration option.

Valid values for the `workspace` config are either:

* Workspace names
* Path to a workspace directory
* Path to a parent workspace directory (will result in selecting all
  workspaces within that folder)

When set for the `npm init` command, this may be set to the folder of a
workspace which does not yet exist, to create the folder and set it up as a
brand new workspace within the project.

This value is not exported to the environment for child processes.

#### `workspaces`

* Default: null
* Type: null or Boolean

Set to true to run the command in the context of **all** configured
workspaces.

Explicitly setting this to false will cause commands like `install` to
ignore workspaces altogether. When not set explicitly:

- Commands that operate on the `node_modules` tree (install, update, etc.)
  will link workspaces into the `node_modules` folder.
- Commands that do other things (test, exec, publish, etc.) will operate on
  the root project, _unless_ one or more workspaces are specified in the
  `workspace` config.

This value is not exported to the environment for child processes.

### See Also

* [package spec](/using-npm/package-spec)
* [dependency selectors](/using-npm/dependency-selectors)
* [package.json](/configuring-npm/package-json)
* [workspaces](/using-npm/workspaces)
