选择命令行版本:
🌐 Synopsis
npm sbom
🌐 Description
npm sbom 命令生成一个软件物料清单(SBOM),列出当前项目的依赖。SBOM 可以以 SPDX 或 CycloneDX 格式生成。
🌐 The npm sbom command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either SPDX or CycloneDX format.
🌐 Example CycloneDX SBOM
{"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json","bomFormat": "CycloneDX","specVersion": "1.5","serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730","version": 1,"metadata": {"timestamp": "2023-09-01T00:00:00.001Z","lifecycles": [{"phase": "build"}],"tools": [{"vendor": "npm","name": "cli","version": "10.1.0"}],"component": {"bom-ref": "simple@1.0.0","type": "library","name": "simple","version": "1.0.0","scope": "required","author": "John Doe","description": "simple react app","purl": "pkg:npm/simple@1.0.0","properties": [{"name": "cdx:npm:package:path","value": ""}],"externalReferences": [],"licenses": [{"license": {"id": "MIT"}}]}},"components": [{"bom-ref": "lodash@4.17.21","type": "library","name": "lodash","version": "4.17.21","scope": "required","author": "John-David Dalton","description": "Lodash modular utilities.","purl": "pkg:npm/lodash@4.17.21","properties": [{"name": "cdx:npm:package:path","value": "node_modules/lodash"}],"externalReferences": [{"type": "distribution","url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},{"type": "vcs","url": "git+https://github.com/lodash/lodash.git"},{"type": "website","url": "https://lodash.nodejs.cn/"},{"type": "issue-tracker","url": "https://github.com/lodash/lodash/issues"}],"hashes": [{"alg": "SHA-512","content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"}],"licenses": [{"license": {"id": "MIT"}}]}],"dependencies": [{"ref": "simple@1.0.0","dependsOn": ["lodash@4.17.21"]},{"ref": "lodash@4.17.21","dependsOn": []}]}
🌐 Example SPDX SBOM
{"spdxVersion": "SPDX-2.3","dataLicense": "CC0-1.0","SPDXID": "SPDXRef-DOCUMENT","name": "simple@1.0.0","documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a","creationInfo": {"created": "2023-09-01T00:00:00.001Z","creators": ["Tool: npm/cli-10.1.0"]},"documentDescribes": ["SPDXRef-Package-simple-1.0.0"],"packages": [{"name": "simple","SPDXID": "SPDXRef-Package-simple-1.0.0","versionInfo": "1.0.0","packageFileName": "","description": "simple react app","primaryPackagePurpose": "LIBRARY","downloadLocation": "NOASSERTION","filesAnalyzed": false,"homepage": "NOASSERTION","licenseDeclared": "MIT","externalRefs": [{"referenceCategory": "PACKAGE-MANAGER","referenceType": "purl","referenceLocator": "pkg:npm/simple@1.0.0"}]},{"name": "lodash","SPDXID": "SPDXRef-Package-lodash-4.17.21","versionInfo": "4.17.21","packageFileName": "node_modules/lodash","description": "Lodash modular utilities.","downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz","filesAnalyzed": false,"homepage": "https://lodash.nodejs.cn/","licenseDeclared": "MIT","externalRefs": [{"referenceCategory": "PACKAGE-MANAGER","referenceType": "purl","referenceLocator": "pkg:npm/lodash@4.17.21"}],"checksums": [{"algorithm": "SHA512","checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"}]}],"relationships": [{"spdxElementId": "SPDXRef-DOCUMENT","relatedSpdxElement": "SPDXRef-Package-simple-1.0.0","relationshipType": "DESCRIBES"},{"spdxElementId": "SPDXRef-Package-simple-1.0.0","relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21","relationshipType": "DEPENDS_ON"}]}
🌐 Package lock only mode
如果启用 package-lock-only,则只会加载 package 锁定文件(或 shrinkwrap)中的信息。这意味着依赖的 package.json 文件中的信息将不会包含在结果集中(例如描述、主页、引擎等)。
🌐 If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded. This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).
🌐 Configuration
omitNODE_ENV 环境变量设置为 'production',则为 'dev',否则为空。要从磁盘上的安装树中省略的依赖类型。
🌐 Dependency types to omit from the installation tree on disk.
请注意,这些依赖仍然会被解析并添加到 package-lock.json 或 npm-shrinkwrap.json 文件中。它们只是没有实际安装到磁盘上。
🌐 Note that these dependencies are still resolved and added to the package-lock.json or npm-shrinkwrap.json file. They are just not physically installed on disk.
如果某种封装类型同时出现在 --include 和 --omit 列表中,那么它将被包括在内。
🌐 If a package type appears in both the --include and --omit lists, then it will be included.
如果生成的省略列表包含 'dev',那么所有生命周期脚本的 NODE_ENV 环境变量将被设置为 'production'。
🌐 If the resulting omit list includes 'dev', then the NODE_ENV environment variable will be set to 'production' for all lifecycle scripts.
package-lock-only如果设置为 true,当前操作将只使用 package-lock.json,忽略 node_modules。
🌐 If set to true, the current operation will only use the package-lock.json, ignoring node_modules.
对于 update,这意味着只会更新 package-lock.json,而不会检查 node_modules 或下载依赖。
🌐 For update this means only the package-lock.json will be updated, instead of checking node_modules and downloading dependencies.
对于 list,这意味着输出将基于 package-lock.json 描述的树,而不是 node_modules 的内容。
🌐 For list this means the output will be based on the tree described by the package-lock.json, rather than the contents of node_modules.
sbom-format生成 SBOM 时使用的 SBOM 格式。
🌐 SBOM format to use when generating SBOMs.
sbom-type由生成的 SBOM 描述的软件包类型。对于 SPDX,这是 primaryPackagePurpose 字段的值。对于 CycloneDX,这是 type 字段的值。
🌐 The type of package described by the generated SBOM. For SPDX, this is the value for the primaryPackagePurpose field. For CycloneDX, this is the value for the type field.
workspace启用在当前项目的已配置工作区的上下文中运行命令,同时通过仅运行此配置选项定义的工作区进行过滤。
🌐 Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option.
workspace 配置的有效值为以下之一:
🌐 Valid values for the workspace config are either:
对于 npm init 命令设置时,可以将其设置为一个尚不存在的工作区文件夹,以创建该文件夹并将其作为项目内全新的工作区进行设置。
🌐 When set for the npm init command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project.
此值不会导出到子进程的环境中。
🌐 This value is not exported to the environment for child processes.
workspaces设置为 true 以在 所有 配置的工作区上下文中运行命令。
🌐 Set to true to run the command in the context of all configured workspaces.
将此显式设置为 false 会导致像 install 这样的命令完全忽略工作区。如果不显式设置:
🌐 Explicitly setting this to false will cause commands like install to ignore workspaces altogether. When not set explicitly:
node_modules 树操作的命令(安装、更新等)会将工作区链接到 node_modules 文件夹。- 执行其他操作的命令(测试、执行、发布等)会在根项目上运行,除非 在 workspace 配置中指定了一个或多个工作区。此值不会导出到子进程的环境中。
🌐 This value is not exported to the environment for child processes.
🌐 See Also