The command-line tool for NodeSource Certified Modules 2.0, designed to make code quality, security, and compliance a breeze. Generate a custom project report, fetch compliance and security information, manage organizational whitelists, and inspect specific packages in greater detail, all from the command line.
Additional NodeSource Certified Modules v2 information is available on the NodeSource documentation site.
$ npm install -g ncm-cli
$ ncm <command> [options]
$ ncm help <command>
ncm-cli supports three forms of authentication (required).
Sign-in interactively using your NodeSource account email and password.
$ ncm signin
- Using a Google account: ncm signin -G, --google
- Using a GitHub account: ncm signin -g, --github
$ NCM_TOKEN=<token> ncm <command> [options]
Learn more about obtaining NodeSource service tokens and configuring permissions here.
Generates a project-wide report of directory risk and quality of installed or specified packages. The top five riskiest modules detected will be displayed alongside a concise project report.
The directory to generate a report from may be specified via ncm report <dir>.
Defaults to using the current working directory.
$ ncm report
┌────────────┐
│ foo Report │
└────────────┘
23 packages checked
! 2 critical risk
  4 high risk
  4 medium risk
  10 low risk
! 6 security vulnerabilities found across 5 modules
  |➔ Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
  |➔ Run `ncm report --filter=compliance` for a list
! 1 used modules whitelisted
  |➔ Run `ncm whitelist --list` for a list
─────────────────────────────────────────────────────────────────────
Top 5: Highest Risk Modules
---------------------------------------------------------------------
  Module Name                  Risk        License          Security
┌────────────────────────────┬───────────┬────────────────┬──────────┐
│ mime @ 1.3.4               │ |||| Crit │ ✓ MIT          │ X 1L     │
│ superagent @ 1.8.5         │ |||| Crit │ ✓ MIT          │ X 1M 1L  │
│ form-data @ 1.0.0-rc3      │ |||| High │ ✓ MIT          │ ✓ 0      │
│ formidable @ 1.0.16        │ |||| High │ X UNKNOWN      │ ✓ 0      │
│ mime @ 1.2.11              │ |||| High │ X UNKNOWN      │ X 1L     │
└────────────────────────────┴───────────┴────────────────┴──────────┘
A report with a list of all modules can be generated by passing --long, -l.
$ ncm report --long
┌────────────┐
│ foo Report │
└────────────┘
23 packages checked
! 2 critical risk
  4 high risk
  4 medium risk
  10 low risk
! 6 security vulnerabilities found across 5 modules
  |➔ Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
  |➔ Run `ncm report --filter=compliance` for a list
─────────────────────────────────────────────────────────────────────
Whitelisted Modules
---------------------------------------------------------------------
  Module Name                  Risk        License          Security
┌────────────────────────────┬───────────┬────────────────┬──────────┐
│ qs @ 6.3.1                 │ |||| Crit │ ✓ BSD-3-Clause │ X 1H     │
└────────────────────────────┴───────────┴────────────────┴──────────┘
─────────────────────────────────────────────────────────────────────
Non-whitelisted Modules
---------------------------------------------------------------------
  Module Name                  Risk        License          Security
┌────────────────────────────┬───────────┬────────────────┬──────────┐
│ mime @ 1.3.4               │ |||| Crit │ ✓ MIT          │ X 1L     │
│ superagent @ 1.8.5         │ |||| Crit │ ✓ MIT          │ X 1M 1L  │
│ form-data @ 1.0.0-rc3      │ |||| High │ ✓ MIT          │ ✓ 0      │
│ formidable @ 1.0.16        │ |||| High │ X UNKNOWN      │ ✓ 0      │
│ mime @ 1.2.11              │ |||| High │ X UNKNOWN      │ X 1L     │
│ qs @ 2.3.3                 │ |||| High │ ✓ BSD-2-Clause │ X 1H     │
... etc ...
│ mime-types @ 2.1.22        │ |||| None │ ✓ MIT          │ ✓ 0      │
└────────────────────────────┴───────────┴────────────────┴──────────┘
Reports may be filtered based on any of the following flags:
- --compliance, -c - only display non-compliant packages.
- --security, -s - only display packages with vulnerabilities.
- --json, -j - formats the report in JSON (disabled by default).
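A CI gate built on the report text, as an added example that is not part of ncm-cli or this README: it parses the summary counts and module rows in the shape printed above and fails closed when the counts are missing, for instance when no report was printed at all. The function names, the policy object and the choice to exempt rows listed under "Whitelisted Modules" are assumptions; the page does not show the schema of the `--json` output, so the text form is parsed instead.

```javascript
// Added example: CI gate over the text printed by `ncm report --long`.
// parseReport, gate and the policy shape are hypothetical names.
function parseReport(text) {
  const summary = {};
  const modules = [];
  let whitelisted = false;
  for (const line of text.split('\n')) {
    let m;
    if ((m = line.match(/(\d+) (critical|high|medium|low) risk/))) {
      summary[m[2]] = Number(m[1]);
    } else if ((m = line.match(/(\d+) noncompliant modules found/))) {
      summary.noncompliant = Number(m[1]);
    } else if (/^\W*(Non-whitelisted Modules|Top 5)/.test(line)) {
      whitelisted = false;
    } else if (/^\W*Whitelisted Modules/.test(line)) {
      whitelisted = true; // rows that follow are on the organization whitelist
    } else if ((m = line.match(/^[^\w@]*([@\w.\/-]+) @ (\S+)\W+\|{4}\s+(\w+)/))) {
      modules.push({ name: m[1], version: m[2], risk: m[3], whitelisted });
    }
  }
  return { summary, modules };
}

function gate(report, policy) {
  const violations = [];
  for (const [key, max] of Object.entries(policy.maxCounts)) {
    const seen = report.summary[key];
    // Fail closed: a missing count means no report was produced or parsed.
    if (seen === undefined) violations.push(`no "${key}" count in report`);
    else if (seen > max) violations.push(`${seen} ${key} (max ${max})`);
  }
  for (const mod of report.modules) {
    if (mod.whitelisted || !policy.blockRisk.includes(mod.risk)) continue;
    violations.push(`${mod.name}@${mod.version} is ${mod.risk} risk`);
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample in the shape of the report output shown above.
const SAMPLE = [
  '! 2 critical risk', '4 high risk', '! 2 noncompliant modules found',
  'Whitelisted Modules',
  '│ qs @ 6.3.1 │ |||| Crit │ ✓ BSD-3-Clause │ X 1H │',
  'Non-whitelisted Modules',
  '│ mime @ 1.3.4 │ |||| Crit │ ✓ MIT │ X 1L │',
  '│ formidable @ 1.0.16 │ |||| High │ X UNKNOWN │ ✓ 0 │',
].join('\n');
const POLICY = { maxCounts: { critical: 0, noncompliant: 0 }, blockRisk: ['Crit'] };
const result = gate(parseReport(SAMPLE), POLICY);
console.log(result.ok ? 'PASS' : 'FAIL', result.violations);
```

In a pipeline the input would be the captured output of `NCM_TOKEN=<token> ncm report --long`, and the job would exit non-zero when `ok` is false.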
Returns a detailed report about a specific module version.
Defaults to using the latest version as published to npm if no version is provided.
$ ncm details client-request@2.3.0
┌─────────────────────────────────────────┐
│ client-request @ 2.3.0 (within ncm-cli) │
└─────────────────────────────────────────┘
┌──────┬───────────┐
│ |||| │ None Risk │
└──────┴───────────┘
Security Risk:
✓ 0 security vulnerabilities found
  C 0 critical severity
  H 0 high severity
  M 0 medium severity
  L 0 low severity
┌───┬─────────────────────────────┐
│ ✓ │ No Security Vulnerabilities │
└───┴─────────────────────────────┘
License Risk:
┌───┬─────┐
│ ✓ │ MIT │
└───┴─────┘
Module Risk:
┌───┬────────────────┐
│ ✓ │ No Module Risk │
└───┴────────────────┘
Code Quality (does not affect risk score):
┌───┬─────────────────────────────────────────────────┐
│ ! │ This package version's size on disk is 40.0 kB. │
└───┴─────────────────────────────────────────────────┘
Required By (leftmost is directly in your package):
┌────────────────────────────┐
│ (Directly in your package) │
└────────────────────────────┘
Runs and displays ncm details <module{@version}> with an interactive confirmation prompt.
If confirmed, attempts to run npm install <module{@version}> with any additional options provided.
The config keys installBin and installCmd can adjust this to work with other package installers if necessary.
For more information, see ncm config --help.
Display or modify your NodeSource organization's module whitelist.
Returns a list containing each module in your NodeSource organization's whitelist. Public modules are listed alongside their risk score, license compliance, and security summary.
$ ncm whitelist --list
┌──────────────────────────────┐
│ personal Whitelisted Modules │
└──────────────────────────────┘
2 modules total
─────────────────────────────────────────────────────────────────────
Whitelisted Modules
---------------------------------------------------------------------
  Module Name                  Risk        License          Security
┌────────────────────────────┬───────────┬────────────────┬──────────┐
│ express @ 4.0.0            │ |||| None │ ✓ MIT          │ X 1M     │
│ qs @ 6.3.1                 │ |||| None │ ✓ BSD-3-Clause │ X 1H     │
└────────────────────────────┴───────────┴────────────────┴──────────┘
Add one or more modules to your NodeSource organization's whitelist.
Remove one or more modules from your NodeSource organization's whitelist.
Change your active NodeSource organization, which impacts the whitelist. Defaults to an interactive prompt.
By passing an <orgname>, the interactive part may be skipped.
Input is case sensitive.
Access to various configuration settings.
For more information, use the help command: ncm config --help
Copyright 2019 NodeSource - Contributions via DCO 1.1
Licensed under the Apache License, Version 2.0 - see the LICENSE file for details.