{"id":13457828,"url":"https://github.com/nodesource/nscm","last_synced_at":"2026-01-14T14:21:23.049Z","repository":{"id":57312302,"uuid":"85132971","full_name":"nodesource/nscm","owner":"nodesource","description":"The NodeSource Certified Modules command line utility","archived":true,"fork":false,"pushed_at":"2018-08-24T11:21:49.000Z","size":199,"stargazers_count":19,"open_issues_count":0,"forks_count":11,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-10-23T10:56:37.255Z","etag":null,"topics":["certified-modules","certified-packages","cli","modules","nodejs","nodesource","npm","nscm","packages","security","whitelist"],"latest_commit_sha":null,"homepage":"https://nodesource.com/products/certified-modules","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nodesource.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-15T23:59:17.000Z","updated_at":"2025-04-10T16:39:21.000Z","dependencies_parsed_at":"2022-09-17T06:00:48.576Z","dependency_job_id":null,"html_url":"https://github.com/nodesource/nscm","commit_stats":null,"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/nodesource/nscm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodesource%2Fnscm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodesource%2Fnscm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodesource%2Fnscm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodesource%2Fnscm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/owners/nodesource","download_url":"https://codeload.github.com/nodesource/nscm/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodesource%2Fnscm/sbom","scorecard":{"id":692769,"data":{"date":"2025-08-11","repo":{"name":"github.com/nodesource/nscm","commit":"73eb52a1961f0099f7328be65c1db9a0f5471c0f"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the 
project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 1/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: MIT License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 1 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T02:42:47.983Z","repository_id":57312302,"created_at":"2025-08-22T02:42:47.983Z","updated_at":"2025-08-22T02:42:47.983Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28422719,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certified-modules","certified-packages","cli","modules","nodejs","nodesource","npm","nscm","packages","security","whitelist"],"created_at":"2024-07-31T09:00:37.945Z","updated_at":"2026-01-14T14:21:23.029Z","avatar_url":"https://github.com/nodesource.png","language":"JavaScript","readme":"# nscm - the CLI Utility for [NodeSource Certified Modules](https://nodesource.com/products/certified-modules)\n\n`nscm` is a simple utility for [NodeSource Certified Modules](https://nodesource.com/products/certified-modules) that can be used to easily authenticate with your Certified Modules registry, to whitelist packages that fail certification, and to generate a detailed report about the current project and the modules it depends on.\n\n## Installation\n\nYou can install it from `npm` by 
running:\n\n```\n$ npm install -g nscm\n```\n\n## Usage\n\nThis tool is meant to be used in the root folder of an application where the `package.json` file exists.\n\n```\n  Usage: nscm [command] [options]\n\n  Commands:\n\n    config, c           Configure nscm options\n    help                Display help\n    report, r           Get a report of your packages\n    signin, s, login    Sign in to nscm\n    signout, o, logout  Sign out of nscm\n    verify              Verify if all packages are certified\n    whitelist, w        Whitelist your packages\n\n  Options:\n\n    -C, --certified        Shows only certified packages\n    -c, --concurrency \u003cn\u003e  Concurrency of requests (defaults to 15)\n    -d, --dot              Formats the report in Graphiz dot (disabled by default)\n    -f, --failed           Shows only packages that failed certification (disabled by default)\n    -g, --github           Sign in using GitHub SSO (disabled by default)\n    -G, --google           Sign in using Google SSO (disabled by default)\n    -h, --help             Output usage information\n    -j, --json             Formats the report in JSON (disabled by default)\n    -o, --output           Save report to file (disabled by default)\n    -p, --production       Only check production (disabled by default)\n    -r, --registry         Certified modules registry (defaults to \"\")\n    -s, --svg              Formats the report in SVG (disabled by default)\n    -t, --token            Token for registry authentication (defaults to \"\")\n    -v, --version          Output the version number\n\n  Additional Help\n\n    Add -h to the 'config' or 'whitelist' commands for additional help concerning those commands.\n\n    nscm config -h\n    nscm whitelist -h\n```\n\n## `nscm report` (default)\n\nReturns a report of matching certified packages and their certification scores.\n\n```\n$ nscm report\nplease wait while we process the 
information\n┌────────────────────────────────────┬───────────────┬────────┐\n│ Package                            │ Version       │ Score  │\n├────────────────────────────────────┼───────────────┼────────┤\n│ body-parser                        │ 1.15.2        │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n│ debug                              │ 2.2.0         │ 70     │\n├────────────────────────────────────┼───────────────┼────────┤\n│ ms                                 │ 0.7.1         │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n│ bytes                              │ 2.4.0         │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n│ content-type                       │ 1.0.2         │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n│ depd                               │ 1.1.0         │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n│ http-errors                        │ 1.5.1         │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n│ inherits                           │ 2.0.3         │ 100    │\n├────────────────────────────────────┼───────────────┼────────┤\n```\n\nYou can also pass `--json` to return the report in JSON format,\n`--svg` to return the report in SVG format, or\n`--dot` to return the report in [Graphviz][] DOT format.\nUse `--production` to return only `dependencies` and not `devDependencies` and\n`--output` to save a file (*.json* or *.svg*) for generated report.\n\nIf you want to filter the output you can use\n`--certified` to show only certified packages or\n`--failed` to show only packages that failed certification.\n\n[Graphviz]: http://www.graphviz.org/\n\n```\n$ nscm report --production --json\nplease wait while we process the information\n[\n  {\n    \"name\": \"body-parser\",\n    \"version\": \"1.15.2\",\n    \"from\": \"1.15.2 \u003c1.16.0\",\n    \"score\": 100\n  },\n  
{\n    \"name\": \"debug\",\n    \"version\": \"2.2.0\",\n    \"from\": \"\u003e=2.2.0 \u003c2.3.0\",\n    \"score\": 70\n  },\n  {\n    \"name\": \"ms\",\n    \"version\": \"0.7.1\",\n    \"from\": \"0.7.1\",\n    \"score\": 100\n  },\n  {\n    \"name\": \"bytes\",\n    \"version\": \"2.4.0\",\n    \"from\": \"2.4.0\",\n    \"score\": 100\n  },\n...\n```\n\n## `nscm whitelist`\n\nCheck which packages aren't certified, and start an interactive prompt to add packages to the whitelist.\n\n```\n$ nscm whitelist\nplease wait while we process the information\n\n37 packages aren't certified, do you want to add them to the whitelist?\n? add debug@2.2.0 Yes\n? add setprototypeof@1.0.2 Yes\n? add statuses@1.3.1 No\n? add ee-first@1.1.1 No\n? add unpipe@1.0.0 (ynaH) All\n\n┌────────────────────────────────────┬───────────────┬────────┐\n│ Package                            │ Version       │ Score  │\n├────────────────────────────────────┼───────────────┼────────┤\n│ debug                              │ 2.2.0         │ 70     │\n├────────────────────────────────────┼───────────────┼────────┤\n│ setprototypeof                     │ 1.0.2         │        │\n├────────────────────────────────────┼───────────────┼────────┤\n...\n├────────────────────────────────────┼───────────────┼────────┤\n│ source-list-map                    │ 0.1.8         │        │\n├────────────────────────────────────┼───────────────┼────────┤\n│ webpack-core                       │ 0.6.9         │        │\n└────────────────────────────────────┴───────────────┴────────┘\n35 packages added to the whitelist\n```\n\nYou can also pass `--all` to add all the packages to the whitelist and `--json` to return the packages in a JSON format.\n\n### `nscm whitelist add`\n\nAdd a package and its dependencies to the whitelist.\n\n```\n$ nscm whitelist add debug@2.x\n```\n\nIf you pass only the package name, `nscm` will use `latest`.  You can also pass a semver range or a specific version. 
If a semver range is passed it will be resolved to the highest published version that matches the range.\n\n### `nscm whitelist delete`\n\nDelete a package from the whitelist.\n\n```\n$ nscm whitelist delete debug\n```\n\n### `nscm whitelist list`\n\nLists all whitelisted packages.\n\n```\n$ nscm whitelist list\n┌────────────────────────────────────┬───────────────┬────────┐\n│ Package                            │ Version       │ Score  │\n├────────────────────────────────────┼───────────────┼────────┤\n│ acorn                              │ 4.0.1         │        │\n├────────────────────────────────────┼───────────────┼────────┤\n│ isarray                            │ 2.0.1         │        │\n└────────────────────────────────────┴───────────────┴────────┘\n2 packages in the whitelist\n```\n### `nscm whitelist reset`\n\nRemoves all whitelisted packages.\n\n## `nscm config`\n\n### Configuration Options\n\n* `token` - Authentication Token. If not specified, it will be fetched from `~/.npmrc` - **required**\n* `registry` - Private NodeSource Certified Modules registry URL. 
If not specified, it will be fetched from `~/.npmrc` - **required**\n* `concurrency` - Concurrency of requests to package registry - default: 15\n\n### `nscm config set \u003ckey\u003e \u003cvalue\u003e`\n\nModify the specified configuration option.\n\n```\n$ nscm config set concurrency 10\n```\n\n### `nscm config get`\n\nGets a configuration option\n\n```\n$ nscm config get registry\nhttps://{registryId}.registry.nodesource.io\n```\n\n### `nscm config delete`\n\nDeletes a configuration option.\n\n```\n$ nscm config delete token\n```\n\n### `nscm config list`\n\nList all configuration options.\n\n```\n$ nscm config list\nconcurrency = 15\nregistry = https://{registryId}.registry.nodesource.io\n```\n\n### `nscm config reset`\n\nReset all configuration options to default values.\n\n```\n$ nscm config reset\n```\n\n## Authors and Contributors\n\n\u003ctable\u003e\u003ctbody\u003e\n\u003ctr\u003e\u003cth align=\"left\"\u003eNathan White\u003c/th\u003e\u003ctd\u003e\u003ca href=\"https://github.com/nw\"\u003eGitHub/nw\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003ca href=\"http://twitter.com/_nw_\"\u003eTwitter/@_nw_\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003cth align=\"left\"\u003eJulián Duque\u003c/th\u003e\u003ctd\u003e\u003ca href=\"https://github.com/julianduque\"\u003eGitHub/julianduque\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003ca href=\"http://twitter.com/julian_duque\"\u003eTwitter/@julian_duque\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003cth align=\"left\"\u003eAdrián Estrada\u003c/th\u003e\u003ctd\u003e\u003ca href=\"https://github.com/edsadr\"\u003eGitHub/edsadr\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003ca href=\"http://twitter.com/edsadr\"\u003eTwitter/@edsadr\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003cth align=\"left\"\u003eMax Harris\u003c/th\u003e\u003ctd\u003e\u003ca href=\"https://github.com/maxharris9\"\u003eGitHub/maxharris9\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003ca 
href=\"http://twitter.com/maxharris9\"\u003eTwitter/@maxharris9\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003cth align=\"left\"\u003eTierney Cyren\u003c/th\u003e\u003ctd\u003e\u003ca href=\"https://github.com/bnb\"\u003eGitHub/bnb\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003ca href=\"http://twitter.com/bitandbang\"\u003eTwitter/@bitandbang\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003cth align=\"left\"\u003eGiovanny Gongora\u003c/th\u003e\u003ctd\u003e\u003ca href=\"https://github.com/Gioyik\"\u003eGitHub/Gioyik\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://twitter.com/Gioyik\"\u003eTwitter/@Gioyik\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n\nContributions are welcomed from anyone wanting to improve this project!\n\n## License \u0026 Copyright\n\n**nscm** is Copyright (c) 2017 NodeSource and licensed under the MIT license. All rights not explicitly granted in the MIT license are reserved. See the included [LICENSE.md](https://github.com/nodesource/nscm/blob/master/LICENSE.md) file for more details.\n","funding_links":[],"categories":["Developers"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodesource%2Fnscm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnodesource%2Fnscm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodesource%2Fnscm/lists"}