JavaScript
FOSSA supports JavaScript and Node.js codebases through NPM, Yarn, and Pnpm.
Quick Import (app.fossa.com)
If you use FOSSA's automated build infrastructure, FOSSA will resolve dependencies by attempting to build your codebase via npm install --production
or yarn install --frozen-lockfile
.
If this fails or is disabled by setting prefer_mediated_dependencies
to false
, FOSSA will fall back to statically analyzing and traversing your package manifests (package.json
, yarn.lock
, component.json
, bower.json
).
By default, FOSSA filters out any devDependencies
entries.
Using Lockfiles or Build Scripts
If you are using FOSSA's automated builds, FOSSA will prefer the lockfiles you provide.
If you are using have build scripts that will edit your build behavior, it is recommended that you use Provided Builds.
CLI (fossa-cli)
To get started, install the latest release of fossa-cli
from our GitHub releases page:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
Once installed, run fossa analyze
inside of your repo's root directory.
You can view further documentation on our implementation, as well as inspect the code directly.
Authentication
You can configure authentication to enable FOSSA to fetch dependencies from authenticated registries such as private npm
packages, private Artifactory instances, or npm Enterprise instances.
Private packages on npmjs.com
In order for FOSSA to reach privately-scoped packages on [npmjs.com], go to your Javascript Language Settings under Account Settings > Languages > Javascript and add your login credentials:
After hitting "Save", you should be able to "retry" any unreachable npm
dependencies in FOSSA and begin to analyze them.
Finding Access Credentials
If you don't know your credentials, you can find them in
.npmrc
or~/.npmrc
after runningnpm login
. Learn more.
Private Artifact Registries (npm Enterprise or Artifactory)
On-Prem Only
npm Enterprise and Artifactory-configured npm registires are only supported in FOSSA on-prem.
To configure authentication on-prem, your FOSSA admin must edit FOSSA's config.env
file with one of two authentication methods. Check your .npmrc
to see which of the two formats below you use.
Auth tokens
For newer registries or NPM Enterprise, FOSSA supports tokens for authentication. If you are using this method, you can find a line in your .npmrc
formatted as //REGISTRY_URL/:_authToken=AUTH_TOKEN
.
Take the AUTH_TOKEN
and add the following config:
fetchers__npm__auth_token=AUTH_TOKEN
Legacy authentication
Many systems still use legacy authentication, especially if you are using a private registry like Artifactory. Look for email
, _auth
and username
in your .npmrc
.
fetchers__npm__auth__email
fetchers__npm__auth__token # _auth parameter in .npmrc
fetchers__npm__auth__username
After configuring, your FOSSA admin must run fossa restart
.
Private Registries
If you are using a private registry like Artifactory for you NPM code, your FOSSA admin can specify a private registry URL:
fetchers__npm__registry=YOUR_REGISTRY_URL
Often private registries require authentication, which is covered above under Private Packages.
Updated 6 months ago