FOSSA supports JavaScript and Node.js codebases through NPM, Yarn, and Pnpm.

ToolQuick Import ( (fossa-cli)
npmpackage.json, package-lock.jsonpackage.json, package-lock.json
Yarnyarn.lockpackage.json, yarn.lock

Quick Import (

If you use FOSSA's automated build infrastructure, FOSSA will resolve dependencies by attempting to build your codebase via npm install --production or yarn install --frozen-lockfile.

If this fails or is disabled by setting prefer_mediated_dependencies to false, FOSSA will fall back to statically analyzing and traversing your package manifests (package.json, yarn.lock, component.json, bower.json).

By default, FOSSA filters out any devDependencies entries.

Using Lockfiles or Build Scripts

If you are using FOSSA's automated builds, FOSSA will prefer the lockfiles you provide.

If you are using have build scripts that will edit your build behavior, it is recommended that you use Provided Builds.

CLI (fossa-cli)

To get started, install the latest release of fossa-cli from our GitHub releases page:

curl -H 'Cache-Control: no-cache' | bash

Once installed, run fossa analyze inside of your repo's root directory.

You can view further documentation on our implementation, as well as inspect the code directly.


You can configure authentication to enable FOSSA to fetch dependencies from authenticated registries such as private npm packages, private Artifactory instances, or npm Enterprise instances.

Private packages on

In order for FOSSA to reach privately-scoped packages on [], go to your Javascript Language Settings under Account Settings > Languages > Javascript and add your login credentials:


npm Authentication Settings

After hitting "Save", you should be able to "retry" any unreachable npm dependencies in FOSSA and begin to analyze them.


Finding Access Credentials

If you don't know your credentials, you can find them in .npmrc or ~/.npmrc after running npm login. Learn more.

Private Artifact Registries (npm Enterprise or Artifactory)


On-Prem Only

npm Enterprise and Artifactory-configured npm registires are only supported in FOSSA on-prem.

To configure authentication on-prem, your FOSSA admin must edit FOSSA's config.env file with one of two authentication methods. Check your .npmrc to see which of the two formats below you use.

Auth tokens

For newer registries or NPM Enterprise, FOSSA supports tokens for authentication. If you are using this method, you can find a line in your .npmrc formatted as //REGISTRY_URL/:_authToken=AUTH_TOKEN.

Take the AUTH_TOKEN and add the following config:


Legacy authentication

Many systems still use legacy authentication, especially if you are using a private registry like Artifactory. Look for email, _auth and username in your .npmrc.


fetchers__npm__auth__token # _auth parameter in .npmrc


After configuring, your FOSSA admin must run fossa restart.

Private Registries

If you are using a private registry like Artifactory for you NPM code, your FOSSA admin can specify a private registry URL:


Often private registries require authentication, which is covered above under Private Packages.

NPM Enterprise

See here for FOSSA's NPM Enterprise integration.