Getting Started

NCM Overview

NodeSource Certified Modules

NodeSource Certified Modules provides a screen that provides an additional layer of safety to your use of third-party Node.js packages. Using a series of tests, we score every single package on npm to look for a number of weighted criteria. With the npm cli tool configured to use your Certified Modules registry, npm install will refuse to install any third-party package that does not meet the bar.

Overriding Certification Scores

You may occasionally come across a package that fails criteria but you don't yet have a work-around or alternate to use. Our whitelist tool can be used to override the certification screen and allow installation of any package.

Our suggestion is when you are forced to whitelist a package, you follow one of these paths to resolution versus keeping it indefinitely on the whitelist:

  1. Find an alternate that passes certification
  2. PR or work with the package author to attempt to improve the certification score
  3. Rewrite the functionality you need internally

NodeSource Platform

NodeSource Certified Modules access is set up and authenticated through the NodeSource Platform. The Platform provides a simple search interface for the certification scores for packages, user settings, and access to billing and subscription information.

Quick Start Guide

NodeSource Certified Modules is currently a server-side solution and works with the existing npm client.


To install npm packages from NCM, just follow these steps:

Find your registryId at

"Registry URL"

In your terminal, run:

$ npm config set registry https://${registryId}
$ npm login
Username: example
Password: <Password>
Email: (this IS public)
Logged in with on https://${registryId}

The npm client will then add an entry to ~/.npmrc for the current registry.

More information about setting up NCM can be found here.

Resetting default registry

Switching back to the public npm registry will not require you to npm login as authentication credentials are stored per registry.

$ npm config set registry

Configuring npm

Changing your default registry


To use NodeSource Certified Modules, you'll need to point the npm command at the registry URL configured for your account. The URL is in the following form:


The registry URL is shown in the NodeSource Certified Modules web page, in the light blue box, as shown below:

"Registry URL"

You can change the default registry URL that npm uses, by using the npm config command. Most NodeSource Certified Modules users will want to use this method change their default registry URL:

$ npm config set registry https://${registryId}

For a single project

In a project that you would like to use with NodeSource Certified Modules, do the following:

  • create a new file .npmrc in the root directory of your project - the same one with your package.json file

  • in the file, add the following line, which will configure the registry location:

    registry = https://${registryId}

  • in the file, add one of the following lines, which will keep cache entries for this registry separated from cache entries from other registries:

    Windows: cache = %AppData%\npm-ncm-cache

    Mac or Linux: cache = ~/.npm-ncm

  • save the file

  • on Mac or Linux, run the following command to make the file .npmrc only readable and writable by the current userid; note that npm will only read .npmrc files with mode 0600:

    $ chmod 0600 .npmrc

The final .npmrc file will look like this:

registry = https://${registryId}
cache = ~/.npm-ncm

Once you've done this, you can then run npm commands in this directory and they will use your NodeSource Certified Modules registry instead of the default npm registry.

For a single command

You can also change your registry temporarily by using the --registry command line argument. This is a one-time configuration override that will not change your default registry.

$ npm install --registry=https://${registryId}

Removing your custom registry configuration

If you used the npm config command to change the default registry to your NodeSource Certified Modules registry, you can set the registry back to the default registry by running the following command:

$ npm config set registry

Logging in with npm

NodeSource Certified Modules uses the npm command's built-in login method to authenticate you with your registry. After changing your registry URL, execute the following command:

$ npm login

The npm command will then prompt you for a Username, Password, and Email. NodeSource Certified Modules only uses the Email and Password fields. The value you enter for Username will be ignored.

Type your email and password in when prompted. Your login token will be saved with other npm configuration information so that subsequent npm commands use this token.

Note that npm will prompt for your email with the string "Email: (this IS public)" - this string is hard-coded in the npm program; NodeSource Certified Modules will not make your email public.

After you've logged in, you can use the following command later to see what email address you are logged in with:

$ npm whoami

Logging out with npm

To log out, just use the npm command's logout command.

$ npm logout

This will remove login token from your npm configuration information, but it will not change your registry URL configuration.

More information on npm configuration

For reference, here are links to npm's documentation on configuration:

NodeSource Certification Score

The NodeSource Certification Process is an extensive suite of tests based on attributes that are valuable to customers. We are attempting to capture the best signals that determine the quality, security and overall health of any given package in the npm ecosystem.

We expect the calculation of this score to change over time as we incorporate feedback about additional signals that are important to professional users of Node.js.

Scoring Criteria

The current scoring criteria used are:

  • Package has a README file
  • Package's source code is in public source control
  • Package and its dependency tree are open-source licensed with any of: Apache, BSD, ISC, or MIT
  • Disk usage after npm install is < 25 MB
  • There are no known security vulnerabilities in the package or its dependency tree

Whitelisting Packages

nscm is a simple utility to whitelist non-certified packages and can be used to generate a report of matching certified packages in a specified private registry.


You can install it from npm by running:

$ npm install --registry= -g nscm


This tool is meant to be used in the root folder of an application where the package.json file exists.

Usage: nscm [command] [options]


    config, c     Configure nscm options
    help          Display help
    report, r     Get a report of your packages
    whitelist, w  Whitelist your packages


    -c, --concurrency <n>  Concurrency of requests (defaults to 15)
    -h, --help             Output usage information
    -j, --json             Formats the report in JSON (disabled by default)
    -p, --production       Only check production (disabled by default)
    -r, --registry         Certified modules registry (defaults to "")
    -t, --token            Token for registry authentication (defaults to "")
    -v, --version          Output the version number

nscm report (default)

Returns a report of matching certified packages and their certification scores.

$ nscm report
please wait while we process the information
│ Package                            │ Version       │ Score  │
│ body-parser                        │ 1.15.2        │ 100    │
│ debug                              │ 2.2.0         │ 70     │
│ ms                                 │ 0.7.1         │ 100    │
│ bytes                              │ 2.4.0         │ 100    │
│ content-type                       │ 1.0.2         │ 100    │
│ depd                               │ 1.1.0         │ 100    │
│ http-errors                        │ 1.5.1         │ 100    │
│ inherits                           │ 2.0.3         │ 100    │

You can also pass --json to return the report in JSON format or --production to return only dependencies and not devDependencies.

$ nscm report --production --json
please wait while we process the information
    "name": "body-parser",
    "version": "1.15.2",
    "from": "body-parser@>=1.15.2 <1.16.0",
    "score": 100
    "name": "debug",
    "version": "2.2.0",
    "from": "debug@>=2.2.0 <2.3.0",
    "score": 70
    "name": "ms",
    "version": "0.7.1",
    "from": "ms@0.7.1",
    "score": 100
    "name": "bytes",
    "version": "2.4.0",
    "from": "bytes@2.4.0",
    "score": 100

nscm whitelist

Check which packages aren't certified, and start an interactive prompt to add packages to the whitelist.

$ nscm whitelist
please wait while we process the information

37 packages aren't certified, do you want to add them to the whitelist?
? add debug@2.2.0 Yes
? add setprototypeof@1.0.2 Yes
? add statuses@1.3.1 No
? add ee-first@1.1.1 No
? add unpipe@1.0.0 (ynaH) All

│ Package                            │ Version       │ Score  │
│ debug                              │ 2.2.0         │ 70     │
│ setprototypeof                     │ 1.0.2         │        │
│ source-list-map                    │ 0.1.8         │        │
│ webpack-core                       │ 0.6.9         │        │
35 packages added to the whitelist

You can also pass --all to add all the packages to the whitelist and --json to return the packages in a JSON format.

nscm whitelist add

Add a package and its dependencies to the whitelist.

$ nscm whitelist add debug@2.x

If you pass only the package name, nscm will use latest. You can also pass a semver range or a specific version. If a semver range is passed it will be resolved to the highest published version that matches the range.

nscm whitelist delete

Delete a package from the whitelist.

$ nscm whitelist delete debug

nscm whitelist list

Lists all whitelisted packages.

$ nscm whitelist list
│ Package                            │ Version       │ Score  │
│ acorn                              │ 4.0.1         │        │
│ isarray                            │ 2.0.1         │        │
2 packages in the whitelist

nscm whitelist reset

Removes all packages from the whitelist. This does not remove packages from the project directory.

nscm config

Configuration Options

  • token - Authentication Token. If not specified, it will be fetched from ~/.npmrc - required
  • registry - Private NodeSource Certified Modules registry URL. If not specified, it will be fetched from ~/.npmrc - required
  • concurrency - Concurrency of requests to package registry - default: 15

nscm config set <key> <value>

Modify the specified configuration option.

$ nscm config set concurrency 10

nscm config get

Displays a configuration key's value.

$ nscm config get registry

nscm config delete

Deletes a configuration option.

$ nscm config delete token

nscm config list

List all configuration options.

$ nscm config list
concurrency = 15
registry = https://{registryId}

User Management

Signing in to your account

You can sign in with the email address associated with your account, and your password.

  1. Go to
  2. Enter your NodeSource Account email address and password.
  3. Click SIGN IN.

Single User

NodeSource Certified Modules is accessible by one set of credentials per account. You'll use the same email address and password you use to sign into NodeSource Platform to log into your registry using the npm command line utility.

Changing Your Password

If you want to change your account password, proceed with the steps below.

  1. Go to Settings > Profile & Password.

  2. In the PASSWORD section, click CHANGE PASSWORD.

    "Change Password"
  3. Type your old password as indicated and click NEXT.

  4. Type the new password and click SAVE.


Subscription & Billing

NodeSource Certified Modules is a subscription-based service. Use our 14-day free trial to get started, and subscribe to one of our easy affordable plans to get continuing access to secure, trusted, and reliable Node.js modules.

Subscription Plans

Plan Description
Team Drop-in replacement for your registry
8x5 product support
NodeSource-hosted registry
Enterprise Privately host your registry
24x7 product support
Multiple registries and custom solutions

Please contact us for an Enterprise subscription.

How to Subscribe

Now that you’re ready to subscribe, choose the plan that best suits your needs, and subscribe.

  1. Log in to your NodeSource account.
  2. Go to Settings > Subscription & Billing.

  3. In the Subscription section, select your desired plan. "Subscription Plans"
  4. Manage Subscription dialog will pop up. Fill out the form, and submit. "Thanks"

How to Renew your Subscription

If you want to renew the current subscription, click CHANGE.

"Application List"

Then Manage Subscription dialog will pop up. To save changes, click SAVE CHANGES button. "Save Changes"