Getting Started

NCM Overview

NodeSource Certified Modules

NodeSource Certified Modules provides a screen that provides an additional layer of safety to your use of third-party Node.js packages. Using a series of tests, we score every single package on npm to look for a number of weighted criteria. With the npm cli tool configured to use your Certified Modules registry, npm install will refuse to install any third-party package that does not meet the bar.

Overriding Certification Scores

You may occasionally come across a package that fails criteria but you don't yet have a work-around or alternate to use. Our whitelist tool can be used to override the certification screen and allow installation of any package.

Our suggestion is when you are forced to whitelist a package, you follow one of these paths to resolution versus keeping it indefinitely on the whitelist:

  1. Find an alternate that passes certification
  2. PR or work with the package author to attempt to improve the certification score
  3. Rewrite the functionality you need internally

NodeSource Platform

NodeSource Certified Modules access is set up and authenticated through the NodeSource Platform. The Platform provides a simple search interface for the certification scores for packages, user settings, and access to billing and subscription information.

How it Works

NodeSource Certified Modules works by putting a private registry between your code and the public npm registry. You connect to the private registry for all your package installation needs. The private repository is automatically updated with the recent changes to the public registry and it will prevent any package that do not meet the certification criteria from installing, ensuring you have a safe environment. If a module has failed to meet our certification criteria but you've reviewed it and are willing to allow it to be installed, you may override the certification screen by adding it to your whitelist.

Quick Start Guide

NodeSource Certified Modules is currently a server-side solution and works with the existing npm client.


To install npm packages from NCM, just follow these steps:

Create an account in the NodeSource Platform

Open a browser and navigate to the NodeSource Platform. Next, create an account with your email address or by connecting to an existing GitHub or Google account.

Install the nscm command-line tool.

$ npm -g install nscm

Log into NodeSource Certified Modules at the command-line.

$ nscm signin

If you created your account with Github or Google as your identity provider, use:

$ nscm signin --github or $ nscm signin --google

See setup for more information on signing in.

You should now be set up to install packages via your normal npm workflow.

See Whitelisting Packages for more information about the nscm tool.

Configuring npm

Logging in with nscm

NodeSource Certified Modules provides a signin command from the nscm tool to authenticate with your registry. It will automatically set your local .npmrc registry URL to set up workspace-specific authentication.

  • $ nscm signin
  • $ nscm signin --github
  • $ nscm signin --google

If you created your account with an email and password, run the command without the --github or --google flags and follow the prompts to log in. If you created your account using Single Sign-On provided by Google or Github, use the appropriate flag. This will open a browser window allowing you to sign in with your identity provider. Once signed in you will see an authentication code; copy the provided code and paste it into the prompt at the command-line.

"Authentication Code"

You should now be authenticated in this project location for your NodeSource Certified Modules registry. You can repeat this process in each project you wish to use with NodeSource Certified Modules to configure each registry.

After you've logged in, you can use the following command to see what email address you are logged in with:

$ npm whoami

Signing out with nscm

To sign out, use the nscm signout command.

$ nscm signout

This will remove login token from your npm configuration information, but it will not change your registry URL configuration.

More information on npm configuration

For reference, here are links to npm's documentation on configuration:

NodeSource Certification Score

The NodeSource Certification Process is an extensive suite of tests based on attributes that are valuable to customers. We are attempting to capture the best signals that determine the quality, security and overall health of any given package in the npm ecosystem.

We expect the calculation of this score to change over time as we incorporate feedback about additional signals that are important to professional users of Node.js.

Scoring Criteria

The current scoring criteria used are:

  • Package has a README file
  • Package's source code is in public source control
  • Package and its dependency tree are open-source licensed with any of: Apache, BSD, ISC, or MIT
  • Disk usage after npm install is < 25 MB
  • There are no known security vulnerabilities in the package or its dependency tree

Whitelisting Packages

nscm is a simple utility to whitelist non-certified packages and can be used to generate a report of matching certified packages in a specified private registry.


You can install it from npm by running:

$ npm install --registry= -g nscm


This tool is meant to be used in the root folder of an application where the package.json file exists.

Usage: nscm [command] [options]


    config, c     Configure nscm options
    help          Display help
    report, r     Get a report of your packages
    whitelist, w  Whitelist your packages


    -c, --concurrency <n>  Concurrency of requests (defaults to 15)
    -h, --help             Output usage information
    -j, --json             Formats the report in JSON (disabled by default)
    -p, --production       Only check production (disabled by default)
    -r, --registry         Certified modules registry (defaults to "")
    -t, --token            Token for registry authentication (defaults to "")
    -v, --version          Output the version number

nscm report (default)

Returns a report of matching certified packages and their certification scores.

$ nscm report
please wait while we process the information
│ Package                            │ Version       │ Score  │
│ body-parser                        │ 1.15.2        │ 100    │
│ debug                              │ 2.2.0         │ 70     │
│ ms                                 │ 0.7.1         │ 100    │
│ bytes                              │ 2.4.0         │ 100    │
│ content-type                       │ 1.0.2         │ 100    │
│ depd                               │ 1.1.0         │ 100    │
│ http-errors                        │ 1.5.1         │ 100    │
│ inherits                           │ 2.0.3         │ 100    │

You can also pass --json to return the report in JSON format or --production to return only dependencies and not devDependencies.

$ nscm report --production --json
please wait while we process the information
    "name": "body-parser",
    "version": "1.15.2",
    "from": "body-parser@>=1.15.2 <1.16.0",
    "score": 100
    "name": "debug",
    "version": "2.2.0",
    "from": "debug@>=2.2.0 <2.3.0",
    "score": 70
    "name": "ms",
    "version": "0.7.1",
    "from": "ms@0.7.1",
    "score": 100
    "name": "bytes",
    "version": "2.4.0",
    "from": "bytes@2.4.0",
    "score": 100

nscm whitelist

Check which packages aren't certified, and start an interactive prompt to add packages to the whitelist.

$ nscm whitelist
please wait while we process the information

37 packages aren't certified, do you want to add them to the whitelist?
? add debug@2.2.0 Yes
? add setprototypeof@1.0.2 Yes
? add statuses@1.3.1 No
? add ee-first@1.1.1 No
? add unpipe@1.0.0 (ynaH) All

│ Package                            │ Version       │ Score  │
│ debug                              │ 2.2.0         │ 70     │
│ setprototypeof                     │ 1.0.2         │        │
│ source-list-map                    │ 0.1.8         │        │
│ webpack-core                       │ 0.6.9         │        │
35 packages added to the whitelist

You can also pass --all to add all the packages to the whitelist and --json to return the packages in a JSON format.

nscm whitelist add

Add a package and its dependencies to the whitelist.

$ nscm whitelist add debug@2.x

If you pass only the package name, nscm will use latest. You can also pass a semver range or a specific version. If a semver range is passed it will be resolved to the highest published version that matches the range.

nscm whitelist delete

Delete a package from the whitelist.

$ nscm whitelist delete debug

nscm whitelist list

Lists all whitelisted packages.

$ nscm whitelist list
│ Package                            │ Version       │ Score  │
│ acorn                              │ 4.0.1         │        │
│ isarray                            │ 2.0.1         │        │
2 packages in the whitelist

nscm whitelist reset

Removes all packages from the whitelist. This does not remove packages from the project directory.

nscm config

Configuration Options

  • token - Authentication Token. If not specified, it will be fetched from ~/.npmrc - required
  • registry - Private NodeSource Certified Modules registry URL. If not specified, it will be fetched from ~/.npmrc - required
  • concurrency - Concurrency of requests to package registry - default: 15

nscm config set <key> <value>

Modify the specified configuration option.

$ nscm config set concurrency 10

nscm config get

Displays a configuration key's value.

$ nscm config get registry

nscm config delete

Deletes a configuration option.

$ nscm config delete token

nscm config list

List all configuration options.

$ nscm config list
concurrency = 15
registry = https://{registryId}

User Management

Signing in to your account

You can sign in with the email address associated with your account, and your password.

  1. Go to
  2. Enter your NodeSource Account email address and password.
  3. Click SIGN IN.

Single User

NodeSource Certified Modules is accessible by one set of credentials per account. You'll use the same email address and password you use to sign into NodeSource Platform to log into your registry using the npm command line utility.

Changing Your Password

If you want to change your account password, proceed with the steps below.

  1. Go to Settings > Profile & Password.

  2. In the PASSWORD section, click CHANGE PASSWORD.

    "Change Password"
  3. Type your old password as indicated and click NEXT.

  4. Type the new password and click SAVE.


Subscription & Billing

NodeSource Certified Modules is a subscription-based service. Use our 14-day free trial to get started, and subscribe to one of our easy affordable plans to get continuing access to secure, trusted, and reliable Node.js modules.

Subscription Plans

Plan Description
Team Drop-in replacement for your registry
8x5 product support
NodeSource-hosted registry
Enterprise Privately host your registry
24x7 product support
Multiple registries and custom solutions

Please contact us for an Enterprise subscription.

How to Subscribe

Now that you’re ready to subscribe, choose the plan that best suits your needs, and subscribe.

  1. Log in to your NodeSource account.
  2. Go to Settings > Subscription & Billing.

  3. In the Subscription section, select your desired plan. "Subscription Plans"
  4. Manage Subscription dialog will pop up. Fill out the form, and submit. "Thanks"

How to Renew your Subscription

If you want to renew the current subscription, click CHANGE.

"Application List"

Then Manage Subscription dialog will pop up. To save changes, click SAVE CHANGES button. "Save Changes"