npm Enterprise Add-Ons

Add-ons allow third-party developer tools to integrate directly into npm Enterprise. This gives npm Enterprise powerful functionality, such as: vulnerability scanning, license auditing, and code quality analysis.

Installing Add-Ons

Add-ons are installed via the npme admin tool on your Enterprise server:

  1. SSH into your npme appliance.
  2. Run npme addon <add-on-identifier>.
  3. third-parties may require an additional step, such as verifying your email address.

That's all there is to it! Visit any package page in your npm Enterprise website:

npm Enterprise Add-Ons

Add-Ons Currently Available

Node Security

The Node Security team audits modules that Enterprises depend on and then surface security information in the Node Security Platform. For years, the nsp tool has been a pivotal source of intelligence on vulnerabilities in Node dependencies.

The npm Enterprise Node Security add-on provides this information in the sidebar of the module detail page. By clicking the sidebar, a user receives a more detailed description of the vulnerability.

Node Security


  • Homepage:
  • Installation: npme addon http://{fossa_host}/api/services/npm

FOSSA’s Licenses add-on proactively assesses both public and proprietary packages in npmE registries to identify licensing issues and obligations. npmE users will be able to view an at-a-glance summary of a package’s licensing impact online before deciding to download and integrate it into their products.

FOSSA runs as an appliance securely behind your firewall, contact [email protected] to get started with this add-on.



Once the bitHound add-on is activated (via email post-installation), you will start seeing bitHound package metrics and insights. This will show up on the right hand side where you're already used to seeing npm provided information.

This information provides valuable insight into the health of any open-source dependencies your company is building on top of.


Writing Your Own Add-On

Would you like to write an npm Enterprise add-on? send an email to [email protected].

npm Enterprise add-ons consist of two parts: a manifest that provides meta-information about an add-on, and a server that gets web-hooks posted to it from the npm Enterprise appliance.

The Manifest

The manifest contains the following fields:

  • type: What type of add-on is this (currently badge plus is the only option).
  • email: An email address of the add-on maintainer.
  • name: a human-readable name for the add-on.
  • homepage: A homepage URL for the add-on.
  • description: A brief description of the add-on.
  • callback: A callback to invoke during add-on installation.
  • webhook: A webhook to invoke with package.json, as package pages are visited by users.

bitHound's manifest:

   "type": "badge plus",
   "email": "[email protected]",
   "name": "Package Metrics",
   "homepage": "",
   "description": "Package Metrics powered by bitHound",
   "callback": "",
   "webhook": ""

The manifest should be available on a public URL, and is installed via:

 npme addon https://manifest-url

The Server

The server component listens for events posted to the webhook and callback URL described in the manifest.

The callback URL receives access_token and email, the access_token is used to sign future webhooks, using a signing scheme outlined here.

The webhook URL is posted a signed payload, representing the package page that a user is viewing. A webhook returns a payload representing the UI elements that should be rendered on the package page.

sample response:

     "rows": [
       "image": {
       "text": "",
       "url": "http://localhost:8081/static/images/tonicdev.ico"
     "link": {
        "url": "",
        "text": "test nyc in the browser"

Two sample servers are available as a point of reference:

Displays a list of the top npm users contributing to a package, based on their download counts.

Experiment with an npm module using Tonic.

results matching ""

    No results matching ""