npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@cdxgen/cdx-hbom

v0.5.0

Published

Dependency-free hardware bill of materials discovery library.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

prabhusprabhus

Keywords

hbomhardwarebomcyclonedxdarwinlinuxarm64amd64

Readme

cdx-hbom

cdx-hbom is a small, dependency-free Hardware Bill of Materials (HBOM) collector for CycloneDX BOM tools.

It currently supports following OS hosts:

  • darwin/arm64 (Apple Silicon Macs)
  • linux/amd64
  • linux/arm64

Install

npm

npm install @cdxgen/cdx-hbom

JSR

npx jsr add @cdxgen/cdx-hbom

CLI

Generate a hardware inventory for the current host:

npx @cdxgen/cdx-hbom --pretty > host-hbom.json

Common options:

  • --pretty pretty-print the JSON output
  • --dry-run block command execution and trace planned collection activity
  • --platform <value> override platform detection
  • --arch <value> override architecture detection
  • --sensitive include raw identifiers instead of redacted defaults
  • --no-command-enrichment disable optional command-based enrichment on Linux
  • --privileged enable privileged Linux enrichment and explicit non-interactive sudo -n retries for documented permission-sensitive commands that opt in (currently drm_info)
  • --plist-enrichment enable additional Darwin plist-based enrichment
  • --strict fail instead of returning partial results when enrichment fails
  • --timeout <ms> set per-command timeout

Examples:

npx @cdxgen/cdx-hbom --pretty
npx @cdxgen/cdx-hbom --privileged --pretty > linux-hbom.json
npx @cdxgen/cdx-hbom --plist-enrichment --pretty > mac-hbom.json

Library usage

import {
  collectHardware,
  createCollectorTrace,
  buildHardwareFromSources,
  getCollectorTrace,
  getCommandPlan,
} from "@cdxgen/cdx-hbom";

const trace = createCollectorTrace();

const bom = await collectHardware({
  dryRun: true,
  includePlistEnrichment: true,
  trace,
});

const collectedTrace = getCollectorTrace(bom) ?? trace;
console.log(collectedTrace.activities);

const plan = getCommandPlan({ platform: "linux", architecture: "amd64" });

// Some plan entries are templates; their final arguments are resolved per
// device or interface at runtime when live collection expands the plan.

const rebuilt = buildHardwareFromSources({
  platform: "linux",
  architecture: "amd64",
  sources: {
    osRelease: { NAME: "Ubuntu", VERSION_ID: "24.04" },
    cpuInfo: [{ processor: "0", "model name": "AMD Ryzen 7" }],
  },
});

Reading command diagnostics from the library

cdx-hbom keeps JSON output on the BOM itself and records optional command issues in the attached collector trace and BOM evidence properties.

import {
  collectHardware,
  createCollectorTrace,
  getCollectorTrace,
} from "@cdxgen/cdx-hbom";

const trace = createCollectorTrace();

const bom = await collectHardware({
  platform: "linux",
  architecture: "amd64",
  includeCommandEnrichment: true,
  includePrivilegedEnrichment: true,
  allowPartial: true,
  trace,
});

const collectedTrace = getCollectorTrace(bom) ?? trace;
const commandDiagnostics = collectedTrace.activities.filter(
  (entry) =>
    entry.kind === "command-diagnostic" || entry.kind === "command-warning",
);

for (const entry of commandDiagnostics) {
  if (entry.issue === "missing-command") {
    console.error(
      `Install hint for ${entry.command}: ${entry.hint ?? "see package docs"}`,
    );
  }

  if (entry.issue === "permission-denied") {
    console.error(
      `Privilege hint for ${entry.command}: ${entry.hint ?? "retry with --privileged"}`,
    );
  }
}

You can also read serialized command diagnostics from the BOM root by inspecting cdx:hbom:evidence:commandDiagnostic* properties.

Native enrichment currently covered

cdx-hbom uses a fixed command registry and array-based process spawning, but upstream wrappers and integrators are responsible for any stricter command allowlisting, PATH hardening, or execution policy controls around the collector process.

Dry-run and trace support

  • dryRun: true blocks command execution inside cdx-hbom itself instead of relying on a caller-side fallback.
  • getCommandPlan() exposes the static command registry, including template entries whose concrete arguments are resolved per device or interface at runtime.
  • Successful file reads and directory discovery, plus completed/blocked/failed command attempts, are recorded in the collector trace.
  • Pass trace: createCollectorTrace() to collect activity into a caller-owned ledger, or read it later via getCollectorTrace(bom).
  • The attached trace is non-enumerable, so JSON.stringify(bom) still emits a normal CycloneDX document.

Linux

  • /proc and /sys baseline discovery
  • CPU, memory, storage, PCI, USB, DRM display, audio, MMC/SDIO, and network inventory
  • hwmon, thermal zones, TPM, and NVMe controller enrichment
  • optional command enrichment via lscpu, lsblk, ip, lsmem, hostnamectl, lspci, lsusb, ethtool, cpupower, drm_info, upower, fwupdmgr, boltctl, mmcli, and edid-decode
  • command diagnostics for missing utilities, partial support, and permission-sensitive enrichments

If you want to improve Linux enrichment coverage by installing the optional host tools, see linux-troubleshooting.md.

Darwin arm64

  • system_profiler hardware, storage, display, Wi-Fi, USB, audio, camera, Bluetooth, Thunderbolt, and power data
  • networksetup hardware-port mapping
  • live ifconfig network-interface enrichment
  • optional plist enrichment via diskutil, diskutil apfs list -plist, and ioreg

Development

npm test

License

MIT