Submit an NPM Package
Submit an NPM package from npmjs.com for RepoRisk to analyze for security vulnerabilities and code quality issues.
Overview
In addition to Git repositories and browser extensions, RepoRisk can analyze NPM packages directly from the npmjs.com registry. The platform downloads the package tarball from the registry and analyzes its contents just like any other submission.
Submitting an NPM Package
Step 1: Navigate to the Submit Page
- Log in to your RepoRisk account at https://app.canirunthat.com
- Click the Submit Repository button in the top navigation bar
Step 2: Enter the NPM Package URL
- On the Submit by URL tab, paste the npmjs.com URL of the package you want to analyze
- The system automatically detects that the URL is an NPM package
Supported URL formats:
| Format | Example |
|---|---|
| Package (latest version) | https://www.npmjs.com/package/lodash |
| Scoped package | https://www.npmjs.com/package/@babel/core |
| Specific version | https://www.npmjs.com/package/lodash/v/4.17.21 |
| Scoped + version | https://www.npmjs.com/package/@babel/core/v/7.24.0 |
Step 3: Start Analysis
- Once the NPM package URL is detected, you'll see a badge confirming the package type
- Click "Start Analysis" to submit the package
What Happens After Submission
After submission, the platform:
- Resolves the package — Looks up the package on the npm registry and determines the version to analyze (latest if not specified)
- Downloads the tarball — Securely downloads the package tarball from registry.npmjs.org
- Extracts and analyzes — Extracts the package contents and analyzes each file for security vulnerabilities
You'll be taken to a status page showing the analysis progress, just like for repository and extension submissions.
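A pre-submission check for the supported URL formats, as an added example that is not RepoRisk's own code: it extracts the package name and version a URL refers to, defaulting to latest when no version is given. The function names, accepted hostnames and the name/version patterns are assumptions.

```javascript
// Added example, not RepoRisk code. Function names, accepted hosts and the
// name/version patterns below are assumptions made for illustration.
const ALLOWED_HOSTS = ['www.npmjs.com', 'npmjs.com'];
// URL-safe package name with an optional @scope/ prefix.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._~-]*\/)?[a-z0-9][a-z0-9._~-]*$/i;
// Exact semver-style version; dist-tags and ranges are not accepted here.
const VERSION_RE = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;

function parseNpmPackageUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, error: 'not a URL' };
  }
  // Exact host comparison, so look-alikes like www.npmjs.com.example.net fail.
  if (url.protocol !== 'https:' || url.port || !ALLOWED_HOSTS.includes(url.hostname)) {
    return { ok: false, error: 'not an https npmjs.com URL' };
  }
  const seg = url.pathname.split('/').filter(Boolean);
  if (seg[0] !== 'package') return { ok: false, error: 'path must start with /package/' };
  // A scoped name spans two path segments: @scope and name.
  const nameLen = seg[1] && seg[1].startsWith('@') ? 2 : 1;
  const name = seg.slice(1, 1 + nameLen).join('/');
  const rest = seg.slice(1 + nameLen);
  if (!NAME_RE.test(name)) return { ok: false, error: 'invalid package name' };
  if (rest.length === 0) return { ok: true, name, version: 'latest' };
  if (rest.length === 2 && rest[0] === 'v' && VERSION_RE.test(rest[1])) {
    return { ok: true, name, version: rest[1] };
  }
  return { ok: false, error: 'unsupported path after package name' };
}

// Metadata document for the package on the public registry; the slash of a
// scoped name is percent-encoded.
function registryMetadataUrl(name) {
  return 'https://registry.npmjs.org/' + name.replace('/', '%2F');
}

// Constructed sample inputs: two supported formats, two that must fail.
const SAMPLES = [
  'https://www.npmjs.com/package/lodash',
  'https://www.npmjs.com/package/@babel/core/v/7.24.0',
  'https://www.npmjs.com.example.net/package/lodash',
  'https://www.npmjs.com/package/lodash/v/latest',
];
for (const s of SAMPLES) console.log(s, '->', JSON.stringify(parseNpmPackageUrl(s)));
```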
Processing Time:
- The system uses batch processing with Anthropic for cost efficiency
- Processing can technically take up to 24 hours
- In most cases, analysis completes within a few minutes
Once complete, you'll be able to access the full report.
Viewing Your Report
To view your NPM package analysis report:
- From the Dashboard, find the package in your repository list (it will be identified as an NPM package)
- Click on it to view the full security report
The report includes the same categories, severity levels, and findings as repository and extension reports.
Other Submission Methods
RepoRisk supports three types of submissions through the same Submit by URL field:
- Git Repositories — Submit a Git repository URL (GitHub, GitLab, Bitbucket, etc.)
- Browser Extensions — Submit a webstore URL or upload an extension file
- NPM Packages — Submit an npmjs.com package URL (this page)
The submission type is detected automatically based on the URL you provide.
Troubleshooting
Common Issues
"Invalid npmjs.com package URL"
- Ensure the URL follows one of the supported formats listed above
- The URL must be from npmjs.com (e.g., https://www.npmjs.com/package/package-name)
"Package not found"
- Verify the package name is correct and publicly available on npmjs.com
- If specifying a version, confirm that version exists
"NPM registry unavailable"
- The npm registry may be temporarily unavailable — try again in a few minutes
"User must belong to an organization"
- NPM package submissions require your account to be associated with an organization
For additional help, contact Support.