rollup-plugin-sbom
3.1.0 · verified Mon Apr 27 · auth: no · javascript
Rollup and Vite plugin to generate Software Bill of Materials (SBOM) for your application. Current stable version is 3.1.0, released March 2026. Supports CycloneDX and SPDX formats. Key differentiators: native Vite support, virtual module filtering, and configuration via rollup or vite config. Active development with next versions adding rolldown support. Requires Node >=20.19.0.
Common errors
error ERR_REQUIRE_ESM: require() of ES Module not supported
cause Using CommonJS require() on an ESM-only package.
fix Use import syntax or dynamic import().
error Error: The SBOM plugin requires Node.js version >=20.19.0. Current version: <...>
cause Node version too low.
fix Upgrade Node to 20.19.0 or later.
error TypeError: rollupPluginSbom is not a function
cause Incorrect import (maybe default vs named) or using old version without named export.
fix Ensure import { rollupPluginSbom } from 'rollup-plugin-sbom'.
Warnings
breaking Requires Node.js >=20.19.0
fix Update to Node.js 20.19.0 or higher.
breaking ESM-only; no CommonJS support
fix Use import syntax instead of require().
gotcha Virtual modules not following vite/rollup conventions are filtered out
fix Ensure custom virtual modules follow naming conventions.
gotcha Dependency information can be missing; plugin logs module info for debugging
fix Enable verbose logging to see which modules are missing info.
deprecated Older options like 'sbomFormat' and 'sbomOutput' removed in v3
fix Use 'format' and 'outputDir' options.
Install
npm install rollup-plugin-sbom
yarn add rollup-plugin-sbom
pnpm add rollup-plugin-sbom
Imports
- rollupPluginSbom
wrong const rollupPluginSbom = require('rollup-plugin-sbom')
correct import { rollupPluginSbom } from 'rollup-plugin-sbom'
- default export
wrong import { default as rollupPluginSbom } from 'rollup-plugin-sbom'
correct import rollupPluginSbom from 'rollup-plugin-sbom'
- vitePluginSbom
wrong import { vitePluginSbom } from 'rollup-plugin-sbom/vite'
correct import { vitePluginSbom } from 'rollup-plugin-sbom'
Quickstart
import { rollupPluginSbom } from 'rollup-plugin-sbom';
import { defineConfig } from 'vite';

export default defineConfig({
  plugins: [
    rollupPluginSbom({
      // v3 option names; the older 'sbomFormat' and 'sbomOutput' were removed
      format: ['cyclonedx-json', 'spdx-json'],
      outputDir: './sbom',
      encoding: 'utf-8',
      includeDev: false,
      // Metadata describing the application the SBOM is generated for
      globals: {
        componentName: 'my-app',
        componentVersion: '1.0.0',
        supplier: 'Example Corp'
      }
    })
  ]
});
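Because dependency information can be missing from the generated SBOM (see the gotcha under Warnings), a build can audit the cyclonedx-json output before publishing it. The following is an added example, not code from the plugin or its documentation: auditBom, isPresent, REQUIRED and SAMPLE_BOM are hypothetical names, the sample document is constructed, and it assumes the output follows the standard CycloneDX JSON layout (bomFormat, components[] with name, version, purl, licenses).

```javascript
// Added example: flag components in a CycloneDX JSON SBOM that lack the
// metadata a vulnerability or license scanner needs to match them.
// SAMPLE_BOM is constructed for illustration; it is not real plugin output.
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  metadata: { component: { type: 'application', name: 'my-app', version: '1.0.0' } },
  components: [
    { type: 'library', name: 'example-a', version: '2.0.1',
      purl: 'pkg:npm/example-a@2.0.1', licenses: [{ license: { id: 'MIT' } }] },
    { type: 'library', name: 'internal-utils', version: '' },
    { type: 'library', name: 'example-b', version: '0.4.0',
      purl: 'pkg:npm/example-b@0.4.0' },
  ],
};

// Fields checked on every component (an assumption; adjust to your policy).
const REQUIRED = ['name', 'version', 'purl', 'licenses'];

// A field counts as present if it is a non-empty string or a non-empty array.
function isPresent(value) {
  if (Array.isArray(value)) return value.length > 0;
  return typeof value === 'string' && value.trim() !== '';
}

// Returns one finding per incomplete component, including nested components.
function auditBom(bom) {
  if (!bom || bom.bomFormat !== 'CycloneDX' || !Array.isArray(bom.components)) {
    throw new TypeError('not a CycloneDX JSON document with a components array');
  }
  const findings = [];
  const stack = [...bom.components];
  while (stack.length > 0) {
    const c = stack.pop();
    const missing = REQUIRED.filter((field) => !isPresent(c[field]));
    if (missing.length > 0) findings.push({ name: c.name || '(unnamed)', missing });
    if (Array.isArray(c.components)) stack.push(...c.components);
  }
  // Sort by name so CI output is stable between runs.
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

const findings = auditBom(SAMPLE_BOM);
for (const f of findings) {
  console.error(`incomplete component: ${f.name} lacks ${f.missing.join(', ')}`);
}
```

In a pipeline, pass the result of JSON.parse on the file written to outputDir instead of SAMPLE_BOM, and fail the job when the returned array is non-empty.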