Gathering detailed insights and metrics for lockfile-lint
Gathering detailed insights and metrics for lockfile-lint
Lint an npm or yarn lockfile to analyze and detect security issues
Installations
npm install lockfile-lintDeveloper Guide
BETA
Typescript
No
Module System
N/A
Min. Node Version
>=16.0.0
Node Version
18.20.8
NPM Version
10.8.2
Score
92.2
Supply Chain
98.8
Quality
83.6
Maintenance
100
Vulnerability
99.6
License
Releases
15
lockfile-lint-api@5.9.2
lockfile-lint-api@5.9.2
Updated on Apr 27, 2025
lockfile-lint@4.14.1
lockfile-lint@4.14.1
Updated on Apr 27, 2025
lockfile-lint@4.14.0
lockfile-lint@4.14.0
Updated on Jun 14, 2024
lockfile-lint@4.13.2
lockfile-lint@4.13.2
Updated on Feb 21, 2024
lockfile-lint-api@5.9.1
lockfile-lint-api@5.9.1
Updated on Feb 11, 2024
lockfile-lint@4.13.1
lockfile-lint@4.13.1
Updated on Feb 11, 2024
Languages
2
JavaScript
Shell
JavaScript (99.69%)
Shell (0.31%)
Developer
lirantal
Download Statistics
Total Downloads
21,902,422
Last Day
26,935
Last Week
152,707
Last Month
679,841
Last Year
6,571,156
GitHub Statistics
Apache-2.0 License
793 Stars
283 Commits
36 Forks
9 Watchers
14 Branches
36 Contributors
Updated on May 13, 2025
Maintainers
2
Package Meta Information
Latest Version
4.14.1
Package Id
lockfile-lint@4.14.1
Unpacked Size
37.10 kB
Size
10.76 kB
File Count
7
NPM Version
10.8.2
Node Version
18.20.8
Published on
Apr 27, 2025
Total Downloads
Cumulative downloads
Total Downloads
21,902,422
Last Day
-4.5%
26,935
Compared to previous day
Last Week
1.3%
152,707
Compared to previous week
Last Month
14.5%
679,841
Compared to previous month
Last Year
50.3%
6,571,156
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
5
Dev Dependencies
19
babel-eslintbabel-plugin-syntax-async-functionsbabel-plugin-transform-regeneratorbabel-preset-envbabel-preset-es2015doccodoxdoxeslinteslint-config-standardeslint-plugin-importeslint-plugin-jesteslint-plugin-nodeeslint-plugin-promiseeslint-plugin-securityeslint-plugin-standardjestopen-cliprettier-standardsemver
lockfile-lint
A CLI to lint a lockfile for security policies
About
A CLI tool to lint a lockfile for security policies
Install
1npm install --save lockfile-lint
Usage
lockfile-lint can be installed per a project scope, or globally and exposes a lockfile-lint executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.
1lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>
Supported lockfiles:
- npm's
package-lock.jsonandnpm-shrinkwrap.json - yarn's
yarn.lock
Example
An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:
1DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm
Example 2: specify hostnames and enforce the use of HTTPS as a protocol
1lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
--type yarnis ommitted since lockfile-lint can figure it out on it's own--allowed-hostsexplicitly set to match yarn's mirror host
Example 3: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the git+https: as a valid URI scheme
1lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"
--allowed-hostsexplicitly set to match github.com as a host and specifiesyarnas the alias for yarn's official mirror host--allowed-schemesis used instead ofvalidate-httpsand it explicitly allows bothhttps:andgit+https:as the HTTP Scheme for the github URL. Note that--allowed-schemesand--validate-httpsare mutually exclusive.
Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the --allowed-urls option while all other packages must resolve to yarn as specified by --allowed-hosts
1lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2
--allowed-hostsallows packages from yarn only--allowed-urlsoverridesallowed-hostsand allows a specific Github URL to pass validation
CLI command options
| command line argument | description | implemented |
|---|---|---|
--path, -p | path to the lockfile but you can also provide a glob matching pattern as long as it isn't expanded by a shell like bash or zsh. If that's the case, you can provide it as a string, for example: -p '/Users/lirantal/repos/**/package-lock.json' to match multiple lockfiles | ✅ |
--type, -t | lockfile type, options are npm or yarn | ✅ |
--format, -f | sets what type of report output is desired, one of [ pretty, plain ] with plain removing colors & status symbols from output | ✅ |
--validate-https, -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ |
--allowed-hosts, -a | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are npm, yarn, and verdaccio which will match URLs https://registry.npmjs.org, https://registry.yarnpkg.com and https://registry.verdaccio.org respectively | ✅ |
--allowed-schemes, -o | allowed URI schemes such as "https:", "http", "git+ssh:", or "git+https:" | ✅ |
--allowed-urls, -u | allowed URLs (e.g. https://github.com/some-org/some-repo#some-hash) | ✅ |
--empty-hostname, -e | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ |
--validate-package-names, -n | validates that the resolved URL matches the package name | ✅ |
--validate-integrity, -i | validates the integrity field is a sha512 hash | ✅ |
--allowed-package-name-aliases, -l | allow package name aliases to be used by specifying package name and their alias as pairs (e.g: string-width-cjs:string-width) | ✅ |
--integrity-exclude | exclude packages from the --validate-integrity check | ✅ |
File-Based Configuration
Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):
- A "lockfile-lint" key in your package.json file.
- A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).
- A .lockfile-lintrc.js or lockfile-lint.config.js file that exports an object.
The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.
The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").
References
- This package aliasing article explains the rational for error reporting on package aliases in lockfiles.
- Why npm lockfiles can be a security blindspot for injecting malicious modules
Contributing
Please consult CONTRIBUTING for guidelines on contributing to this project.
Author
lockfile-lint © Liran Tal, Released under the Apache-2.0 License.
No vulnerabilities found.
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:18
- Info: 0 out of 4 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 2 out of 3 npmCommand dependencies pinned
Reason
Found 5/23 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:14
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: found token with 'none' permissions: .github/workflows/release.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 15 are checked with a SAST tool
Reason
34 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
- Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
- Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
- Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
- Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
- Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
- Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
- Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
- Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
- Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
- Warn: Project is vulnerable to: GHSA-vfrc-7r7c-w9mx
- Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq
- Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
- Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
- Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
- Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Score
4.4
/10
Last Scanned on 2025-05-05
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More