Lint an npm or yarn lockfile to analyze and detect security issues
Installations
npm install lockfile-lint
Developer Guide
Typescript
No
Module System
N/A
Min. Node Version
>=16.0.0
Node Version
18.20.3
NPM Version
10.7.0
Score
67.6
Supply Chain
98.8
Quality
79.9
Maintenance
100
Vulnerability
99.6
License
Releases
lockfile-lint@4.14.0
Published on 14 Jun 2024
lockfile-lint@4.13.2
Published on 21 Feb 2024
lockfile-lint-api@5.9.1
Published on 11 Feb 2024
lockfile-lint@4.13.1
Published on 11 Feb 2024
lockfile-lint@4.13.0
Published on 11 Feb 2024
lockfile-lint-api@5.9.0
Published on 11 Feb 2024
Languages
JavaScript (99.69%)
Shell (0.31%)
Developer
lirantal
Download Statistics
Total Downloads
19,403,171
Last Day
8,009
Last Week
93,034
Last Month
799,956
Last Year
5,800,905
GitHub Statistics
788 Stars
277 Commits
35 Forks
9 Watching
14 Branches
35 Contributors
Package Meta Information
Latest Version
4.14.0
Package Id
lockfile-lint@4.14.0
Unpacked Size
36.78 kB
Size
10.62 kB
File Count
7
NPM Version
10.7.0
Node Version
18.20.3
Published On
14 Jun 2024
Total Downloads
Cumulative downloads: 19,403,171
period | downloads | change compared to previous period |
---|---|---|
Last day | 8,009 | -77.4% |
Last week | 93,034 | -52.3% |
Last month | 799,956 | 12.1% |
Last year | 5,800,905 | 34.1% |
Dependencies
5
Dev Dependencies
19
lockfile-lint
A CLI to lint a lockfile for security policies
About
A CLI tool to lint a lockfile for security policies
Install
```shell
npm install --save lockfile-lint
```
Usage
lockfile-lint can be installed per project scope or globally. It exposes a `lockfile-lint` executable that should be run during builds, CI pipelines, and general static code analysis procedures to ensure that lockfiles conform to pre-defined security and usage policies.
```shell
lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>
```
Supported lockfiles:
- npm's `package-lock.json` and `npm-shrinkwrap.json`
- yarn's `yarn.lock`
Example
An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:
```shell
DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm
```
Example 2: specify hostnames and enforce the use of HTTPS as a protocol
```shell
lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
```
- `--type yarn` is omitted since lockfile-lint can figure it out on its own
- `--allowed-hosts` is explicitly set to match yarn's mirror host
Example 3: allow the lockfile to contain packages served from GitHub, which requires specifying github.com as a host as well as `git+https:` as a valid URI scheme
```shell
lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"
```
- `--allowed-hosts` is explicitly set to match github.com as a host and specifies `yarn` as the alias for yarn's official mirror host
- `--allowed-schemes` is used instead of `--validate-https` and explicitly allows both `https:` and `git+https:` as the scheme for the GitHub URL. Note that `--allowed-schemes` and `--validate-https` are mutually exclusive.
Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the `--allowed-urls` option, while all other packages must resolve to yarn as specified by `--allowed-hosts`
```shell
lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2
```
- `--allowed-hosts` allows packages from yarn only
- `--allowed-urls` overrides `--allowed-hosts` and allows a specific GitHub URL to pass validation
CLI command options
command line argument | description | implemented |
---|---|---|
--path , -p | path to the lockfile; a glob matching pattern is also accepted as long as it isn't expanded by a shell like bash or zsh. If it would be, quote it as a string, for example: -p '/Users/lirantal/repos/**/package-lock.json' to match multiple lockfiles | ✅ |
--type , -t | lockfile type, options are npm or yarn | ✅ |
--format , -f | sets what type of report output is desired, one of [ pretty , plain ] with plain removing colors & status symbols from output | ✅ |
--validate-https , -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ |
--allowed-hosts , -a | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are npm , yarn , and verdaccio which will match URLs https://registry.npmjs.org , https://registry.yarnpkg.com and https://registry.verdaccio.org respectively | ✅ |
--allowed-schemes , -o | allowed URI schemes such as "https:", "http:", "git+ssh:", or "git+https:" | ✅ |
--allowed-urls , -u | allowed URLs (e.g. https://github.com/some-org/some-repo#some-hash ) | ✅ |
--empty-hostname , -e | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ |
--validate-package-names , -n | validates that the resolved URL matches the package name | ✅ |
--validate-integrity , -i | validates the integrity field is a sha512 hash | ✅ |
--allowed-package-name-aliases , -l | allow package name aliases to be used by specifying package name and their alias as pairs (e.g: string-width-cjs:string-width ) | ✅ |
--integrity-exclude | exclude packages from the --validate-integrity check | ✅ |
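To make the policies in the table above concrete, here is an added example (not code from the lockfile-lint project, whose real checks live in lockfile-lint-api): a stand-alone re-implementation of the host, scheme, allowed-URL, package-name and integrity checks, run over a constructed `package-lock.json` (lockfileVersion 3 layout) whose entries each break a different policy. The sample lockfile, its hashes and the `mirror.example.invalid` host are constructed; the allowed URL is the one from Example 4. The name check's treatment of git URLs is a simplification of this example, not the project's behaviour.

```javascript
// Added example (not the lockfile-lint project's code): a stand-alone
// re-implementation of the policies behind the CLI options above, run over a
// constructed package-lock.json (lockfileVersion 3). The project's real checks
// live in lockfile-lint-api; this only shows what each policy catches.

// Short-hand aliases exactly as documented for --allowed-hosts.
const HOST_ALIASES = {
  npm: 'registry.npmjs.org',
  yarn: 'registry.yarnpkg.com',
  verdaccio: 'registry.verdaccio.org',
};

// The allowed URL from Example 4 above.
const GIT_URL = 'https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2';

// Constructed lockfile: 'debug' is clean, each other registry entry breaks one
// or two policies (foreign host, plain http, name/URL mismatch, non-sha512
// hash), and the GitHub entry is admissible only via an explicit allowed URL.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/debug': {
      resolved: 'https://registry.npmjs.org/debug/-/debug-4.3.4.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    'node_modules/left-pad': {
      resolved: 'https://mirror.example.invalid/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-' + 'B'.repeat(86) + '==',
    },
    'node_modules/ms': {
      resolved: 'http://registry.npmjs.org/ms/-/ms-2.1.3.tgz',
      integrity: 'sha512-' + 'C'.repeat(86) + '==',
    },
    'node_modules/lodash': {
      resolved: 'https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz',
      integrity: 'sha1-' + 'D'.repeat(27) + '=',
    },
    'node_modules/lockfile-lint': { resolved: GIT_URL },
  },
});

// Flatten the v3 "packages" map into {name, resolved, integrity} records. The
// name is whatever follows the last "node_modules/" (nested and scoped packages
// included); the root entry ('') is the project itself, not a dependency.
function parseLockfile(text) {
  const records = [];
  for (const [key, entry] of Object.entries(JSON.parse(text).packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    records.push({ name: key.slice(idx + 'node_modules/'.length),
      resolved: entry.resolved, integrity: entry.integrity });
  }
  return records;
}

// Apply a policy object (keys mirror the CLI options) and return findings.
function lintLockfile(text, policy) {
  if (policy.validateHttps && policy.allowedSchemes) {
    throw new Error('--validate-https and --allowed-schemes are mutually exclusive');
  }
  const schemes = policy.validateHttps ? ['https:'] : policy.allowedSchemes || null;
  const hosts = (policy.allowedHosts || []).map((h) => HOST_ALIASES[h] || h);
  const allowedUrls = new Set(policy.allowedUrls || []);
  const findings = [];
  for (const pkg of parseLockfile(text)) {
    if (!pkg.resolved) continue; // nothing to judge (e.g. a workspace link)
    const url = new URL(pkg.resolved);
    const exempt = allowedUrls.has(pkg.resolved); // vetted one-off exception
    if (!exempt && hosts.length && !hosts.includes(url.hostname)) {
      findings.push({ name: pkg.name, rule: 'allowed-hosts', detail: url.hostname });
    }
    if (!exempt && schemes && !schemes.includes(url.protocol)) {
      findings.push({ name: pkg.name, rule: 'allowed-schemes', detail: url.protocol });
    }
    // Registry tarballs live at /<name>/-/<name>-<version>.tgz, so a URL that
    // names a different package is a substitution red flag. Simplification of
    // this example: git URLs and exempted URLs are not name-checked.
    if (policy.validatePackageNames && !exempt && !url.protocol.startsWith('git')
        && !url.pathname.startsWith(`/${pkg.name}/-/`)) {
      findings.push({ name: pkg.name, rule: 'validate-package-names', detail: url.pathname });
    }
    // Integrity must be a sha512 SRI value (only checked where the field exists).
    if (policy.validateIntegrity && pkg.integrity !== undefined
        && !/^sha512-[A-Za-z0-9+/]+={0,2}$/.test(pkg.integrity)) {
      findings.push({ name: pkg.name, rule: 'validate-integrity', detail: pkg.integrity.split('-')[0] });
    }
  }
  return findings;
}

// Equivalent of: --allowed-hosts npm --validate-https --allowed-urls <GIT_URL>
// --validate-package-names --validate-integrity
const POLICY = { allowedHosts: ['npm'], validateHttps: true, allowedUrls: [GIT_URL],
  validatePackageNames: true, validateIntegrity: true };

for (const f of lintLockfile(SAMPLE_LOCKFILE, POLICY)) {
  console.log(`${f.name}: violates ${f.rule} (${f.detail})`);
}
```

Run with `node`: the clean `debug` entry and the explicitly allowed GitHub URL produce no output, while `left-pad` (foreign host), `ms` (plain `http:`), and `lodash` (tarball named `lodash-es`, sha1 integrity) are each reported. Dropping the allowed URL from the policy makes the GitHub entry fail the host and name checks too, which is exactly the override the `--allowed-urls` option exists for.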
File-Based Configuration
Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):
- A "lockfile-lint" key in your package.json file.
- A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).
- A .lockfile-lint.js or lockfile-lint.config.js file that exports an object.
- A .lockfile-lint.toml file, written in TOML (the .toml extension is required).
The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.
The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").
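As an added example (not from the lockfile-lint project), a `lockfile-lint.config.js` file placed at the repository root that expresses a typical npm policy with the camelCase keys described above. The chosen values are assumptions for illustration; the key names follow from the CLI options in the table.

```javascript
// Added example (not from the lockfile-lint project): lockfile-lint.config.js
// at the repository root. Keys are the camelCase forms of the CLI options;
// the values below are assumptions for a typical npm project.
const config = {
  path: 'package-lock.json',
  type: 'npm',
  // Equivalent to --validate-https. Do not add allowedSchemes alongside it:
  // the two options are mutually exclusive.
  validateHttps: true,
  // Short-hand alias for https://registry.npmjs.org
  allowedHosts: ['npm'],
  // Resolved URL must name the package, and integrity must be sha512.
  validatePackageNames: true,
  validateIntegrity: true,
  // Alias pairs in the name:alias form shown in the options table.
  allowedPackageNameAliases: ['string-width-cjs:string-width'],
};

module.exports = config;
```

With this file in place, running `lockfile-lint` with no arguments from the project directory applies the policy; any flag passed on the command line still takes precedence over the corresponding key in the file.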
Contributing
Please consult CONTRIBUTING for guidelines on contributing to this project.
Author
lockfile-lint © Liran Tal, Released under the Apache-2.0 License.
No vulnerabilities found.
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:18
- Info: 0 out of 4 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 2 out of 3 npmCommand dependencies pinned
Reason
Found 4/23 approved changesets -- score normalized to 1
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:14
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: found token with 'none' permissions: .github/workflows/release.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 17 are checked with a SAST tool
Reason
32 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
- Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
- Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
- Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
- Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
- Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
- Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
- Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
- Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
- Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
- Warn: Project is vulnerable to: GHSA-vfrc-7r7c-w9mx
- Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq
- Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
- Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
- Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
- Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Score
3.8/10
Last Scanned on 2024-12-16
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.