Gathering detailed insights and metrics for lockfile-lint-api
Gathering detailed insights and metrics for lockfile-lint-api
Lint an npm or yarn lockfile to analyze and detect security issues
Installations
npm install lockfile-lint-apiDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=16.0.0
Node Version
18.19.0
NPM Version
10.2.3
Score
86.8
Supply Chain
99.4
Quality
80
Maintenance
100
Vulnerability
100
License
Releases
13
lockfile-lint@4.14.0
lockfile-lint@4.14.0
Published on 14 Jun 2024
lockfile-lint@4.13.2
lockfile-lint@4.13.2
Published on 21 Feb 2024
lockfile-lint-api@5.9.1
lockfile-lint-api@5.9.1
Published on 11 Feb 2024
lockfile-lint@4.13.1
lockfile-lint@4.13.1
Published on 11 Feb 2024
lockfile-lint@4.13.0
lockfile-lint@4.13.0
Published on 11 Feb 2024
lockfile-lint-api@5.9.0
lockfile-lint-api@5.9.0
Published on 11 Feb 2024
Contributors
35
Unable to fetch Contributors
Languages
2
JavaScript
Shell
JavaScript (99.69%)
Shell (0.31%)
Developer
lirantal
Download Statistics
Total Downloads
19,493,344
Last Day
7,997
Last Week
160,705
Last Month
848,312
Last Year
5,885,184
GitHub Statistics
788 Stars
277 Commits
35 Forks
9 Watching
14 Branches
35 Contributors
Maintainers
2
Package Meta Information
Latest Version
5.9.1
Package Id
lockfile-lint-api@5.9.1
Unpacked Size
41.68 kB
Size
11.80 kB
File Count
13
NPM Version
10.2.3
Node Version
18.19.0
Publised On
11 Feb 2024
Total Downloads
Cumulative downloads
Total Downloads
19,493,344
Last day
-34.1%
7,997
Compared to previous day
Last week
-25.1%
160,705
Compared to previous week
Last month
22.4%
848,312
Compared to previous month
Last year
34.6%
5,885,184
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
3
Dev Dependencies
18
babel-eslintbabel-plugin-syntax-async-functionsbabel-plugin-transform-regeneratorbabel-preset-envbabel-preset-es2015doccodoxdoxeslinteslint-config-standardeslint-plugin-importeslint-plugin-jesteslint-plugin-nodeeslint-plugin-promiseeslint-plugin-securityeslint-plugin-standardjestopen-cliprettier-standard
Versions
lockfile-lint-api
Lint an npm or yarn lockfile to analyze and detect issues
About
Lints an npm or yarn lockfile to analyze and detect issues
Install
1npm install --save lockfile-lint-api
Usage
lockfile-lint-api exposes a set of validator APIs that can be used for programmatic use-cases, such as being employed by other tools and programs if needed.
Validators
The following lockfile validators are supported
| Validator API | description | implemented |
|---|---|---|
| ValidateHttps | validates the use of HTTPS as protocol schema for all resources | ✅ |
| ValidateHost | validates a whitelist of allowed hosts to be used for resources in the lockfile | ✅ |
| ValidatePackageNames | validates that the resolved URL matches the package name | ✅ |
| ValidateScheme | validates a whitelist of allowed URI schemes to be used for hosts | ✅ |
| ValidateIntegrity | validates that the integrity hash type is sha512 | ✅ |
NOTE: package entries without a resolved field (for example, those installed from the local filesystem) will automatically pass all url-based validators.
Success and failures
When validators encounter errors they will throw an exception, and on either success or failure in validating data they will always return a descriptive object for the validation task.
Successful validation
When validation is successful the following object will be returned from the validating function:
1{ 2 "type": "success", 3 "errors": [] 4}
Failed validation
When validation has failed the following object will be returned from the validating function:
1{ 2 "type": "error", 3 "errors": [ 4 { 5 "package": "@babel/cli", 6 "message": "detected invalid origin for package: @babel/cli" 7 } 8 ] 9}
Notes about the returned object:
- An errors object will always return an array of errors metadata, even if there's only one error associated with the validation being performed
- All errors should always have a message
- The availability of the
packageproperty and other metadata depends on the specific validators being used
Example
1const validator = new ValidateHost({packages: lockfile.object}) 2let result 3try { 4 result = validator.validate(['npm']) 5} catch (error) { 6 // something bad happened during validation and the validation 7 // process couldn't take place 8} 9 10console.log(result) 11/* prints 12{ 13 "type": "error", 14 "errors": [ 15 { 16 "message": "detected invalid origin for package: meow", 17 "package": "meow" 18 } 19 ] 20} 21*/
Example
1const {ValidateHost, ParseLockfile} = require('lockfile-lint-api') 2 3// path to the lockfile 4const yarnLockfilePath = '/path/to/my/yarn.lock' 5const options = { 6 lockfilePath: yarnLockfilePath 7} 8 9// instantiate a new parser with options object 10const parser = new ParseLockfile(options) 11 12// read the file synchronously and parses it 13// providing back an object that is compatible 14// with the @yarn/lockfile library which has 15// all the packages listed in `lockfile.object` 16const lockfile = parser.parseSync() 17 18// now instantiate a validator object with those 19// list of packages 20const validator = new ValidateHost({packages: lockfile.object}) 21let result 22try { 23 // validation is synchronous and is being called 24 // with 'npm' as a shortcut for the npm registry 25 // host to validate all lockfile resources are 26 // whitelisted to the npm host 27 result = validator.validate(['npm']) 28} catch (error) { 29 // couldn't process the validation 30} 31 32if (result.type === 'success') { 33 // validation succeeded 34}
Contributing
Please consult CONTRIBUTING for guidelines on contributing to this project.
Author
lockfile-lint-api © Liran Tal, Released under the Apache-2.0 License.
No vulnerabilities found.
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:18
- Info: 0 out of 4 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 2 out of 3 npmCommand dependencies pinned
Reason
Found 4/23 approved changesets -- score normalized to 1
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:14
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: found token with 'none' permissions: .github/workflows/release.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 17 are checked with a SAST tool
Reason
32 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
- Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
- Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
- Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
- Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
- Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
- Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
- Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
- Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
- Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
- Warn: Project is vulnerable to: GHSA-vfrc-7r7c-w9mx
- Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq
- Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
- Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
- Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
- Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Score
3.8
/10
Last Scanned on 2024-12-16
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More