Gathering detailed insights and metrics for lockfile-lint-api
Gathering detailed insights and metrics for lockfile-lint-api
Lint an npm or yarn lockfile to analyze and detect security issues
Installations
npm install lockfile-lint-apiDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=16.0.0
Node Version
18.20.8
NPM Version
10.8.2
Releases
15
lockfile-lint-api@5.9.2
lockfile-lint-api@5.9.2
Updated on Apr 27, 2025
lockfile-lint@4.14.1
lockfile-lint@4.14.1
Updated on Apr 27, 2025
lockfile-lint@4.14.0
lockfile-lint@4.14.0
Updated on Jun 14, 2024
lockfile-lint@4.13.2
lockfile-lint@4.13.2
Updated on Feb 21, 2024
lockfile-lint-api@5.9.1
lockfile-lint-api@5.9.1
Updated on Feb 11, 2024
lockfile-lint@4.13.1
lockfile-lint@4.13.1
Updated on Feb 11, 2024
Languages
2
JavaScript
Shell
JavaScript (99.69%)
Shell (0.31%)
Developer
lirantal
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
807 Stars
283 Commits
36 Forks
9 Watchers
14 Branches
36 Contributors
Updated on Jun 27, 2025
Maintainers
2
Package Meta Information
Latest Version
5.9.2
Package Id
lockfile-lint-api@5.9.2
Unpacked Size
41.68 kB
Size
11.80 kB
File Count
13
NPM Version
10.8.2
Node Version
18.20.8
Published on
Apr 27, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
3
Dev Dependencies
18
babel-eslintbabel-plugin-syntax-async-functionsbabel-plugin-transform-regeneratorbabel-preset-envbabel-preset-es2015doccodoxdoxeslinteslint-config-standardeslint-plugin-importeslint-plugin-jesteslint-plugin-nodeeslint-plugin-promiseeslint-plugin-securityeslint-plugin-standardjestopen-cliprettier-standard
lockfile-lint-api
Lint an npm or yarn lockfile to analyze and detect issues
About
Lints an npm or yarn lockfile to analyze and detect issues
Install
1npm install --save lockfile-lint-api
Usage
lockfile-lint-api exposes a set of validator APIs that can be used for programmatic use-cases, such as being employed by other tools and programs if needed.
Validators
The following lockfile validators are supported
| Validator API | description | implemented |
|---|---|---|
| ValidateHttps | validates the use of HTTPS as protocol schema for all resources | ✅ |
| ValidateHost | validates a whitelist of allowed hosts to be used for resources in the lockfile | ✅ |
| ValidatePackageNames | validates that the resolved URL matches the package name | ✅ |
| ValidateScheme | validates a whitelist of allowed URI schemes to be used for hosts | ✅ |
| ValidateIntegrity | validates that the integrity hash type is sha512 | ✅ |
NOTE: package entries without a resolved field (for example, those installed from the local filesystem) will automatically pass all url-based validators.
Success and failures
When validators encounter errors they will throw an exception, and on either success or failure in validating data they will always return a descriptive object for the validation task.
Successful validation
When validation is successful the following object will be returned from the validating function:
1{ 2 "type": "success", 3 "errors": [] 4}
Failed validation
When validation has failed the following object will be returned from the validating function:
1{ 2 "type": "error", 3 "errors": [ 4 { 5 "package": "@babel/cli", 6 "message": "detected invalid origin for package: @babel/cli" 7 } 8 ] 9}
Notes about the returned object:
- An errors object will always return an array of errors metadata, even if there's only one error associated with the validation being performed
- All errors should always have a message
- The availability of the
packageproperty and other metadata depends on the specific validators being used
Example
1const validator = new ValidateHost({packages: lockfile.object}) 2let result 3try { 4 result = validator.validate(['npm']) 5} catch (error) { 6 // something bad happened during validation and the validation 7 // process couldn't take place 8} 9 10console.log(result) 11/* prints 12{ 13 "type": "error", 14 "errors": [ 15 { 16 "message": "detected invalid origin for package: meow", 17 "package": "meow" 18 } 19 ] 20} 21*/
Example
1const {ValidateHost, ParseLockfile} = require('lockfile-lint-api') 2 3// path to the lockfile 4const yarnLockfilePath = '/path/to/my/yarn.lock' 5const options = { 6 lockfilePath: yarnLockfilePath 7} 8 9// instantiate a new parser with options object 10const parser = new ParseLockfile(options) 11 12// read the file synchronously and parses it 13// providing back an object that is compatible 14// with the @yarn/lockfile library which has 15// all the packages listed in `lockfile.object` 16const lockfile = parser.parseSync() 17 18// now instantiate a validator object with those 19// list of packages 20const validator = new ValidateHost({packages: lockfile.object}) 21let result 22try { 23 // validation is synchronous and is being called 24 // with 'npm' as a shortcut for the npm registry 25 // host to validate all lockfile resources are 26 // whitelisted to the npm host 27 result = validator.validate(['npm']) 28} catch (error) { 29 // couldn't process the validation 30} 31 32if (result.type === 'success') { 33 // validation succeeded 34}
Contributing
Please consult CONTRIBUTING for guidelines on contributing to this project.
Author
lockfile-lint-api © Liran Tal, Released under the Apache-2.0 License.
Moderate
8.3/10
Summary
lockfile-lint-api Vulnerable to Incorrect Behavior Order
Affected Versions
< 5.9.2
Patched Versions
5.9.2
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/lirantal/lockfile-lint/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:18
- Info: 0 out of 4 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 2 out of 3 npmCommand dependencies pinned
Reason
Found 5/23 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:14
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: found token with 'none' permissions: .github/workflows/release.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 15 are checked with a SAST tool
Reason
36 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
- Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
- Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
- Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
- Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
- Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
- Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
- Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
- Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
- Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
- Warn: Project is vulnerable to: GHSA-vfrc-7r7c-w9mx
- Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq
- Warn: Project is vulnerable to: GHSA-7cfr-5cjf-32p4
- Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
- Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
- Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
- Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Score
4.4
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More