npmpackage.info

Gathering detailed insights and metrics for lockfile-lint

Other packages similar to lockfile-lint

lockfile-lint-api

5.9.2

Lint an npm or yarn lockfile to analyze and detect issues

@types/lockfile-lint-api

5.1.5

TypeScript definitions for lockfile-lint-api

package-lock-version

1.0.3

Check and assert the package-lock.json version

@teamteanpm2024/cupiditate-voluptas-perspiciatis

0.0.1-security.0

security holding package

Gathering detailed insights and metrics for lockfile-lint

lockfile-lint - 4.14.1 | npmpackage.info

lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues

4.14.1

798

Apache-2.0

JavaScript

37.10 kB

22,307,661 4.5

Installations

npm install lockfile-lint

Developer Guide

BETA

Typescript

No

Module System

N/A

Min. Node Version

>=16.0.0

Node Version

18.20.8

NPM Version

10.8.2 Score

92.2

Supply Chain

98.8

Quality

81.2

Maintenance

100

Vulnerability

99.6

License

Pull Requests

Open

0

Total

127

Closed

14

Merged

113

Issues

Open

3

Total

79

Closed

76

Releases

lockfile-lint-api@5.9.2

Updated on Apr 27, 2025

lockfile-lint@4.14.1

Updated on Apr 27, 2025

lockfile-lint@4.14.0

Updated on Jun 14, 2024

lockfile-lint@4.13.2

Updated on Feb 21, 2024

lockfile-lint-api@5.9.1

Updated on Feb 11, 2024

lockfile-lint@4.13.1

Updated on Feb 11, 2024

View All 15 releases

Languages

JavaScript

Shell

JavaScript (99.69%)

Shell (0.31%)

Developer

lirantal

Download Statistics

Total Downloads

22,307,661

Last Day

12,554

Last Week

164,702

Last Month

688,485

Last Year

6,769,980

GitHub Statistics

Apache-2.0 License

798 Stars

283 Commits

36 Forks

9 Watchers

14 Branches

36 Contributors

Updated on May 29, 2025

Maintainers

View All 36 Contributors

Package Meta Information

Latest Version

4.14.1

Package Id

lockfile-lint@4.14.1

Unpacked Size

37.10 kB

Size

10.76 kB

File Count

NPM Version

10.8.2

Node Version

18.20.8

Published on

Apr 27, 2025

Total Downloads

Cumulative downloads

Total Downloads

22,307,661

Last Day

-10.7%

12,554

Compared to previous day

Last Week

-8%

164,702

Compared to previous week

Last Month

-1.8%

688,485

Compared to previous month

Last Year

54.9%

6,769,980

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

lockfile-lint

A CLI to lint a lockfile for security policies

About

A CLI tool to lint a lockfile for security policies

Install

1npm install --save lockfile-lint

Usage

lockfile-lint can be installed per a project scope, or globally and exposes a lockfile-lint executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.

1lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>

Supported lockfiles:

npm's package-lock.json and npm-shrinkwrap.json
yarn's yarn.lock

Example

An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:

1DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm

Example 2: specify hostnames and enforce the use of HTTPS as a protocol

1lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https

--type yarn is ommitted since lockfile-lint can figure it out on it's own
--allowed-hosts explicitly set to match yarn's mirror host

Example 3: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the git+https: as a valid URI scheme

1lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"

--allowed-hosts explicitly set to match github.com as a host and specifies yarn as the alias for yarn's official mirror host
--allowed-schemes is used instead of validate-https and it explicitly allows both https: and git+https: as the HTTP Scheme for the github URL. Note that --allowed-schemes and --validate-https are mutually exclusive.

Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the --allowed-urls option while all other packages must resolve to yarn as specified by --allowed-hosts

1lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2

--allowed-hosts allows packages from yarn only
--allowed-urls overrides allowed-hosts and allows a specific Github URL to pass validation

CLI command options

command line argument	description	implemented
`--path`, `-p`	path to the lockfile but you can also provide a glob matching pattern as long as it isn't expanded by a shell like bash or zsh. If that's the case, you can provide it as a string, for example: `-p '/Users/lirantal/repos/**/package-lock.json'` to match multiple lockfiles	✅
`--type`, `-t`	lockfile type, options are `npm` or `yarn`	✅
`--format`, `-f`	sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output	✅
`--validate-https`, `-s`	validates the use of HTTPS as protocol schema for all resources in the lockfile	✅
`--allowed-hosts`, `-a`	validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively	✅
`--allowed-schemes`, `-o`	allowed URI schemes such as "https:", "http", "git+ssh:", or "git+https:"	✅
`--allowed-urls`, `-u`	allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`)	✅
`--empty-hostname`, `-e`	allow empty hostnames, or set to false if you wish for a stricter policy	✅
`--validate-package-names`, `-n`	validates that the resolved URL matches the package name	✅
`--validate-integrity`, `-i`	validates the integrity field is a sha512 hash	✅
`--allowed-package-name-aliases`, `-l`	allow package name aliases to be used by specifying package name and their alias as pairs (e.g: `string-width-cjs:string-width`)	✅
`--integrity-exclude`	exclude packages from the `--validate-integrity` check	✅

File-Based Configuration

Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):

A "lockfile-lint" key in your package.json file.
A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).
A .lockfile-lintrc.js or lockfile-lint.config.js file that exports an object.

The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.

The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").

References

This package aliasing article explains the rational for error reporting on package aliases in lockfiles.
Why npm lockfiles can be a security blindspot for injecting malicious modules

Contributing

Please consult CONTRIBUTING for guidelines on contributing to this project.

Author

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Security-Policy

Determines if the project has published a security policy.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

6

Maintained

Determines if the project is "actively maintained".

3

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

2

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Score

4.5

/10

Last Scanned on 2025-05-26

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to lockfile-lint

Other packages similar to lockfile-lint

lockfile-lint

Installations

Developer Guide

No

N/A

>=16.0.0

18.20.8

10.8.2

Score

Pull Requests

0

127

14

113

Issues

3

79

76

Releases

Languages

Developer

lirantal

Download Statistics

GitHub Statistics

Maintainers

Package Meta Information

Total Downloads

22,307,661

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

lockfile-lint

About

Install

Usage

Example

CLI command options

File-Based Configuration

References

Contributing

Author

10

10

10

10

6

3

2

0

0

0

0

0

4.5

/10