@amedia/lockfile-lint-config

Shared lockfile-lint configuration helper for Amedia projects

Source: npm
Version: 2.0.0 (latest)
Maintainers: 112

@amedia/lockfile-lint-config

Shared lockfile-lint configuration helper for Amedia projects. Mirrors the @amedia/eslint-config pattern: ship a tiny lockfile-lint.config.js that calls a factory and gets sensible defaults plus the ability to extend.

Install

npm install --save-dev @amedia/lockfile-lint-config

Use

// lockfile-lint.config.js
import { lockfileLintConfig } from '@amedia/lockfile-lint-config';

export default lockfileLintConfig();

The runner @amedia/kragl-lockfile-lint discovers this file via cosmiconfig and merges it through lockfileLintConfig() before invoking lockfile-lint. The same merge applies regardless of config format — JS, JSON, YAML, rc, or a "lockfile-lint" key in package.json all compose with the defaults the same way:

// .lockfile-lintrc.json — equivalent to the JS example below
// (plain JSON: no trailing commas, no comments in the real file)
{
  "allowed-package-name-aliases": ["my-pkg-cjs:my-pkg"]
}

// lockfile-lint.config.js — equivalent to the JSON example above
import { lockfileLintConfig } from '@amedia/lockfile-lint-config';
export default lockfileLintConfig({
  'allowed-package-name-aliases': ['my-pkg-cjs:my-pkg'],
});

Static configs (JSON/YAML/rc) cannot call the helper themselves, but the runner applies the same merge logic on their behalf, so the defaults are never silently dropped.

Extending the defaults

lockfileLintConfig(overrides) merges your overrides on top of the defaults. The merge strategy is per-key:

  • Array-valued options (allowed-hosts, allowed-schemes, allowed-urls, allowed-package-name-aliases, integrity-exclude) — concatenated with the defaults and deduplicated. You add to the list; you cannot remove from it. If the default value is an array and the override is also an array, the result is [...defaults, ...overrides] (uniq, order preserved).
  • Scalar options (type, validate-package-names, validate-integrity, validate-https, empty-hostname, format, path) — replaced outright by your override. Pass 'validate-package-names': false to turn the check off entirely, etc.
  • Keys not present in the defaults — passed through as-is.

import { lockfileLintConfig } from '@amedia/lockfile-lint-config';

export default lockfileLintConfig({
  // adds to the default trio of cliui aliases
  'allowed-package-name-aliases': ['my-pkg-cjs:my-pkg'],
  // extends ['npm'] → ['npm', 'internal-registry']
  'allowed-hosts': ['internal-registry'],
  // replaces the default `true`
  'validate-package-names': false,
});

If you need to drop one of the defaults (e.g. remove an allowed-package-name-aliases entry), import defaults directly and build the config yourself rather than calling lockfileLintConfig():

import { defaults } from '@amedia/lockfile-lint-config';

export default {
  ...defaults,
  'allowed-package-name-aliases': defaults[
    'allowed-package-name-aliases'
  ].filter((entry) => entry !== 'wrap-ansi-cjs:wrap-ansi'),
};

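The two sections above describe the merge the helper performs (arrays concatenated and deduplicated, scalars replaced, unknown keys passed through) and the escape hatch for dropping a default. The following is an added example, not the package's own source: a stand-alone re-implementation of that per-key merge so the semantics can be checked in isolation. The names mergeLockfileLintConfig, withoutDefaultEntry and loosenedChecks are constructed for this illustration; the DEFAULTS object mirrors the values in the Defaults table below.

```javascript
// Added example: re-implements the README's per-key merge for illustration.
// Not the package's code. DEFAULTS mirrors the README's Defaults table; the
// function names below are constructed for this example.
const DEFAULTS = Object.freeze({
  type: 'npm',
  'allowed-hosts': ['npm'],
  'allowed-schemes': ['https:'],
  'validate-package-names': true,
  'empty-hostname': false,
  'allowed-package-name-aliases': [
    'string-width-cjs:string-width',
    'strip-ansi-cjs:strip-ansi',
    'wrap-ansi-cjs:wrap-ansi',
  ],
});

// Merge overrides on top of defaults, key by key:
//  - default and override both arrays -> [...defaults, ...overrides],
//    deduplicated, original order preserved (you can add, never remove)
//  - default is a scalar               -> the override replaces it outright
//  - key absent from the defaults      -> passed through as-is
function mergeLockfileLintConfig(overrides = {}, defaults = DEFAULTS) {
  const result = { ...defaults };
  for (const [key, value] of Object.entries(overrides)) {
    const base = defaults[key];
    if (Array.isArray(base) && Array.isArray(value)) {
      result[key] = [...new Set([...base, ...value])];
    } else {
      result[key] = value;
    }
  }
  return result;
}

// Removing an entry from an array-valued default cannot go through the merge
// (it only adds), so the final object is built directly from the defaults,
// as the README's `import { defaults }` example does.
function withoutDefaultEntry(key, entry, defaults = DEFAULTS) {
  if (!Array.isArray(defaults[key])) {
    throw new TypeError(`${key} is not an array-valued option`);
  }
  return { ...defaults, [key]: defaults[key].filter((e) => e !== entry) };
}

// Scalar overrides can switch a lockfile-lint check off entirely. This reports
// every validate-* option an override sets to false, so a reviewer can see at
// a glance which integrity checks a project's config has loosened.
function loosenedChecks(overrides = {}) {
  return Object.entries(overrides)
    .filter(([key, value]) => key.startsWith('validate-') && value === false)
    .map(([key]) => key);
}
```

In practice a project would run loosenedChecks over its own overrides in CI and fail the build if the list is non-empty and not explicitly acknowledged, since a lockfile whose hosts, schemes or package names are no longer validated loses most of the protection the tool provides.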
Defaults

Option                          Value
type                            npm
allowed-hosts                   ['npm']
allowed-schemes                 ['https:']
validate-package-names          true
empty-hostname                  false
allowed-package-name-aliases    string-width-cjs:string-width, strip-ansi-cjs:strip-ansi, wrap-ansi-cjs:wrap-ansi

The allowed-package-name-aliases entries silence false positives from @isaacs/cliui — a transitive dep of glob/path-scurry that intentionally aliases CJS/ESM variants of string-width, strip-ansi, and wrap-ansi.

Notes

Requires Node 22+. Pair with @amedia/kragl-lockfile-lint to run on every kragl lint.

Keywords

lockfile-lint

Package last updated on 21 May 2026
