lintlock

CLI for eslint-plugin-lockfile

Version: 1.0.1 (latest)
Source: npm
Maintainers: 1

CLI for linting npm ecosystem lockfiles for security and consistency issues.

A standalone CLI wrapper around eslint-plugin-lockfile that works without any ESLint configuration.

Installation

npm install -g lintlock

Or use with npx:

npx lintlock

Usage

lintlock [options] [lockfile-path]

If no lockfile path is provided, lintlock searches the current directory for lockfiles.

Options

Option              Alias  Description
--flavor <pm>       -f     Allowed package manager(s): npm, yarn, pnpm, bun, vlt. Can be specified multiple times. Defaults to auto-detect.
--registry <url>    -r     Allowed registry URL(s). Can be specified multiple times. Defaults to npm config.
--algorithms <alg>  -a     Allowed integrity hash algorithm(s): sha1, sha256, sha384, sha512. Can be specified multiple times. Defaults to all.
--help                     Show help message

Examples

Basic Usage

Lint lockfile in current directory:

lintlock

Lint a specific lockfile:

lintlock package-lock.json
lintlock /path/to/project/yarn.lock

Restrict Package Managers

Allow only npm lockfiles:

lintlock -f npm

Allow npm or yarn:

lintlock -f npm -f yarn

Restrict Registries

Require packages from the official npm registry:

lintlock -r https://registry.npmjs.org/

Allow multiple registries:

lintlock -r https://registry.npmjs.org/ -r https://npm.pkg.github.com/

Restrict Integrity Algorithms

Require SHA-512 integrity hashes:

lintlock -a sha512

Allow SHA-512 or SHA-384:

lintlock -a sha512 -a sha384

Combined Options

lintlock -f npm -r https://registry.npmjs.org/ -a sha512 package-lock.json

Exit Codes

Code  Description
0     No errors found (warnings are OK)
1     Errors found or execution failed

Supported Lockfiles

Package Manager  Lockfile(s)
npm              package-lock.json, npm-shrinkwrap.json
yarn             yarn.lock
pnpm             pnpm-lock.yaml
bun              bun.lock, bun.lockb
vlt              vlt-lock.json

Rules

The CLI runs the following checks from eslint-plugin-lockfile:

  • flavor - Ensures only allowed lockfile formats are present
  • version - Validates lockfile version
  • integrity - Verifies all packages have valid integrity hashes
  • registry - Ensures packages come from allowed registries
  • non-registry-specifiers - Warns on non-registry dependencies (GitHub, git, file paths)
  • binary-conflicts - Detects binary name conflicts between packages
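
As an added illustration (not code from lintlock or eslint-plugin-lockfile), the following JavaScript shows one way to express what the registry, integrity and non-registry-specifiers checks look for in the packages map of an npm package-lock.json. The function names, the shape of a finding and the sample entries are assumptions constructed for this example.

```javascript
// Added illustration, not lintlock's or eslint-plugin-lockfile's own code.
// Audits the "packages" map of a parsed package-lock.json (lockfileVersion 2/3).
const DIGEST_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };

function auditNpmLock(lock, { registries, algorithms }) {
  // Compare parsed origins, not string prefixes, so a lookalike host such as
  // registry.npmjs.org.example.test cannot satisfy a startsWith() check.
  const allowed = new Set(registries.map((r) => new URL(r).origin));
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry has no tarball
    let url = null;
    try { url = new URL(pkg.resolved); } catch { /* missing or relative path */ }
    if (!url || !/^https?:$/.test(url.protocol)) {
      findings.push({ path, rule: 'non-registry-specifiers', level: 'warn' });
      continue;
    }
    if (!allowed.has(url.origin)) findings.push({ path, rule: 'registry', level: 'error' });
    // An SRI string may carry several space-separated "alg-base64" entries.
    const ok = String(pkg.integrity || '').split(/\s+/).some((entry) => {
      const [alg, b64 = ''] = entry.split(/-(.*)/);
      return algorithms.includes(alg)
        && Buffer.from(b64, 'base64').length === DIGEST_BYTES[alg];
    });
    if (!ok) findings.push({ path, rule: 'integrity', level: 'error' });
  }
  return findings;
}

// Exit code convention from this page: warnings alone still exit 0.
const exitCodeFor = (findings) => (findings.some((f) => f.level === 'error') ? 1 : 0);

// Constructed sample data: placeholder digests and hosts, not real packages.
const fakeSri = (alg) => `${alg}-${Buffer.alloc(DIGEST_BYTES[alg], 1).toString('base64')}`;
const tgz = (host, name) => `https://${host}/${name}/-/${name}-1.0.0.tgz`;
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/good': { resolved: tgz('registry.npmjs.org', 'good'), integrity: fakeSri('sha512') },
    'node_modules/weak': { resolved: tgz('registry.npmjs.org', 'weak'), integrity: fakeSri('sha1') },
    'node_modules/lookalike': { resolved: tgz('registry.npmjs.org.example.test', 'x'), integrity: fakeSri('sha512') },
    'node_modules/from-git': { resolved: 'git+ssh://git@github.com/example/from-git.git#0000000' },
  },
};
const sampleFindings = auditNpmLock(sampleLock, {
  registries: ['https://registry.npmjs.org/'], algorithms: ['sha512'],
});
console.log(sampleFindings, 'exit code', exitCodeFor(sampleFindings));
```

The sample run corresponds to `lintlock -r https://registry.npmjs.org/ -a sha512` in intent only; the real CLI also applies the flavor, version and binary-conflicts rules, which this example leaves out.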

Programmatic Usage

import { lintLockfile } from 'lintlock';

const exitCode = await lintLockfile('/path/to/package-lock.json', {
	flavor: ['npm'],
	registry: ['https://registry.npmjs.org/'],
	algorithms: ['sha512'],
});

process.exit(exitCode);

Tests

Clone the repo, npm install, and run npm test.

License

MIT

Keywords

eslint

Package last updated on 22 Dec 2025