Security News
Combatting Alert Fatigue by Prioritizing Malicious Intent
In 2023, data breaches surged 78% from zero-day and supply chain attacks, but developers are still buried under alerts that are unable to prevent these threats.
lock-verify
The lock-verify npm package reports whether a project's package.json is out of sync with its package-lock.json. It checks that the dependencies declared in package.json are consistent with the versions recorded in the lock file, so the pinned dependency set stays in step with the manifest.
Verify package-lock.json
This snippet runs the check on the current directory and reports the outcome. The result's status property is a boolean: when it is true the lock file is consistent and a success message is logged; otherwise the errors are logged.
const lockVerify = require('lock-verify');

// Check the current directory's package.json against its lock file.
// result.status is a boolean: true when the two are in sync (warnings may still exist).
lockVerify('.').then(result => {
  if (result.status) {
    console.log('package-lock.json is valid');
  } else {
    console.error('package-lock.json is invalid');
    result.errors.forEach(e => console.error(e));
  }
}).catch(err => {
  // Rejected when package.json or the lock file is missing or unreadable.
  console.error('An error occurred:', err);
});
npm-audit is a built-in npm command that performs a security audit of the project's dependencies. While it focuses on security vulnerabilities rather than integrity verification, it provides a comprehensive report on potential security issues in the dependencies.
Yarn is an alternative package manager to npm that also provides a lock file (yarn.lock) to ensure consistent dependency installations. Yarn has a built-in command `yarn check` that verifies the integrity of the installed packages against the yarn.lock file, similar to what lock-verify does for npm.
npm-check is a tool that checks for outdated, incorrect, and unused dependencies in a project. While it does not specifically verify the package-lock.json file, it helps in maintaining the overall health of the project's dependencies.
This module will be deprecated once npm v7 is released. Please do not rely on it more than absolutely necessary (i.e., only if you are depending on it for use with npm v6 internal dependencies).
Report if your package.json is out of sync with your package-lock.json.
const lockVerify = require('lock-verify')

// Path to the module to check; defaults to the current directory.
const moduleDir = process.argv[2] || '.'

lockVerify(moduleDir).then(result => {
  result.warnings.forEach(w => console.error('Warning:', w))
  if (!result.status) {
    result.errors.forEach(e => console.error(e))
    process.exit(1)
  }
}).catch(err => {
  // No package.json or lockfile in moduleDir, or they are unreadable
  console.error(err)
  process.exit(1)
})
As a library it's a function that takes the path to a module and returns a promise that resolves to an object with .status, .warnings and .errors properties. The first will be true if everything was ok (though warnings may exist). If there's no package.json or no lockfile in moduleDir, or they're unreadable, then the promise will be rejected.
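To make the result shape described above concrete, here is an added in-memory illustration of the kind of check lock-verify performs; it is not the package's own code. It assumes a restricted range grammar (exact, ^, ~ and *), where a real implementation would use a full semver range parser, and the package.json and lock data are constructed samples.

```javascript
// Added illustration, not lock-verify's own code: an in-memory version of the
// check the README describes. It compares the ranges declared in package.json
// with the versions pinned in package-lock.json and returns the same
// {status, warnings, errors} shape. Assumption: only exact, ^, ~ and * ranges.

const parseVersion = (v) => v.split('.').map(Number);

// True when `version` satisfies `range` under the restricted grammar above.
function satisfies(version, range) {
  if (range === '*' || range === '') return true;
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const ver = parseVersion(version);
  const base = parseVersion(range.slice(op.length));
  if ([...ver, ...base].some(Number.isNaN) || ver.length !== 3 || base.length !== 3) return false;
  if (op === '') return version === range;
  for (let i = 0; i < 3; i++) {           // lower bound: version >= base
    if (ver[i] > base[i]) break;
    if (ver[i] < base[i]) return false;
  }
  // Upper bound: ^ fixes the major (major+minor when major is 0); ~ fixes major+minor.
  if (op === '^' && base[0] !== 0) return ver[0] === base[0];
  return ver[0] === base[0] && ver[1] === base[1];
}

// Mirrors the README's result object: status is true only when no errors were found.
function verifyLock(pkg, lock) {
  const warnings = [], errors = [];
  const groups = [['dependencies', true], ['devDependencies', true], ['optionalDependencies', false]];
  for (const [group, required] of groups) {
    for (const [name, range] of Object.entries(pkg[group] || {})) {
      const locked = (lock.dependencies || {})[name];
      if (!locked) (required ? errors : warnings).push(`Missing: ${name}@${range}`);
      else if (!satisfies(locked.version, range))
        errors.push(`Invalid: lock file's ${name}@${locked.version} does not satisfy ${name}@${range}`);
    }
  }
  return { status: errors.length === 0, warnings, errors };
}

// Constructed sample: lodash drifted past its ~ range; optional fsevents is absent (warning only).
const samplePackageJson = {
  dependencies: { express: '^4.17.1', lodash: '~4.17.0' },
  devDependencies: { mocha: '8.2.1' },
  optionalDependencies: { fsevents: '^2.1.0' },
};
const sampleLock = { dependencies: {
  express: { version: '4.18.2' }, lodash: { version: '4.18.0' }, mocha: { version: '8.2.1' },
} };
console.log(verifyLock(samplePackageJson, sampleLock));
```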
FAQs
Report if your package.json is out of sync with your package-lock.json.
The npm package lock-verify receives a total of 145,182 weekly downloads. As such, lock-verify popularity was classified as popular.
We found that lock-verify demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.