lockfile-lint
Advanced tools
lockfile-lint is an npm package designed to validate npm/yarn/pnpm lockfiles to ensure they adhere to security and integrity policies. It helps in preventing the use of malicious or unintended dependencies by enforcing rules on the lockfile.
Validate Allowed Hosts
This feature allows you to validate that all dependencies in the lockfile are being fetched from allowed hosts. In this example, it ensures that all dependencies are fetched from 'npmjs.com'.
const { lint } = require('lockfile-lint');
lint({
path: './package-lock.json',
type: 'npm',
validateHttps: true,
allowedHosts: ['npmjs.com']
}).then(results => {
console.log(results);
}).catch(err => {
console.error(err);
});Validate Scheme
This feature ensures that all URLs in the lockfile use the HTTPS scheme, which is more secure than HTTP.
const { lint } = require('lockfile-lint');
lint({
path: './package-lock.json',
type: 'npm',
validateHttps: true
}).then(results => {
console.log(results);
}).catch(err => {
console.error(err);
});Validate Integrity
This feature checks that all dependencies have valid integrity hashes, ensuring that the contents have not been tampered with.
const { lint } = require('lockfile-lint');
lint({
path: './package-lock.json',
type: 'npm',
validateIntegrity: true
}).then(results => {
console.log(results);
}).catch(err => {
console.error(err);
});npm-audit is a built-in npm tool that performs a security audit of your project's dependencies. It checks for known vulnerabilities and provides a report. Unlike lockfile-lint, npm-audit focuses on known security vulnerabilities rather than enforcing lockfile policies.
Snyk is a comprehensive security tool that scans for vulnerabilities in your dependencies, container images, and infrastructure as code. It offers more extensive security features compared to lockfile-lint, including real-time monitoring and automatic fix pull requests.
A CLI to lint a lockfile for security policies
A CLI tool to lint a lockfile for security policies
npm install --save lockfile-lint
lockfile-lint can be installed per a project scope, or globally and exposes a lockfile-lint executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.
lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>
Supported lockfiles:
package-lock.json and npm-shrinkwrap.jsonyarn.lockAn example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:
DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm
Example 2: specify hostnames and enforce the use of HTTPS as a protocol
lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
--type yarn is ommitted since lockfile-lint can figure it out on it's own--allowed-hosts explicitly set to match yarn's mirror hostExample 3: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the git+https: as a valid URI scheme
lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"
--allowed-hosts explicitly set to match github.com as a host and specifies yarn as the alias for yarn's official mirror host--allowed-schemes is used instead of validate-https and it explicitly allows both https: and git+https: as the HTTP Scheme for the github URL. Note that --allowed-schemes and --validate-https are mutually exclusive.Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the --allowed-urls option while all other packages must resolve to yarn as specified by --allowed-hosts
lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2
--allowed-hosts allows packages from yarn only--allowed-urls overrides allowed-hosts and allows a specific Github URL to pass validation| command line argument | description | implemented |
|---|---|---|
--path, -p | path to the lockfile but you can also provide a glob matching pattern as long as it isn't expanded by a shell like bash or zsh. If that's the case, you can provide it as a string, for example: -p '/Users/lirantal/repos/**/package-lock.json' to match multiple lockfiles | ✅ |
--type, -t | lockfile type, options are npm or yarn | ✅ |
--format, -f | sets what type of report output is desired, one of [ pretty, plain ] with plain removing colors & status symbols from output | ✅ |
--validate-https, -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ |
--allowed-hosts, -a | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are npm, yarn, and verdaccio which will match URLs https://registry.npmjs.org, https://registry.yarnpkg.com and https://registry.verdaccio.org respectively | ✅ |
--allowed-schemes, -o | allowed URI schemes such as "https:", "http", "git+ssh:", or "git+https:" | ✅ |
--allowed-urls, -u | allowed URLs (e.g. https://github.com/some-org/some-repo#some-hash) | ✅ |
--empty-hostname, -e | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ |
--validate-package-names, -n | validates that the resolved URL matches the package name | ✅ |
--validate-integrity, -i | validates the integrity field is a sha512 hash | ✅ |
--allowed-package-name-aliases, -l | allow package name aliases to be used by specifying package name and their alias as pairs (e.g: string-width-cjs:string-width) | ✅ |
--integrity-exclude | exclude packages from the --validate-integrity check | ✅ |
Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):
The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.
The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").
Please consult CONTRIBUTING for guidelines on contributing to this project.
lockfile-lint © Liran Tal, Released under the Apache-2.0 License.
FAQs
A CLI to lint a lockfile for security policies
The npm package lockfile-lint receives a total of 42,944 weekly downloads. As such, lockfile-lint popularity was classified as popular.
We found that lockfile-lint demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.