lockfile-lint-api

lockfile-lint-api

Lint an npm or yarn lockfile to analyze and detect issues

About

Lints an npm or yarn lockfile to analyze and detect issues

NOTE: currently only yarn's yarn.lock is supported. PRs to support npm's package-lock.json are welcome 🤗

Install

npm install --save lockfile-lint-api

Usage

lockfile-lint-api exposes a set of validator APIs that can be used for programmatic use-cases, such as being employed by other tools and programs if needed.

Validators

The following lockfile validators are supported

Validator API	description	implemented
ValidateHttps	validates the use of HTTPS as protocol schema for all resources	✅
ValidateHost	validates a whitelist of allowed hosts to be used for resources in the lockfile	✅

Example

const {ValidateHost, ParseLockFile} = require('lockfile-lint-api')

// path to the lockfile
const yarnLockFilePath = '/path/to/my/yarn.lock'
const options = {
  lockFilePath: yarnLockFilePath
}

// instantiate a new parser with options object
const parser = new ParseLockFile(options)

// read the file synchronously and parses it
// providing back an object that is compatible
// with the @yarn/lockfile library which has
// all the packages listed in `lockfile.object`
const lockfile = parser.parseSync()

// now instantiate a validator object with those
// list of packages
const validator = new ValidateHost({packages: lockfile.object})
try {
  // validation is synchronous and is being called
  // with 'npm' as a shortcut for the npm registry
  // host to validate all lockfile resources are
  // whitelisted to the npm host
  validator.validate(['npm'])
} catch (error) {
  // may throw an error: detected invalid origin for package
}

Contributing

Please consult CONTIRBUTING for guidelines on contributing to this project.

Author

lockfile-lint-api © Liran Tal, Released under the Apache-2.0 License.