Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

lockfile-lint-api

Package Overview
Dependencies
Maintainers
1
Versions
55
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

lockfile-lint-api

Lint an npm or yarn lockfile to analyze and detect issues

  • 1.0.1
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
61K
decreased by-51.95%
Maintainers
1
Weekly downloads
 
Created
Source

lockfile-lint-api

Lint an npm or yarn lockfile to analyze and detect issues

npm version license downloads build codecov Known Vulnerabilities Security Responsible Disclosure

About

Lints an npm or yarn lockfile to analyze and detect issues

NOTE: currently only yarn's yarn.lock is supported. PRs to support npm's package-lock.json are welcome 🤗

Install

npm install --save lockfile-lint-api

Usage

lockfile-lint-api exposes a set of validator APIs that can be used for programmatic use-cases, such as being employed by other tools and programs if needed.

Validators

The following lockfile validators are supported

Validator APIdescriptionimplemented
ValidateHttpsvalidates the use of HTTPS as protocol schema for all resources
ValidateHostvalidates a whitelist of allowed hosts to be used for resources in the lockfile

Example

const {ValidateHost, ParseLockFile} = require('lockfile-lint-api')

// path to the lockfile
const yarnLockFilePath = '/path/to/my/yarn.lock'
const options = {
  lockFilePath: yarnLockFilePath
}

// instantiate a new parser with options object
const parser = new ParseLockFile(options)

// read the file synchronously and parses it
// providing back an object that is compatible
// with the @yarn/lockfile library which has
// all the packages listed in `lockfile.object`
const lockfile = parser.parseSync()

// now instantiate a validator object with those
// list of packages
const validator = new ValidateHost({packages: lockfile.object})
try {
  // validation is synchronous and is being called
  // with 'npm' as a shortcut for the npm registry
  // host to validate all lockfile resources are
  // whitelisted to the npm host
  validator.validate(['npm'])
} catch (error) {
  // may throw an error: detected invalid origin for package
}

Contributing

Please consult CONTIRBUTING for guidelines on contributing to this project.

Author

lockfile-lint-api © Liran Tal, Released under the Apache-2.0 License.

Keywords

FAQs

Package last updated on 11 Jun 2019

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc