lockfile-lint-api
Lint an npm or yarn lockfile to analyze and detect issues
Install:

```sh
npm install --save lockfile-lint-api
```

`lockfile-lint-api` exposes a set of validator APIs for programmatic use-cases, such as being employed by other tools and programs.

The following lockfile validators are supported:
Validator API | description | implemented |
---|---|---|
ValidateHttps | validates the use of HTTPS as protocol schema for all resources | ✅ |
ValidateHost | validates a whitelist of allowed hosts to be used for resources in the lockfile | ✅ |
ValidatePackageNames | validates that the resolved URL matches the package name | ✅ |
ValidateScheme | validates a whitelist of allowed URI schemes to be used for hosts | ✅ |
ValidateIntegrity | validates that the integrity hash type is sha512 | ✅ |
NOTE: package entries without a `resolved` field (for example, those installed from the local filesystem) will automatically pass all URL-based validators.

If a validator cannot process its input it throws an exception; otherwise, whether the data validates or not, it always returns a descriptive object for the validation task.
When validation is successful the following object will be returned from the validating function:

```json
{
  "type": "success",
  "errors": []
}
```

When validation has failed the following object will be returned from the validating function:

```json
{
  "type": "error",
  "errors": [
    {
      "package": "@babel/cli",
      "message": "detected invalid origin for package: @babel/cli"
    }
  ]
}
```
Notes about the returned object:

- the `package` property and other metadata depend on the specific validators being used

Example (the `lockfile` object is produced by `ParseLockfile`, as in the full usage example that follows):

```js
const {ValidateHost, ParseLockfile} = require('lockfile-lint-api')

// `lockfile.object` holds the parsed packages (see the full example below)
const lockfile = new ParseLockfile({lockfilePath: '/path/to/my/yarn.lock'}).parseSync()
const validator = new ValidateHost({packages: lockfile.object})
let result
try {
  result = validator.validate(['npm'])
} catch (error) {
  // something bad happened during validation and the validation
  // process couldn't take place; `result` stays undefined
}
console.log(result)
/* prints
{
  "type": "error",
  "errors": [
    {
      "message": "detected invalid origin for package: meow",
      "package": "meow"
    }
  ]
}
*/
```
Full usage example:

```js
const {ValidateHost, ParseLockfile} = require('lockfile-lint-api')

// path to the lockfile
const yarnLockfilePath = '/path/to/my/yarn.lock'
const options = {
  lockfilePath: yarnLockfilePath
}

// instantiate a new parser with the options object
const parser = new ParseLockfile(options)

// read the file synchronously and parse it,
// providing back an object that is compatible
// with the @yarnpkg/lockfile library and has
// all the packages listed in `lockfile.object`
const lockfile = parser.parseSync()

// now instantiate a validator object with that
// list of packages
const validator = new ValidateHost({packages: lockfile.object})

let result
try {
  // validation is synchronous and is being called
  // with 'npm' as a shortcut for the npm registry
  // host, to validate that all lockfile resources
  // are whitelisted to the npm host
  result = validator.validate(['npm'])
} catch (error) {
  // couldn't process the validation; `result` stays undefined
}

// guard against the undefined result left behind by a thrown exception
if (result && result.type === 'success') {
  // validation succeeded
}
```
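To make the validators table and the returned-object format concrete, here is an added example that is not lockfile-lint-api's own code: a small re-implementation of the host, HTTPS and sha512-integrity checks over a constructed lockfile object in the `@yarnpkg/lockfile` `object` shape, returning the same `{type, errors}` descriptor described above. The `HOST_ALIASES` map, the sample entries and the error wording for the protocol and integrity cases are assumptions made for this example.

```javascript
// Added example (not the library's own code): re-implements the host/HTTPS/
// sha512 checks and the {type, errors} result shape the README describes.

// Assumed aliases mirroring the README's 'npm' shortcut (constructed here).
const HOST_ALIASES = { npm: 'registry.npmjs.org', yarn: 'registry.yarnpkg.com' }

// Constructed sample lockfile object (keys are "<name>@<range>").
const SAMPLE_LOCKFILE = {
  'chalk@^2.4.2': {
    version: '2.4.2',
    resolved: 'https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz',
    integrity: 'sha512-PLACEHOLDERbase64digest=='
  },
  'meow@^5.0.0': {
    version: '5.0.0',
    resolved: 'http://mirror.example.invalid/meow/-/meow-5.0.0.tgz',
    integrity: 'sha1-PLACEHOLDERdigest='
  },
  'local-pkg@file:./local-pkg': { version: '1.0.0' } // no resolved: URL checks pass
}

// "@scope/name@^1.0.0" -> "@scope/name"; "name@^1.0.0" -> "name"
function packageName(key) {
  const at = key.lastIndexOf('@')
  return at > 0 ? key.slice(0, at) : key
}

function validateLockfile(packages, allowedHosts) {
  const hosts = allowedHosts.map(h => HOST_ALIASES[h] || h)
  const errors = []
  for (const [key, entry] of Object.entries(packages)) {
    const pkg = packageName(key)
    if (entry.resolved) {
      const url = new URL(entry.resolved) // throws on a malformed URL, like a validator
      if (url.protocol !== 'https:') {
        errors.push({ package: pkg, message: `detected invalid protocol for package: ${pkg}` })
      }
      if (!hosts.includes(url.hostname)) {
        errors.push({ package: pkg, message: `detected invalid origin for package: ${pkg}` })
      }
    }
    if (entry.integrity && !entry.integrity.startsWith('sha512-')) {
      errors.push({ package: pkg, message: `detected invalid integrity hash type for package: ${pkg}` })
    }
  }
  return errors.length ? { type: 'error', errors } : { type: 'success', errors: [] }
}
```

Running `validateLockfile(SAMPLE_LOCKFILE, ['npm'])` reports three errors, all for `meow` (plain HTTP, an unexpected host, and a sha1 integrity hash), while `chalk` and the unresolved local package pass.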
Please consult CONTRIBUTING for guidelines on contributing to this project.
lockfile-lint-api © Liran Tal, Released under the Apache-2.0 License.