Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
lockfile-lint
Advanced tools
lockfile-lint - npm Package Compare versions
Comparing version 4.12.1 to 4.13.0
@@ -84,3 +84,4 @@ #!/usr/bin/env node | ||
| allowedUrls: config['allowed-urls'], | ||
| allowedPackageNameAliases: config['allowed-package-name-aliases'] | ||
| allowedPackageNameAliases: config['allowed-package-name-aliases'], | ||
| integrityExclude: config['integrity-exclude'] | ||
| } | ||
@@ -87,0 +88,0 @@ }) |
| { | ||
| "name": "lockfile-lint", | ||
| "version": "4.12.1", | ||
| "version": "4.13.0", | ||
| "description": "A CLI to lint a lockfile for security policies", | ||
@@ -58,3 +58,3 @@ "bin": { | ||
| "fast-glob": "^3.3.1", | ||
| "lockfile-lint-api": "^5.8.0", | ||
| "lockfile-lint-api": "^5.9.0", | ||
| "yargs": "^17.7.2" | ||
@@ -61,0 +61,0 @@ }, |
@@ -81,13 +81,14 @@ <p align="center"><h1 align="center"> | ||
| |----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| | ||
| | `--path`, `-p` | path to the lockfile but you can also provide a glob matching pattern as long as it isn't expanded by a shell like bash or zsh. If that's the case, you can provide it as a string, for example: `-p '/Users/lirantal/repos/**/package-lock.json'` to match multiple lockfiles | ✅ | | ||
| | `--type`, `-t` | lockfile type, options are `npm` or `yarn` | ✅ | | ||
| | `--format`, `-f` | sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output | ✅ | | ||
| | `--validate-https`, `-s` | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ | | ||
| | `--allowed-hosts`, `-a` | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅ | | ||
| | `--allowed-schemes`, `-o` | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" | ✅ | | ||
| | `--allowed-urls`, `-u` | allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) | ✅ | | ||
| | `--empty-hostname`, `-e` | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ | | ||
| | `--validate-package-names`, `-n` | validates that the resolved URL matches the package name | ✅ | | ||
| | `--validate-integrity`, `-i` | validates the integrity field is a sha512 hash | ✅ | | ||
| | `--allowed-package-name-aliases`, `-l` | allow package name aliases to be used by specifying package name and their alias as pairs (e.g: `string-width-cjs:string-width`) | ✅ | | ||
| | `--path`, `-p` | path to the lockfile but you can also provide a glob matching pattern as long as it isn't expanded by a shell like bash or zsh. If that's the case, you can provide it as a string, for example: `-p '/Users/lirantal/repos/**/package-lock.json'` to match multiple lockfiles | ✅ | | ||
| | `--type`, `-t` | lockfile type, options are `npm` or `yarn` | ✅ | | ||
| | `--format`, `-f` | sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output | ✅ | | ||
| | `--validate-https`, `-s` | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ | | ||
| | `--allowed-hosts`, `-a` | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅ | | ||
| | `--allowed-schemes`, `-o` | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" | ✅ | | ||
| | `--allowed-urls`, `-u` | allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) | ✅ | | ||
| | `--empty-hostname`, `-e` | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ | | ||
| | `--validate-package-names`, `-n` | validates that the resolved URL matches the package name | ✅ | | ||
| | `--validate-integrity`, `-i` | validates the integrity field is a sha512 hash | ✅ | | ||
| | `--allowed-package-name-aliases`, `-l` | allow package name aliases to be used by specifying package name and their alias as pairs (e.g: `string-width-cjs:string-width`) | ✅ | | ||
| | `--integrity-exclude` | exclude packages from the `--validate-integrity` check | ✅ | | ||
@@ -94,0 +95,0 @@ # File-Based Configuration |
@@ -88,2 +88,6 @@ 'use strict' | ||
| }, | ||
| 'integrity-exclude': { | ||
| type: 'array', | ||
| describe: 'do not validate integrity for these package' | ||
| }, | ||
| format: { | ||
@@ -90,0 +94,0 @@ alias: ['f'], |
@@ -137,3 +137,3 @@ 'use strict' | ||
| return validator.validate() | ||
| return validator.validate(validatorOptions) | ||
| } |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.48%
37659
- Lines of code
- increased by1.26%
401
- Number of lines in readme file
- increased by0.88%
114
Dependency changes
Updatedlockfile-lint-api@^5.9.0