lockfile-lint

What is lockfile-lint?

lockfile-lint is an npm package designed to validate npm/yarn/pnpm lockfiles to ensure they adhere to security and integrity policies. It helps in preventing the use of malicious or unintended dependencies by enforcing rules on the lockfile.

What are lockfile-lint's main functionalities?

Validate Allowed Hosts

This feature allows you to validate that all dependencies in the lockfile are being fetched from allowed hosts. In this example, it ensures that all dependencies are fetched from 'npmjs.com'.

const { lint } = require('lockfile-lint');

lint({
  path: './package-lock.json',
  type: 'npm',
  validateHttps: true,
  allowedHosts: ['npmjs.com']
}).then(results => {
  console.log(results);
}).catch(err => {
  console.error(err);
});

Validate Scheme

This feature ensures that all URLs in the lockfile use the HTTPS scheme, which is more secure than HTTP.

const { lint } = require('lockfile-lint');

lint({
  path: './package-lock.json',
  type: 'npm',
  validateHttps: true
}).then(results => {
  console.log(results);
}).catch(err => {
  console.error(err);
});

Validate Integrity

This feature checks that all dependencies have valid integrity hashes, ensuring that the contents have not been tampered with.

const { lint } = require('lockfile-lint');

lint({
  path: './package-lock.json',
  type: 'npm',
  validateIntegrity: true
}).then(results => {
  console.log(results);
}).catch(err => {
  console.error(err);
});

Other packages similar to lockfile-lint

npm-audit

npm-audit is a built-in npm tool that performs a security audit of your project's dependencies. It checks for known vulnerabilities and provides a report. Unlike lockfile-lint, npm-audit focuses on known security vulnerabilities rather than enforcing lockfile policies.

snyk

Snyk is a comprehensive security tool that scans for vulnerabilities in your dependencies, container images, and infrastructure as code. It offers more extensive security features compared to lockfile-lint, including real-time monitoring and automatic fix pull requests.

README

lockfile-lint

A CLI to lint a lockfile for security policies

About

A CLI tool to lint a lockfile for security policies

Install

npm install --save lockfile-lint

Usage

lockfile-lint can be installed per a project scope, or globally and exposes a lockfile-lint executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.

lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <URL-to-match>

Example

An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:

DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm

CLI command options

command line argument	description	implemented
--path, -p	path to the lockfile	✅
--type, -t	lockfile type, options are npm or yarn	✅
--validate-https, -s	validates the use of HTTPS as protocol schema for all resources in the lockfile	✅
--allowed-hosts, -a	validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are npm, yarn, and verdaccio which will match URLs https://registry.npmjs.org, https://registry.yarnpkg.com and https://registry.verdaccio.org respectively	✅

Contributing

Please consult CONTIRBUTING for guidelines on contributing to this project.

Author

lockfile-lint © Liran Tal, Released under the Apache-2.0 License.