What is lockfile-lint?
lockfile-lint is an npm package designed to validate npm/yarn/pnpm lockfiles to ensure they adhere to security and integrity policies. It helps in preventing the use of malicious or unintended dependencies by enforcing rules on the lockfile.
What are lockfile-lint's main functionalities?
Validate Allowed Hosts
This feature allows you to validate that all dependencies in the lockfile are being fetched from allowed hosts. In this example, it ensures that all dependencies are fetched from 'npmjs.com'.
const { lint } = require('lockfile-lint');
lint({
  path: './package-lock.json',
  type: 'npm',
  validateHttps: true,
  allowedHosts: ['npmjs.com']
}).then(results => {
  console.log(results);
}).catch(err => {
  console.error(err);
});
Validate Scheme
This feature ensures that all URLs in the lockfile use the HTTPS scheme, which is more secure than HTTP.
const { lint } = require('lockfile-lint');
lint({
  path: './package-lock.json',
  type: 'npm',
  validateHttps: true
}).then(results => {
  console.log(results);
}).catch(err => {
  console.error(err);
});
Validate Integrity
This feature checks that all dependencies have valid integrity hashes, ensuring that the contents have not been tampered with.
const { lint } = require('lockfile-lint');
lint({
  path: './package-lock.json',
  type: 'npm',
  validateIntegrity: true
}).then(results => {
  console.log(results);
}).catch(err => {
  console.error(err);
});
Other packages similar to lockfile-lint
npm-audit
npm-audit is a built-in npm tool that performs a security audit of your project's dependencies. It checks for known vulnerabilities and provides a report. Unlike lockfile-lint, npm-audit focuses on known security vulnerabilities rather than enforcing lockfile policies.
snyk
Snyk is a comprehensive security tool that scans for vulnerabilities in your dependencies, container images, and infrastructure as code. It offers more extensive security features compared to lockfile-lint, including real-time monitoring and automatic fix pull requests.
lockfile-lint
A CLI to lint a lockfile for security policies
About
A CLI tool to lint a lockfile for security policies
Install
npm install --save lockfile-lint
Usage
lockfile-lint can be installed per project or globally. It exposes a lockfile-lint executable that should be run during builds, CI, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.
lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match>
Example
An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:
DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm
Example 2: specify hostnames and enforce the use of HTTPS as a protocol
lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
--type yarn is omitted since lockfile-lint can figure it out on its own
--allowed-hosts is explicitly set to match yarn's mirror host
Example 3: allow the lockfile to contain packages served over GitHub, which requires specifying github.com as a host as well as git+https: as a valid URI scheme
lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https --allowed-schemes "https:" "git+https:"
--allowed-hosts is explicitly set to match github.com as a host and specifies yarn as the alias for yarn's official mirror host
--allowed-schemes overrides validate-https and so it explicitly allows both https: and git+https: for the github URL
CLI command options
command line argument | description | implemented |
---|---|---|
--path, -p | path to the lockfile | ✅ |
--type, -t | lockfile type, options are npm or yarn | ✅ |
--validate-https, -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ |
--allowed-hosts, -a | validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported shorthand aliases are npm, yarn, and verdaccio which will match URLs https://registry.npmjs.org, https://registry.yarnpkg.com and https://registry.verdaccio.org respectively | ✅ |
--allowed-schemes, -o | allowed URI schemes such as "https:", "http:", "git+ssh:", or "git+https:" | ✅ |
--validate-checksum, -c | check that all resources include a checksum | ❌ PRs welcome |
--validate-integrity, -i | check that all resources include an integrity field | ❌ PRs welcome |
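What the host and scheme policies in the table amount to, as an added sketch that is not lockfile-lint's own code: lintResolved, its rule names and the sample lockfile are constructed for illustration, and the function walks the resolved URLs of an npm lockfile and compares the parsed scheme and hostname exactly against the allowed sets. The default scheme list stands in for --validate-https, and passing allowedSchemes replaces it, as in Example 3.

```javascript
// Added illustration; not lockfile-lint's implementation.
// Alias-to-host mapping taken from the --allowed-hosts row of the options table.
const HOST_ALIASES = new Map([
  ['npm', 'registry.npmjs.org'],
  ['yarn', 'registry.yarnpkg.com'],
  ['verdaccio', 'registry.verdaccio.org']
]);

// Constructed sample in package-lock.json v2/v3 shape ("packages" map with "resolved" URLs).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': {
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz'
    },
    'node_modules/plain-http': {
      resolved: 'http://registry.npmjs.org/plain-http/-/plain-http-1.0.0.tgz'
    },
    'node_modules/git-dep': {
      resolved: 'git+https://github.com/example-org/git-dep.git#0123abc'
    },
    'node_modules/lookalike': {
      resolved: 'https://registry.npmjs.org.example.test/lookalike/-/lookalike-1.0.0.tgz'
    }
  }
};

// Hypothetical helper: returns one error object per policy violation.
function lintResolved(lockfile, { allowedHosts = [], allowedSchemes = ['https:'] } = {}) {
  const hosts = new Set(allowedHosts.map(h => HOST_ALIASES.get(h) ?? h));
  const schemes = new Set(allowedSchemes);
  const errors = [];
  for (const [name, pkg] of Object.entries(lockfile.packages || {})) {
    if (!pkg.resolved) continue; // root project and linked packages carry no URL
    let url;
    try {
      url = new URL(pkg.resolved);
    } catch {
      errors.push({ name, rule: 'url', value: pkg.resolved });
      continue;
    }
    // Compare the parsed fields exactly; a substring test would accept the lookalike host.
    if (!schemes.has(url.protocol)) errors.push({ name, rule: 'scheme', value: url.protocol });
    if (!hosts.has(url.hostname)) errors.push({ name, rule: 'host', value: url.hostname });
  }
  return errors;
}
```

Calling lintResolved(SAMPLE_LOCKFILE, { allowedHosts: ['npm'] }) flags the plain-HTTP entry, the git dependency and the lookalike host; adding github.com and the git+https: scheme clears only the git dependency.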
Contributing
Please consult CONTRIBUTING for guidelines on contributing to this project.
Author
lockfile-lint © Liran Tal, Released under the Apache-2.0 License.