
lockfile-lint

4.0.0 • Public • Published

lockfile-lint

A CLI to lint a lockfile for security policies


About

A CLI tool to lint a lockfile for security policies

Install

npm install --save lockfile-lint

Usage

lockfile-lint can be installed per project or globally. It exposes a lockfile-lint executable that should be run during builds, CI, and general static code analysis so that lockfiles are kept in line with pre-defined security and usage policies.

lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match>

Supported lockfiles:

  • npm's package-lock.json and npm-shrinkwrap.json
  • yarn's yarn.lock

Example

An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:

DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm

Example 2: specify hostnames and enforce the use of HTTPS as a protocol

lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
  • --type yarn is omitted since lockfile-lint can figure it out on its own
  • --allowed-hosts is explicitly set to match yarn's mirror host

Example 3: allow the lockfile to contain packages served from GitHub, which requires specifying github.com as a host as well as git+https: as a valid URI scheme

lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https --allowed-schemes "https:" "git+https:"
  • --allowed-hosts explicitly lists github.com as a host and uses yarn as the alias for yarn's official mirror host
  • --allowed-schemes overrides --validate-https and so explicitly allows both https: and git+https: for the GitHub URL

CLI command options

command line argument | description | implemented
--path, -p | path to the lockfile | yes
--type, -t | lockfile type, options are npm or yarn | yes
--validate-https, -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | yes
--allowed-hosts, -a | validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported short-hand aliases are npm, yarn, and verdaccio, which match the URLs https://registry.npmjs.org, https://registry.yarnpkg.com and https://registry.verdaccio.org respectively | yes
--allowed-schemes, -o | allowed URI schemes such as "https:", "http:", "git+ssh:", or "git+https:" | yes
--empty-hostname, -e | allow empty hostnames, or set to false if you wish for a stricter policy | yes
--validate-checksum, -c | check that all resources include a checksum | ❌ PRs welcome
--validate-integrity, -i | check that all resources include an integrity field | ❌ PRs welcome
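To make the host, scheme and integrity policies from the usage examples and the options above concrete, here is an added example in JavaScript. It is not lockfile-lint's own code: it is a simplified checker that walks a constructed npm package-lock.json (lockfileVersion 1, with a placeholder integrity value) and reports every "resolved" URL that violates an allowed-hosts, allowed-schemes, validate-https, empty-hostname or validate-integrity policy. The alias table copies the README's npm/yarn/verdaccio mapping; the option names, finding format and sample package names are assumptions made for this example.

```javascript
// Added example (not lockfile-lint's own code): a minimal policy checker over an
// npm package-lock.json that mirrors the option semantics described above.
// Assumptions: a lockfileVersion 1 "dependencies" tree with "resolved" and
// "integrity" fields; the alias table copies the README's list.

// Short-hand aliases from the --allowed-hosts description.
const HOST_ALIASES = {
  npm: 'registry.npmjs.org',
  yarn: 'registry.yarnpkg.com',
  verdaccio: 'registry.verdaccio.org',
};

// Depth-first walk over the nested "dependencies" tree, yielding [path, entry].
function* walkDependencies(deps, prefix = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    yield [prefix + name, entry];
    if (entry.dependencies) {
      yield* walkDependencies(entry.dependencies, `${prefix}${name} > `);
    }
  }
}

// Returns a list of findings; an empty list means the lockfile passes the policy.
function lintLockfile(lockfile, options = {}) {
  const {
    allowedHosts = [],        // hostnames or aliases; empty list = no host policy
    allowedSchemes = null,    // explicit scheme list overrides validateHttps
    validateHttps = false,    // when set alone, only "https:" is accepted
    emptyHostname = true,     // set to false for a stricter policy
    validateIntegrity = false,
  } = options;

  const hosts = new Set(allowedHosts.map((h) => HOST_ALIASES[h] || h));
  let schemes = null;
  if (allowedSchemes) schemes = new Set(allowedSchemes);
  else if (validateHttps) schemes = new Set(['https:']);

  const findings = [];
  for (const [name, entry] of walkDependencies(lockfile.dependencies)) {
    if (validateIntegrity && !entry.integrity) {
      findings.push({ name, rule: 'integrity', detail: 'missing integrity field' });
    }
    if (!entry.resolved) continue; // bundled or local entries carry no URL

    let url;
    try {
      url = new URL(entry.resolved); // WHATWG URL parser, global in Node
    } catch (err) {
      findings.push({ name, rule: 'url', detail: `unparseable resolved URL: ${entry.resolved}` });
      continue;
    }
    if (schemes && !schemes.has(url.protocol)) {
      findings.push({ name, rule: 'scheme', detail: `scheme ${url.protocol} not allowed` });
    }
    if (url.hostname === '') {
      if (!emptyHostname) findings.push({ name, rule: 'host', detail: 'empty hostname' });
    } else if (hosts.size > 0 && !hosts.has(url.hostname)) {
      findings.push({ name, rule: 'host', detail: `host ${url.hostname} not allowed` });
    }
  }
  return findings;
}

// Constructed sample lockfile; integrity values are placeholders, not real digests.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    'left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'mirror-pkg': {
      version: '1.0.0',
      resolved: 'http://registry.example.test/mirror-pkg/-/mirror-pkg-1.0.0.tgz',
      // no integrity field on purpose: an unpinned tarball from an unexpected host
      dependencies: {
        'nested-pkg': {
          version: '0.1.0',
          resolved: 'https://registry.npmjs.org/nested-pkg/-/nested-pkg-0.1.0.tgz',
          integrity: 'sha512-PLACEHOLDER',
        },
      },
    },
    'my-fork': {
      version: '2.0.0',
      resolved: 'git+https://github.com/example-org/my-fork.git#0123abcd',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

// Equivalent of Example 3 plus an integrity requirement:
//   --allowed-hosts npm github.com --allowed-schemes "https:" "git+https:" --validate-integrity
function demoPolicy() {
  return lintLockfile(SAMPLE_LOCKFILE, {
    allowedHosts: ['npm', 'github.com'],
    allowedSchemes: ['https:', 'git+https:'],
    validateIntegrity: true,
  });
}

for (const f of demoPolicy()) console.log(`${f.name}: [${f.rule}] ${f.detail}`);
```

Run with node: only mirror-pkg is reported, once per violated rule (missing integrity, http: scheme, unexpected host), while the git+https: GitHub dependency passes because both its scheme and host are explicitly allowed. Dropping --allowed-schemes in favour of --validate-https alone would additionally flag my-fork, which is the interaction Example 3 describes.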

Contributing

Please consult CONTRIBUTING for guidelines on contributing to this project.

Author

lockfile-lint © Liran Tal, Released under the Apache-2.0 License.

Weekly Downloads

24,014

Version

4.0.0

License

Apache-2.0

Unpacked Size

38.2 kB

Total Files

8
