

4.0.0 • Public • Published


A CLI to lint a lockfile for security policies



A CLI tool to lint a lockfile for security policies


npm install --save lockfile-lint


lockfile-lint can be installed per project or globally. It exposes a lockfile-lint executable that should be run during builds, CI, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.

lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match>

Supported lockfiles:

  • npm's package-lock.json and npm-shrinkwrap.json
  • yarn's yarn.lock


An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:

DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm

Example 2: specify hostnames and enforce the use of HTTPS as a protocol

lockfile-lint --path yarn.lock --allowed-hosts --validate-https
  • --type yarn is omitted since lockfile-lint can figure it out on its own
  • --allowed-hosts explicitly set to match yarn's mirror host

Example 3: allow the lockfile to contain packages served from GitHub, which requires specifying the GitHub host as an allowed host as well as git+https: as a valid URI scheme

lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https --allowed-schemes "https:" "git+https:"
  • --allowed-hosts explicitly set to match the GitHub host, and specifies yarn as the alias for yarn's official mirror host
  • --allowed-schemes overrides --validate-https, so it explicitly allows both https: and git+https: for the GitHub URL

CLI command options

command line argument | description | implemented
--path, -p | path to the lockfile | ✅
--type, -t | lockfile type, options are npm or yarn | ✅
--validate-https, -s | validates the use of HTTPS as the protocol scheme for all resources in the lockfile | ✅
--allowed-hosts, -a | validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported shorthand aliases are npm, yarn, and verdaccio, which each match their respective registry URL | ✅
--allowed-schemes, -o | allowed URI schemes such as "https:", "http:", "git+ssh:", or "git+https:" | ✅
--empty-hostname, -e | allow empty hostnames, or set to false if you wish for a stricter policy | ✅
--validate-checksum, -c | check that all resources include a checksum | ❌ PRs welcome
--validate-integrity, -i | check that all resources include an integrity field | ❌ PRs welcome


Please consult CONTRIBUTING for guidelines on contributing to this project.


lockfile-lint © Liran Tal, Released under the Apache-2.0 License.


Unpacked Size: 38.2 kB
