package-lock-audit

    1.0.2 • Public • Published

    package-lock-audit

    A simple audit/lint/security tool for checking npm package-lock.json files against the following security issues:

    • Missing integrity properties
    • http instead of https resolved properties
    • resolved URLs pointing at non-npmjs.org repositories
    • Mismatches between dependency version and resolved URL version
    • Mismatches between dependency package names and resolved URL names

    It returns a non-zero exit code in the event of errors, so it is suitable for use in a CI pipeline.

    Usage

    • npx package-lock-audit [...package-lock.json]

    or

    const fs = require('fs');
    const audit = require('package-lock-audit').audit;
    
    // read package-lock.json from the current directory
    const lockfileObj = JSON.parse(fs.readFileSync('package-lock.json', 'utf8'));
    
    const options = { verbose: false };
    try {
      audit(lockfileObj, options);
    }
    catch (ex) {
      // audit() throws when it finds problems; report and fail the build
      console.error(ex.message);
      process.exit(1);
    }

    TODO

    • Optionally support other repository URL patterns
    • Optionally support git:// protocol / GitHub dependencies
    • Support lockfileVersion 2

    Out of Scope

    Install

    npm i package-lock-audit

    Weekly Downloads

    112

    Version

    1.0.2

    License

    MIT

    Unpacked Size

    4.81 kB

    Total Files

    6

    Last publish

    Collaborators

    • mermade