npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

lockfile-lint

v4.14.0

Published

A CLI to lint a lockfile for security policies

Downloads

883,195

Readme

About

A CLI tool to lint a lockfile for security policies

Install

npm install --save lockfile-lint

Usage

lockfile-lint can be installed per a project scope, or globally and exposes a lockfile-lint executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies.

lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>

Supported lockfiles:

  • npm's package-lock.json and npm-shrinkwrap.json
  • yarn's yarn.lock

Example

An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:

DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm

Example 2: specify hostnames and enforce the use of HTTPS as a protocol

lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
  • --type yarn is ommitted since lockfile-lint can figure it out on it's own
  • --allowed-hosts explicitly set to match yarn's mirror host

Example 3: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the git+https: as a valid URI scheme

lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"
  • --allowed-hosts explicitly set to match github.com as a host and specifies yarn as the alias for yarn's official mirror host
  • --allowed-schemes is used instead of validate-https and it explicitly allows both https: and git+https: as the HTTP Scheme for the github URL. Note that --allowed-schemes and --validate-https are mutually exclusive.

Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the --allowed-urls option while all other packages must resolve to yarn as specified by --allowed-hosts

lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2
  • --allowed-hosts allows packages from yarn only
  • --allowed-urls overrides allowed-hosts and allows a specific Github URL to pass validation

CLI command options

| command line argument | description | implemented | |----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| | --path, -p | path to the lockfile but you can also provide a glob matching pattern as long as it isn't expanded by a shell like bash or zsh. If that's the case, you can provide it as a string, for example: -p '/Users/lirantal/repos/**/package-lock.json' to match multiple lockfiles | ✅ | | --type, -t | lockfile type, options are npm or yarn | ✅ | | --format, -f | sets what type of report output is desired, one of [ pretty, plain ] with plain removing colors & status symbols from output | ✅ | | --validate-https, -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ | | --allowed-hosts, -a | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are npm, yarn, and verdaccio which will match URLs https://registry.npmjs.org, https://registry.yarnpkg.com and https://registry.verdaccio.org respectively | ✅ | | --allowed-schemes, -o | allowed URI schemes such as "https:", "http", "git+ssh:", or "git+https:" | ✅ | | --allowed-urls, -u | allowed URLs (e.g. https://github.com/some-org/some-repo#some-hash) | ✅ | | --empty-hostname, -e | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ | | --validate-package-names, -n | validates that the resolved URL matches the package name | ✅ | | --validate-integrity, -i | validates the integrity field is a sha512 hash | ✅ | | --allowed-package-name-aliases, -l | allow package name aliases to be used by specifying package name and their alias as pairs (e.g: string-width-cjs:string-width) | ✅ | | --integrity-exclude | exclude packages from the --validate-integrity check | ✅ |

File-Based Configuration

Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):

  • A "lockfile-lint" key in your package.json file.
  • A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).
  • A .lockfile-lint.js or lockfile-lint.config.js file that exports an object.
  • A .lockfile-lint.toml file, written in TOML (the .toml extension is required).

The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.

The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").

Contributing

Please consult CONTRIBUTING for guidelines on contributing to this project.

Author

lockfile-lint © Liran Tal, Released under the Apache-2.0 License.