pnpm-lock-to-npm-lock
v1.0.0
Published
Tool to convert a pnpm-lock.yaml into a package-lock.json
Downloads
298
Readme
PNPM Lock to NPM Lock
This script is used to convert a pnpm-lock.yaml
file to a package-lock.json
file for audit scan purposes only.
Successful scanning is accomplished by preserving all dependency sha's for security scanning tools like
Prisma, Twistlock,
Checkov, etc which support scanning npm's package-lock.json
out of the box.
This is not intended to be used to convert a project from pnpm to npm.
Overview
To execute this tool script:
# with npx
npx pnpm-lock-to-npm-lock <path to pnpm-lock.yaml>
# otherwise
npm i -g pnpm-lock-to-npm-lock
pnpm-lock-to-npm-lock <path to pnpm-lock.yaml>
Rush monorepos
If running in a Rush monorepo, where the monorepo's pnpm lockfile
is held within a config
directory, you can execute with a contextual environment variable.
RUNTIME_CONTEXT=RUSH_MONOREPO npx pnpm-lock-to-npm-lock
Support for other monorepos and out-of-the-box repo configurations is not yet implemented,
but provision of a proper path to any pnpm-lock.yaml
will create a scannable
package-lock.json
in that same directory.
Contributing
We'd love your help maintaining and extending pnpm-lock-to-npm-lock
!
To test the tool within this repo: npx . pnpm-lock.yaml
Please update the CHANGELOG.md
and follow Semver with any contributions.