lockfile-lint: a CLI tool to lint a lockfile for security policies
npm install --save lockfile-lint
lockfile-lint can be installed per project or globally. It exposes a `lockfile-lint` executable that should be run during builds, in CI, and as part of general static code analysis, so that lockfiles are kept in line with pre-defined security and usage policies.
lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>
An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:
DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm
Example 2: specify hostnames and enforce the use of HTTPS as a protocol
lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
`--type yarn` is omitted since lockfile-lint can figure it out on its own
`--allowed-hosts` is explicitly set to match yarn's mirror host
Example 3: allow the lockfile to contain packages served over GitHub, which requires specifying github.com as a host as well as `git+https:` as a valid URI scheme
lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --allowed-schemes "https:" "git+https:"
`--allowed-hosts` is explicitly set to match github.com as a host and specifies `yarn` as the alias for yarn's official mirror host
`--allowed-schemes` is used instead of `--validate-https` and explicitly allows both `https:` and `git+https:` as the URI scheme for the GitHub URL. Note that `--allowed-schemes` and `--validate-https` are mutually exclusive.
Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the `--allowed-urls` option, while all other packages must resolve to yarn as specified by `--allowed-hosts`
lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2
`--allowed-hosts` allows packages from yarn only
`--allowed-urls` is applied in addition to `--allowed-hosts` and allows a specific GitHub URL to pass validation
| command line argument | description | implemented |
|---|---|---|
| `--path` | path to the lockfile | ✅ |
| `--type` | lockfile type, options are `yarn` or `npm` | ✅ |
| `--validate-https` | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ |
| `--allowed-hosts` | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hand aliases are `yarn` and `npm` | ✅ |
| `--allowed-schemes` | allowed URI schemes such as "https:", "http:", "git+ssh:", or "git+https:" | ✅ |
| `--allowed-urls` | allowed URLs (e.g. the pinned GitHub URL in Example 4) | ✅ |
| `--empty-hostname` | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ |
| (not yet available) | check that all resources include a checksum | ❌ PRs welcome |
| (not yet available) | check that all resources include an integrity field | ❌ PRs welcome |
Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):
The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.
The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").
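As an added illustration of the camelCase option names in a file-based configuration (this is not a configuration shipped by the project), the following `lockfile-lint.config.js` encodes the policy from Example 4 plus HTTPS enforcement. The filename is an assumption based on cosmiconfig's usual search places; the option values are illustrative.

```javascript
// Added example: lockfile-lint.config.js (filename assumed from cosmiconfig conventions).
// Same options as the CLI flags above, in camelCase.
const config = {
  path: 'yarn.lock',
  type: 'yarn',
  // Only the official yarn mirror is allowed as a host...
  allowedHosts: ['yarn'],
  // ...except for this one pinned GitHub URL taken from Example 4.
  allowedUrls: ['https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2'],
  // Enforce HTTPS for everything else (mutually exclusive with allowedSchemes).
  validateHttps: true,
};

module.exports = config;
```

Because command-line options take precedence, running `lockfile-lint --path package-lock.json` against this file would still lint `package-lock.json` while keeping the host, URL and HTTPS policy from the file.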
Please consult CONTRIBUTING for guidelines on contributing to this project.