This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

lockfile-lint v4.3.7

A CLI to lint a lockfile for security policies



npm install --save lockfile-lint


lockfile-lint can be installed per project or globally. It exposes a lockfile-lint executable that should be run during builds, CI, and general static code analysis procedures to ensure that lockfiles comply with pre-defined security and usage policies.

lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match> --allowed-urls <urls-to-match>

Supported lockfiles:

  • npm's package-lock.json and npm-shrinkwrap.json
  • yarn's yarn.lock


An example of running the linter with debug output for a yarn lockfile and asserting that all resources are using the official npm registry as source for packages:

DEBUG=* lockfile-lint --path yarn.lock --type yarn --allowed-hosts npm

Example 2: specify hostnames and enforce the use of HTTPS as a protocol

lockfile-lint --path yarn.lock --allowed-hosts --validate-https
  • --type yarn is omitted since lockfile-lint can figure it out on its own
  • --allowed-hosts explicitly set to match yarn's mirror host

Example 3: allow the lockfile to contain packages served over GitHub, which requires specifying it as a host and git+https: as a valid URI scheme

lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-schemes "https:" "git+https:"
  • --allowed-hosts explicitly set to match as a host and specifies yarn as the alias for yarn's official mirror host
  • --allowed-schemes is used instead of --validate-https and explicitly allows both https: and git+https: as URI schemes for the GitHub URL. Note that --allowed-schemes and --validate-https are mutually exclusive.

Example 4: allow the lockfile to contain a package which resolves to a specific URL specified by the --allowed-urls option while all other packages must resolve to yarn as specified by --allowed-hosts

lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls
  • --allowed-hosts allows packages from yarn only
  • --allowed-urls overrides allowed-hosts and allows a specific Github URL to pass validation
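
The policy the examples above describe (allowed hosts, allowed schemes, and an exact-URL override) can be sketched in a few lines of Node.js. This is an added example, not lockfile-lint's own code: `checkLockfile`, the sample lockfile, its package names and the `example.test` URLs are constructed for illustration, and only npm's `packages` map with `resolved` fields is handled.

```javascript
// Added illustration, not lockfile-lint's implementation.
// Constructed sample shaped like npm's package-lock.json (lockfileVersion 3);
// package names and the example.test URLs are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/good-dep': {
      resolved: 'https://registry.npmjs.org/good-dep/-/good-dep-1.3.0.tgz'
    },
    'node_modules/plain-http': {
      resolved: 'http://registry.npmjs.org/plain-http/-/plain-http-2.0.0.tgz'
    },
    'node_modules/other-host': {
      resolved: 'https://packages.example.test/other-host-0.1.0.tgz'
    },
    'node_modules/pinned-fork': {
      resolved: 'https://mirror.example.test/pinned-fork-1.0.0.tgz'
    }
  }
};

// Hypothetical helper: one finding per policy violation in a lockfile object.
function checkLockfile(lock, { allowedHosts = [], allowedSchemes = ['https:'], allowedUrls = [] } = {}) {
  const findings = [];
  for (const [name, meta] of Object.entries(lock.packages || {})) {
    if (!meta.resolved) continue; // the root project entry has no download URL
    // Assumption: an exact URL match passes without further host/scheme checks.
    if (allowedUrls.includes(meta.resolved)) continue;
    let url;
    try {
      url = new URL(meta.resolved);
    } catch (err) {
      findings.push({ name, reason: 'unparseable URL' });
      continue;
    }
    if (!allowedSchemes.includes(url.protocol)) {
      findings.push({ name, reason: `scheme ${url.protocol}` });
    }
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ name, reason: `host ${url.hostname}` });
    }
  }
  return findings;
}

const policy = {
  allowedHosts: ['registry.npmjs.org'],
  allowedUrls: ['https://mirror.example.test/pinned-fork-1.0.0.tgz']
};
console.log(checkLockfile(sampleLock, policy));
```

Dropping `allowedUrls` from the policy makes the `pinned-fork` entry fail the host check, which is the situation Example 4 addresses.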

CLI command options

| command line argument | description | implemented |
| --- | --- | --- |
| --path, -p | path to the lockfile | |
| --type, -t | lockfile type, options are npm or yarn | |
| --validate-https, -s | validates the use of HTTPS as protocol schema for all resources in the lockfile | |
| --allowed-hosts, -a | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are npm, yarn, and verdaccio which will match URLs, and respectively | |
| --allowed-schemes, -o | allowed URI schemes such as "https:", "http", "git+ssh:", or "git+https:" | |
| --allowed-urls, -u | allowed URLs (e.g. | |
| --empty-hostname, -e | allow empty hostnames, or set to false if you wish for a stricter policy | |
| --validate-checksum, -c | check that all resources include a checksum | ❌ PRs welcome |
| --validate-integrity, -i | check that all resources include an integrity field | ❌ PRs welcome |

File-Based Configuration

Lockfile-lint uses cosmiconfig for configuration file support. This means you can configure the above options via (in order of precedence):

  • A "lockfile-lint" key in your package.json file.
  • A .lockfile-lintrc file, written in JSON or YAML, with optional extensions: .json/.yaml/.yml (without extension takes precedence).
  • A .lockfile-lint.js or lockfilelint.config.js file that exports an object.
  • A .lockfile-lint.toml file, written in TOML (the .toml extension is required).

The configuration file will be resolved starting from the current working directory, and searching up the file tree until a config file is (or isn't) found. Command-line options take precedence over any file-based configuration.

The options accepted in the configuration file are the same as the options above in camelcase (e.g. "path", "allowedHosts").


Please consult CONTRIBUTING for guidelines on contributing to this project.


lockfile-lint © Liran Tal, Released under the Apache-2.0 License.
