#npm #package-lock #json #linter #channel #secure #analysis

app package-lock-lint

linter for npm's package-lock.json

7 releases

0.2.4 Feb 5, 2024
0.2.3 Oct 7, 2022
0.2.2 Jan 15, 2022
0.2.1 Sep 27, 2021
0.1.1 May 21, 2021



199 lines


A tool to lint npm's package-lock.json files at a basic level since they're impossible to review manually.

$ package-lock-lint /my/package-lock.json

Current checks:

  • Matches overall schema
  • Dependencies resolve to valid URLs (catches T278857)
  • Dependencies are downloaded over secure channels (HTTPS or SSH)
  • The package named "-" is not depended upon (a typo)
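
The URL, secure-channel and "-" checks listed above, sketched in JavaScript as an added example; this is not package-lock-lint's own code. The accepted scheme list, the finding labels and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example, not package-lock-lint's code. Assumption: these URL schemes
// are what counts as "HTTPS or SSH"; finding labels are made up for this sketch.
const SECURE = new Set(['https:', 'git+https:', 'git+ssh:', 'ssh:']);
// Yield [name, entry] for every locked package, in either lockfile layout.
function* entries(lock) {
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || entry.link) continue; // root project, workspace symlink
      yield [path.split('node_modules/').pop(), entry];
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked iteratively.
  const stack = [lock.dependencies || {}];
  while (stack.length) {
    for (const [name, entry] of Object.entries(stack.pop())) {
      yield [name, entry];
      if (entry.dependencies) stack.push(entry.dependencies);
    }
  }
}

function lintLock(lock) {
  const findings = [];
  for (const [name, entry] of entries(lock)) {
    if (name === '-') findings.push({ name, problem: 'typo-package' });
    if (typeof entry.resolved !== 'string') continue; // e.g. bundled deps
    let url;
    try {
      url = new URL(entry.resolved);
    } catch (err) {
      findings.push({ name, problem: 'invalid-url' });
      continue;
    }
    if (!SECURE.has(url.protocol)) findings.push({ name, problem: 'insecure-channel' });
  }
  return findings;
}

// Constructed sample lockfile (package names and URLs are illustrative).
const SAMPLE = {
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/plain': { resolved: 'http://registry.npmjs.org/plain/-/plain-1.0.0.tgz' },
    'node_modules/broken': { resolved: 'registry.npmjs.org/broken-1.0.0.tgz' },
    'node_modules/-': { resolved: 'https://registry.npmjs.org/-/-/--0.0.1.tgz' },
    'node_modules/git-dep': { resolved: 'git+ssh://git@example.org/x/y.git#0123abc' },
  },
};
```

Calling lintLock(SAMPLE) flags "plain" (plain HTTP), "broken" (no scheme, so not a valid URL) and "-", and passes the git+ssh entry.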

See T242058: Add some form of static analysis for package-lock.json for the discussion and inspiration that led to this tool.

(C) 2021 Kunal Mehta, under the GPL v3 or any later version.

