#npm #package-lock

app package-lock-lint

linter for npm’s package-lock.json

3 unstable releases

0.2.0 Sep 5, 2021
0.1.1 May 21, 2021
0.1.0 May 19, 2021

#638 in Command line utilities


196 lines


A tool to lint npm's package-lock.json files at a basic level since they're impossible to review manually.

$ package-lock-lint /my/package-lock.json

Current checks:

  • Matches overall schema
  • Dependencies resolve to valid URLs (catches T278857)
  • Dependencies are downloaded over secure channels (HTTPS or SSH)
  • Package - is not depended upon (typo)

See T242058: Add some form of static analysis for package-lock.json for discussion and inspiration that let to this tool.

(C) 2021 Kunal Mehta, under the GPL v3 or any later version.


~90K SLoC