package-lock-audit

Audit npm package-lock.json for security issues

Usage no npm install needed!

<script type="module">
  import packageLockAudit from 'https://cdn.skypack.dev/package-lock-audit';
</script>

README

package-lock-audit

A simple audit/lint/security tool for checking npm package-lock.json files against the following security issues:

Missing integrity properties
http instead of https resolved properties
resolved URLs pointing at non-npmjs.org repositories
Mismatches between dependency version and resolved URL version
Mismatches between dependency package names and resolved URL names

It returns a non-zero exit code in the event of errors, so is suitable for use in a CI pipeline.

Usage

npx package-lock-audit [...package-lock.json]

or

const audit = require('package-lock-audit').audit;

// read package-lock.json

const options = { verbose: false };
try {
  audit(lockfileObj, options);
}
catch (ex) {
  // ...
}

TODO

Optionally support other repository URL patterns
Optionally support git:// protocol / GitHub dependencies
Support lockfileVersion 2

Out of Scope

Support for yarn - see https://github.com/lirantal/lockfile-lint