{"id":25517,"library":"eslint-plugin-lockfile","title":"eslint-plugin-lockfile","description":"An ESLint plugin for linting npm ecosystem lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock, vlt-lock.json). Version 1.1.0 requires ESLint ^9.39.2 and Node >=22.21. Provides 6 rules including integrity verification, registry enforcement, and lockfile version/format controls. Maintained by ljharb. Differentiators: supports 5 package managers, supply-chain attack protection via integrity checks, and both flat and legacy configs.","status":"active","version":"1.1.0","language":"javascript","source_language":"en","source_url":"https://github.com/ljharb/lockfile-tools","tags":["javascript","eslint","plugin","lockfile"],"install":[{"cmd":"npm install eslint-plugin-lockfile","lang":"bash","label":"npm"},{"cmd":"yarn add eslint-plugin-lockfile","lang":"bash","label":"yarn"},{"cmd":"pnpm add eslint-plugin-lockfile","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Peer dependency: required to load and run the plugin; must be version ^9.39.2","package":"eslint","optional":false}],"imports":[{"note":"ESM-only default export; CommonJS require is not supported","wrong":"const lockfile = require('eslint-plugin-lockfile')","symbol":"lockfile","correct":"import lockfile from 'eslint-plugin-lockfile'"},{"note":"configs is not a named export; access via default import","wrong":"import { configs } from 'eslint-plugin-lockfile'","symbol":"lockfile.configs.recommended","correct":"import lockfile from 'eslint-plugin-lockfile'; ... 
lockfile.configs.recommended"},{"note":"rules are not named exports; access via plugin object","wrong":"import { rules } from 'eslint-plugin-lockfile'","symbol":"rules","correct":"import lockfile from 'eslint-plugin-lockfile'; lockfile.rules['lockfile/flavor']"}],"quickstart":{"code":"// Install\nnpm install eslint-plugin-lockfile --save-dev\n\n// eslint.config.js\nimport lockfile from 'eslint-plugin-lockfile';\n\nexport default [\n  lockfile.configs.recommended,\n  {\n    files: ['**/package-lock.json', '**/yarn.lock', '**/pnpm-lock.yaml', '**/bun.lock', '**/bun.lockb', '**/vlt-lock.json'],\n    plugins: { lockfile },\n    rules: {\n      'lockfile/flavor': ['error', 'npm'],\n      'lockfile/version': 'error',\n      'lockfile/integrity': 'error',\n      'lockfile/registry': 'error',\n      'lockfile/non-registry-specifiers': 'warn',\n      'lockfile/binary-conflicts': 'error',\n    },\n  },\n];\n\n// Lint lockfiles\nnpx eslint '**/package-lock.json'","lang":"javascript","description":"Shows full flat config setup with all rules enabled and linting a lockfile."},"warnings":[{"fix":"Migrate to flat config (ESLint 9+). Use 'plugin:lockfile/recommended-legacy' only if stuck on ESLint 8.","message":"ESLint 8 legacy config is available but deprecated; future versions may drop support.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Use 'lockfile.configs.recommended' with flat config instead.","message":"The 'recommended-legacy' config is deprecated and will be removed in a future major version.","severity":"deprecated","affected_versions":">=1.0.0"},{"fix":"Use ['error', ['npm']] for a single flavor, not ['error', 'npm'].","message":"The argument to rule 'flavor' must be an array of flavors (e.g., ['npm', 'yarn']), not a single string.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure lockfiles are valid for the detected package manager. 
Test with a simple lint run first, and do not treat a run that reports no problems as proof that the lockfile was actually parsed and checked.","message":"Lockfile parsing may fail silently if the lockfile format is unsupported or malformed; errors are not always surfaced.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Add exclusions for known non-standard packages, or disable the integrity rule if using private registries without hashes. Disabling the rule removes the integrity check for every package in the linted lockfiles, so prefer the narrowest exclusion that works.","message":"Integrity rule may produce false positives if packages are from custom registries without standard integrity fields.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Upgrade Node.js to >=22.21, >=24.11, or >=25.2.","message":"Node.js versions outside the range ^22.21 || ^24.11 || >=25.2 are not supported.","severity":"deprecated","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Run 'npm install eslint-plugin-lockfile --save-dev'","cause":"Plugin not installed or not in node_modules","error":"Error: Failed to load plugin 'lockfile': Cannot find module 'eslint-plugin-lockfile'"},{"fix":"Use import statement: 'import lockfile from \"eslint-plugin-lockfile\"'","cause":"Plugin loaded with require() but default export is not accessed properly","error":"TypeError: lockfile.configs is undefined"},{"fix":"Configure as ['error', 'npm'] or ['error', ['npm', 'yarn']]","cause":"Rule configuration is not properly formatted as an array","error":"ESLint: Error while loading rule 'lockfile/flavor': Rule options must be an array"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}