{"id":18501,"library":"lockfile-lint","title":"lockfile-lint","description":"lockfile-lint is a CLI tool for linting npm and Yarn lockfiles against security policies. Current stable version is 5.0.0 (requires Node >=16), with frequent patch releases. It validates package origins, HTTPS usage, allowed hosts/schemes, and integrates into CI pipelines. Unlike generic linters, it focuses on supply-chain security by enforcing policies on lockfile entries. Maintained by Liran Tal and part of the lockfile-lint project.","status":"active","version":"5.0.0","language":"javascript","source_language":"en","source_url":"https://github.com/lirantal/lockfile-lint","tags":["javascript","lockfile check","lockfile lint","lockfile","lock","lint","yarn","npm","linter"],"install":[{"cmd":"npm install lockfile-lint","lang":"bash","label":"npm"},{"cmd":"yarn add lockfile-lint","lang":"bash","label":"yarn"},{"cmd":"pnpm add lockfile-lint","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"provides the core validation logic","package":"lockfile-lint-api","optional":false}],"imports":[{"note":"ESM-only since v5; use dynamic import for CommonJS.","wrong":"const lockfileLint = require('lockfile-lint')","symbol":"default","correct":"import lockfileLint from 'lockfile-lint'"},{"note":"ESM default export also available as named export.","wrong":"const { lockfileLint } = require('lockfile-lint')","symbol":"lockfileLint","correct":"import { lockfileLint } from 'lockfile-lint'"},{"note":"Type only, requires TypeScript; not available in CJS.","symbol":"LockfileLintConfig","correct":"import type { LockfileLintConfig } from 'lockfile-lint'"}],"quickstart":{"code":"// Install: npm install --save-dev lockfile-lint\n// Run in CI or locally:\nimport lockfileLint from 'lockfile-lint';\nconst result = lockfileLint({\n  type: 'npm',\n  path: './package-lock.json',\n  validateHttps: true,\n  allowedHosts: ['registry.npmjs.org']\n});\nconsole.log(result?.message);\n// Or CLI:\n// npx lockfile-lint --type npm --path package-lock.json --validate-https --allowed-hosts registry.npmjs.org","lang":"typescript","description":"Shows programmatic usage with validation of HTTPS and allowed hosts for npm lockfile."},"warnings":[{"fix":"Convert require() to import or use dynamic import().","message":"v5.0.0 dropped CommonJS support; use ESM imports only.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Use either --allowed-schemes with specific schemes or --validate-https alone.","message":"--allowed-schemes and --validate-https are mutually exclusive.","severity":"gotcha","affected_versions":"*"},{"fix":"Ensure policy clarity: if a URL matches --allowed-urls, it bypasses host validation.","message":"--allowed-urls overrides --allowed-hosts for specific URLs.","severity":"gotcha","affected_versions":"*"},{"fix":"Upgrade Node to >=16.","message":"Node <16 support dropped in v5.","severity":"deprecated","affected_versions":">=5.0.0"},{"fix":"Always specify --type (yarn or npm) explicitly.","message":"Lockfile type detection may fail for unusual filenames.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Upgrade to v4.12.1 or later.","cause":"Bug in v4.12.0 with glob patterns in version flag.","error":"Error: lockfile-lint: --version command-line was throwing an error related to glob matching"},{"fix":"Use import lockfileLint from 'lockfile-lint' or dynamic import().","cause":"Using CommonJS require() with ESM-only version.","error":"TypeError: lockfileLint is not a function"},{"fix":"Choose one: either --allowed-schemes or --validate-https.","cause":"Mutually exclusive options.","error":"Error: lockfile-lint: --allowed-schemes and --validate-https cannot be used together"},{"fix":"Use --type npm or --type yarn (or omit for auto-detection).","cause":"Invalid lockfile type provided.","error":"Error: lockfile-lint: --type must be 'npm' or 'yarn'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}