eslint-plugin-lockfile
1.1.0 verified Fri May 01 auth: no javascript
An ESLint plugin for linting npm ecosystem lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock, vlt-lock.json). Version 1.1.0 requires ESLint ^9.39.2 and Node >=22.21. Provides 6 rules including integrity verification, registry enforcement, and lockfile version/format controls. Maintained by ljharb. Differentiators: supports 5 package managers, supply-chain attack protection via integrity checks, and both flat and legacy configs.
Common errors
error Error: Failed to load plugin 'lockfile': Cannot find module 'eslint-plugin-lockfile'
cause Plugin not installed or not in node_modules
fix Run 'npm install eslint-plugin-lockfile --save-dev'
error TypeError: lockfile.configs is undefined
cause Plugin loaded with require() but default export is not accessed properly
fix Use import statement: 'import lockfile from "eslint-plugin-lockfile"'
error ESLint: Error while loading rule 'lockfile/flavor': Rule options must be an array
cause Rule configuration is not properly formatted as an array
fix Configure as ['error', 'npm'] or ['error', ['npm', 'yarn']]
Warnings
breaking ESLint 8 legacy config is available but deprecated; future versions may drop support.
fix Migrate to flat config (ESLint 9+). Use 'plugin:lockfile/recommended-legacy' only if stuck on ESLint 8.
deprecated The 'recommended-legacy' config is deprecated and will be removed in a future major version.
fix Use 'lockfile.configs.recommended' with flat config instead.
gotcha Rule 'flavor' expects its option as an array of flavors (e.g., ['npm', 'yarn']), not a single string.
fix Use ['error', ['npm']] for a single flavor, not ['error', 'npm'].
gotcha Lockfile parsing may fail silently if the lockfile format is unsupported or malformed; errors are not always surfaced.
fix Ensure lockfiles are valid for the detected package manager. Test with a simple lint run first.
gotcha Integrity rule may produce false positives if packages are from custom registries without standard integrity fields.
fix Add exclusions for known non-standard packages or disable integrity if using private registries without hashes.
deprecated Node.js versions outside ^22.21 || ^24.11 || >=25.2 are not supported.
fix Upgrade Node.js to >=22.21, >=24.11, or >=25.2.
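The integrity gotcha above (private-registry packages with no integrity field) and its fix (exclude only known packages) can be explored with a stand-alone check over a package-lock.json. This is an added example, not the plugin's code or rule logic: the auditLockfile helper, its option names, the sample lockfile and the choice to treat sha1 as weak are assumptions made for illustration.

```javascript
// Constructed sample in package-lock.json v3 shape; names, hosts and hashes are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': {
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED==',
    },
    'node_modules/old-dep': {
      resolved: 'https://registry.npmjs.org/old-dep/-/old-dep-0.1.0.tgz',
      integrity: 'sha1-CONSTRUCTED=',
    },
    'node_modules/internal-lib': {
      resolved: 'https://npm.internal.example/internal-lib/-/internal-lib-2.0.0.tgz',
    },
    'node_modules/mirror-dep': {
      resolved: 'https://mirror.example.net/mirror-dep/-/mirror-dep-4.2.0.tgz',
      integrity: 'sha512-CONSTRUCTED==',
    },
  },
};

// Hypothetical helper: flags entries with no integrity, a weak hash, or an unexpected host.
function auditLockfile(lock, { allowedHosts, noIntegrityOk = [] }) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || pkg.link || !pkg.resolved) continue; // root, workspace links, bundled deps
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const host = new URL(pkg.resolved).host;
    if (!allowedHosts.includes(host)) findings.push({ name, issue: 'registry', detail: host });
    if (!pkg.integrity) {
      // Exclusions are per package name, so one private package does not silence the whole check.
      if (!noIntegrityOk.includes(name)) findings.push({ name, issue: 'missing-integrity' });
    } else if (!/^sha(256|384|512)-/.test(pkg.integrity)) {
      findings.push({ name, issue: 'weak-integrity', detail: pkg.integrity.split('-')[0] });
    }
  }
  return findings;
}

const report = auditLockfile(sampleLock, {
  allowedHosts: ['registry.npmjs.org', 'npm.internal.example'],
  noIntegrityOk: ['internal-lib'],
});
console.log(report);
```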
Install
npm install eslint-plugin-lockfile
yarn add eslint-plugin-lockfile
pnpm add eslint-plugin-lockfile
Imports
- lockfile
wrong const lockfile = require('eslint-plugin-lockfile')
correct import lockfile from 'eslint-plugin-lockfile'
- lockfile.configs.recommended
wrong import { configs } from 'eslint-plugin-lockfile'
correct import lockfile from 'eslint-plugin-lockfile'; ... lockfile.configs.recommended
- rules
wrong import { rules } from 'eslint-plugin-lockfile'
correct import lockfile from 'eslint-plugin-lockfile'; lockfile.rules['lockfile/flavor']
Quickstart
// Install
npm install eslint-plugin-lockfile --save-dev
// eslint.config.js
import lockfile from 'eslint-plugin-lockfile';
export default [
  lockfile.configs.recommended,
  {
    files: ['**/package-lock.json', '**/yarn.lock', '**/pnpm-lock.yaml', '**/bun.lock', '**/bun.lockb', '**/vlt-lock.json'],
    plugins: { lockfile },
    rules: {
      'lockfile/flavor': ['error', 'npm'],
      'lockfile/version': 'error',
      'lockfile/integrity': 'error',
      'lockfile/registry': 'error',
      'lockfile/non-registry-specifiers': 'warn',
      'lockfile/binary-conflicts': 'error',
    },
  },
];
// Lint lockfiles
npx eslint '**/package-lock.json'