ESLint Plugin Package Lock

1.0.0 verified Fri May 01 auth: no javascript

An ESLint plugin to lint package-lock.json files, providing rules such as lock-file-version to enforce a specific lock file version (default v3). It uses eslint-plugin-json-es as a parser for JSON files. The plugin helps maintain compatibility and avoid issues with lock file versions, particularly v2's larger footprint. Currently stable at v1.0.0 with no recent releases; requires ESLint >=7. Ideal for teams wanting to standardize lock file versions in CI/CD pipelines.

error: Error: Failed to load parser 'eslint-plugin-json-es' declared in 'parser' of config '...'
cause: Missing eslint-plugin-json-es dependency.
fix: Run: npm install --save-dev eslint-plugin-json-es

error: Parsing error: Unexpected token } in JSON at position 1234
cause: package-lock.json is malformed or the parser is not set correctly.
fix: Ensure the parser is set to 'eslint-plugin-json-es' in the override for package-lock.json.

error: Definition for rule 'package-lock/lock-file-version' was not found
cause: Plugin is not loaded in the 'plugins' array.
fix: Add 'plugins: ["package-lock"]' to your ESLint config.

gotcha: The plugin requires eslint-plugin-json-es as a parser for package-lock.json files; forgetting to install it causes parse errors.
fix: Install eslint-plugin-json-es: npm install --save-dev eslint-plugin-json-es

gotcha: Lock file version rule default is 3, which may break CI if the lock file is version 2.
fix: Set the version explicitly in the rule options: ["error", { "version": 2 }]

breaking: Plugin is ESM-only from v1.0.0; CommonJS require() may not work with some ESLint versions or bundlers.
fix: Use ESLint's 'import' syntax or upgrade ESLint to support ESM configs.

deprecated: The 'version' config is not officially deprecated but may be removed in a future major release.
fix: Use the 'plugin:package-lock/version' extends with explicit overrides instead.

npm install eslint-plugin-package-lock
yarn add eslint-plugin-package-lock
pnpm add eslint-plugin-package-lock

Configures ESLint to lint package-lock.json and enforce lock file version 3 using the plugin's recommended config.

// .eslintrc.json
{
    "extends": ["plugin:package-lock/version"],
    "overrides": [
        {
            "files": ["package-lock.json"],
            "parser": "eslint-plugin-json-es",
            "plugins": ["package-lock"],
            "rules": {
                "package-lock/lock-file-version": ["error", { "version": 3 }]
            }
        }
    ]
}

// Then run: eslint package-lock.json