lockfile-lint
raw JSON → 5.0.0 verified Sat Apr 25 auth: no javascript
lockfile-lint is a CLI tool that lints npm and Yarn lockfiles (package-lock.json, yarn.lock) against a supply-chain policy. It checks where each locked package resolves from (an allowlist of hosts, plus an allowlist of exact URLs for exceptions) and that every resolved URL uses HTTPS or another explicitly allowed scheme, and it exits non-zero on any violation so a CI step can block a lockfile that was edited to pull a dependency from an unexpected host or over plain HTTP. Unlike a generic linter it does not judge code; it judges lockfile entries. The current stable version is 5.0.0 (requires Node >=16), with frequent patch releases. Maintained by Liran Tal.
Common errors
error Error: running lockfile-lint --version threw an error related to glob matching ↓
cause Bug in v4.12.0 in how the --version flag interacted with glob-pattern handling of arguments.
fix
Upgrade to v4.12.1 or later.
error TypeError: lockfileLint is not a function ↓
cause Using CommonJS require() with an ESM-only version (5.x); require() does not yield the exported function.
fix
Use import lockfileLint from 'lockfile-lint' or dynamic import().
error Error: lockfile-lint: --allowed-schemes and --validate-https cannot be used together ↓
cause Mutually exclusive options.
fix
Choose one: --validate-https (accept https only) or --allowed-schemes (an explicit list of accepted schemes); do not pass both.
error Error: lockfile-lint: --type must be 'npm' or 'yarn' ↓
cause Invalid lockfile type provided.
fix
Use --type npm or --type yarn (or omit for auto-detection).
Warnings
breaking v5.0.0 dropped CommonJS support; use ESM imports only. ↓
fix Convert require() to import or use dynamic import().
gotcha --allowed-schemes and --validate-https are mutually exclusive. ↓
fix Use either --allowed-schemes with specific schemes or --validate-https alone.
gotcha --allowed-urls is an allowlist of exact URLs that are accepted even when their host is not in --allowed-hosts. ↓
fix Treat it as a narrow exception list (for example a single git dependency), not a second host policy: a resolved URL that matches an entry skips host validation entirely, so keep entries exact and review every addition.
deprecated Node <16 support dropped in v5. ↓
fix Upgrade Node to >=16.
gotcha Lockfile type detection may fail for unusual filenames (anything other than package-lock.json or yarn.lock). ↓
fix Always pass --type (npm or yarn) explicitly, especially in CI, so the run fails loudly instead of silently linting nothing.
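The policy semantics described above, as an added example that is not lockfile-lint's own code: a small Node.js reimplementation of the scheme, host and allowed-URL checks over a constructed package-lock.json, written here to show how --validate-https, --allowed-schemes, --allowed-hosts and --allowed-urls interact, including the mutual exclusion and the allowed-URL bypass. Package names, hosts and the git URL in the sample are made up; lintLockfile, parseNpmLockfile and the { type, errors } result shape are this example's own, not the tool's API.

```javascript
// Added example (not lockfile-lint's own code): a small re-implementation of
// the policy checks the tool enforces, so the semantics of --validate-https,
// --allowed-schemes, --allowed-hosts and --allowed-urls can be run offline.

// Constructed sample package-lock.json (lockfileVersion 3 layout). Hosts,
// package names and the git URL are made up for the example.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
    'node_modules/plain-http-dep': {
      version: '0.0.1',
      resolved: 'http://registry.npmjs.org/plain-http-dep/-/plain-http-dep-0.0.1.tgz',
    },
    'node_modules/@acme/lookalike': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org.attacker.example/@acme/lookalike/-/lookalike-2.0.0.tgz',
    },
    'node_modules/internal-lib': {
      version: '3.1.0',
      resolved: 'git+ssh://git@github.com/example-org/internal-lib.git#0123abcd',
    },
  },
});

// Policy equivalent to:
//   --validate-https --allowed-hosts registry.npmjs.org \
//   --allowed-urls git+ssh://git@github.com/example-org/internal-lib.git
const POLICY = {
  validateHttps: true,
  allowedHosts: ['registry.npmjs.org'],
  allowedUrls: ['git+ssh://git@github.com/example-org/internal-lib.git'],
};

// Flatten an npm lockfile into [{ name, resolved }]. lockfileVersion 2/3 list
// every installed path under "packages"; lockfileVersion 1 nests them under
// "dependencies", so both layouts are handled.
function parseNpmLockfile(text) {
  const lock = JSON.parse(text);
  const entries = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '' || !meta.resolved) continue; // root project, links, bundled deps
      const i = path.lastIndexOf('node_modules/');
      entries.push({ name: i < 0 ? path : path.slice(i + 'node_modules/'.length), resolved: meta.resolved });
    }
  } else {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (meta.resolved) entries.push({ name, resolved: meta.resolved });
        walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return entries;
}

// The allowed-URL match ignores the commit fragment so a pinned "#<sha>"
// still matches the listed repository URL.
function stripFragment(url) {
  return url.split('#')[0];
}

// Run the policy and return { type: 'success' | 'error', errors } instead of
// printing, so a caller or CI step can decide what to do with the result.
function lintLockfile(text, policy) {
  if (policy.validateHttps && policy.allowedSchemes) {
    throw new Error('validateHttps and allowedSchemes are mutually exclusive');
  }
  const allowedUrls = new Set((policy.allowedUrls || []).map(stripFragment));
  const errors = [];
  for (const { name, resolved } of parseNpmLockfile(text)) {
    // An entry on the URL allowlist bypasses every other check. That is the
    // policy's escape hatch, so keep the list short and exact.
    if (allowedUrls.has(stripFragment(resolved))) continue;

    let url;
    try {
      url = new URL(resolved);
    } catch {
      errors.push({ name, resolved, reason: 'resolved field is not a valid URL' });
      continue;
    }
    const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
    if (policy.validateHttps && scheme !== 'https') {
      errors.push({ name, resolved, reason: `scheme "${scheme}" is not https` });
    } else if (policy.allowedSchemes && !policy.allowedSchemes.includes(scheme)) {
      errors.push({ name, resolved, reason: `scheme "${scheme}" is not allowed` });
    }
    // Compare the parsed hostname exactly: a substring or prefix test would
    // accept registry.npmjs.org.attacker.example.
    if (policy.allowedHosts && !policy.allowedHosts.includes(url.hostname)) {
      errors.push({ name, resolved, reason: `host "${url.hostname}" is not allowed` });
    }
  }
  return { type: errors.length === 0 ? 'success' : 'error', errors };
}

console.log(JSON.stringify(lintLockfile(SAMPLE_LOCKFILE, POLICY), null, 2));
```

Run with node: the sample produces two errors, one for the plain-http entry and one for the lookalike host, while the git+ssh dependency passes only because its exact URL is on the allowlist. Dropping that allowlist entry makes it fail both the scheme and the host check, which is the behaviour you want from a policy that is meant to be explicit.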
Install
npm install --save-dev lockfile-lint
yarn add --dev lockfile-lint
pnpm add -D lockfile-lint
Imports
- default
  wrong: const lockfileLint = require('lockfile-lint')
  correct: import lockfileLint from 'lockfile-lint'
- lockfileLint
  wrong: const { lockfileLint } = require('lockfile-lint')
  correct: import { lockfileLint } from 'lockfile-lint'
- LockfileLintConfig
  import type { LockfileLintConfig } from 'lockfile-lint'
Quickstart
// Install: npm install --save-dev lockfile-lint
// Run in CI or locally:
import lockfileLint from 'lockfile-lint';
const result = lockfileLint({
type: 'npm',
path: './package-lock.json',
validateHttps: true,
allowedHosts: ['registry.npmjs.org']
});
console.log(result?.message);
// Or from the CLI (exits non-zero when any policy check fails, so the CI step fails with it):
// npx lockfile-lint --type npm --path package-lock.json --validate-https --allowed-hosts registry.npmjs.org