lockfile-lint-api

5.9.2 verified Fri May 01

Programmatic API for linting npm (package-lock.json) or yarn (yarn.lock) lockfiles to detect security and policy issues: tampered or redirected 'resolved' URLs, plain-HTTP downloads, mirrors outside your allow-list, tarballs whose name does not match the package entry, and weak integrity hashes. Current stable version is 5.9.2, released from the lockfile-lint monorepo. It provides a parser (ParseLockfile) and validators for the HTTPS scheme, allowed hosts, package name consistency, allowed URI schemes, and integrity hash types. Each validator returns a structured result object of the form { type: 'success' | 'error', errors: [...] } rather than throwing on policy violations. Requires Node >=16.0.0.

error Error: Cannot find module 'lockfile-lint-api'
cause Package not installed or incorrect import path.
fix
Run 'npm install lockfile-lint-api' and ensure import path is correct.
error TypeError: validator.validate is not a function
cause Calling validate() on the wrong object, e.g. on the ParseLockfile instance (which exposes parseSync(), not validate()), or on a misspelled validator name.
fix
Instantiate a validator (ValidateHost, ValidateHttps, ...) with { packages: lockfile.object }, where lockfile is the result of parser.parseSync(), and call validate() on that validator instance.
breaking Requires Node >=16.0.0 as of version 5.0.0
fix Upgrade Node.js to version 16 or later.
deprecated The 'ValidateScheme' validator is being deprecated in favor of 'ValidateHttps'
fix Use ValidateHttps instead of ValidateScheme.
gotcha Validators skip packages without a 'resolved' field (e.g., local filesystem packages).
fix Validation only covers entries that carry a 'resolved' URL; treat link:/file: entries as unvalidated and review them separately rather than assuming a 'success' result covers them.
npm install lockfile-lint-api
yarn add lockfile-lint-api
pnpm add lockfile-lint-api

Parses a package-lock.json file and validates that every package with a 'resolved' URL is hosted on the npm registry ('npm' is an alias ValidateHost accepts for registry.npmjs.org; explicit hostnames work as well).

import { ParseLockfile, ValidateHost } from 'lockfile-lint-api';

// ParseLockfile reads the file itself: it takes an options object with the
// path (and optionally the lockfile type, 'npm' or 'yarn'), not the file text.
const parser = new ParseLockfile({ lockfilePath: 'package-lock.json', lockfileType: 'npm' });
const lockfile = parser.parseSync();

// Validators take the parsed package map (lockfile.object), not the parser result.
const validator = new ValidateHost({ packages: lockfile.object });
try {
  // validate() returns { type: 'success' | 'error', errors: [...] }; policy
  // violations are reported in the result, so the catch only sees misuse
  // (e.g. passing something other than an array of hosts).
  const result = validator.validate(['npm']);
  if (result.type === 'success') {
    console.log('Valid');
  } else {
    for (const e of result.errors) console.error(e.message);
    process.exitCode = 1;
  }
} catch (err) {
  console.error('Validation error:', err.message);
}
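The example above checks hosts only. As an added, standalone illustration of all four policy checks the description names (allowed hosts, HTTPS/scheme, package-name consistency, integrity hash type), the block below re-implements them over a constructed package-lock.json v3 document so it runs offline without the library. This is not lockfile-lint-api's own code: the function names (lintLockfile, packageNameFromKey, packageNameFromResolved), the POLICY object and the sample lockfile are assumptions made for this example; in a real project you would use the library's validators instead. It also mirrors the 'resolved' gotcha above by skipping entries that have no 'resolved' URL.

```javascript
// Standalone re-implementation of the lockfile policy checks (NOT lockfile-lint-api's code).
// URL is a Node global, so no imports are needed.

// Constructed sample lockfile (not a real project). Each entry exercises one check.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'sample-app', version: '1.0.0', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },                          // root: no 'resolved', skipped
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-AAAA'                                             // clean entry (digest shortened)
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'http://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz', // plain http
      integrity: 'sha512-BBBB'
    },
    'node_modules/@acme/ui': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/@acme/ui/-/ui-2.0.0.tgz',
      integrity: 'sha1-CCCC'                                               // weak hash type
    },
    'node_modules/debug': {
      version: '4.3.4',
      resolved: 'https://mirror.example.test/debug/-/debug-4.3.4.tgz',     // host not in allow-list
      integrity: 'sha512-DDDD'
    },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://registry.npmjs.org/expres/-/expres-4.18.2.tgz',   // tarball name != entry name
      integrity: 'sha512-EEEE'
    },
    'node_modules/local-lib': { version: '0.0.1', link: true }             // no 'resolved': skipped
  }
});

// Map a packages-map key ('node_modules/a/node_modules/@s/b') to the package name ('@s/b').
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Name encoded in a registry tarball URL: the path segment(s) before '/-/'.
function packageNameFromResolved(resolved) {
  const pathname = decodeURIComponent(new URL(resolved).pathname);
  const cut = pathname.indexOf('/-/');
  return cut === -1 ? null : pathname.slice(1, cut);
}

// Run every check over every resolvable entry; return a result shaped like the
// library's { type, errors } objects (shape assumed for this example).
function lintLockfile(text, policy) {
  const lock = JSON.parse(text);
  const errors = [];
  for (const [key, meta] of Object.entries(lock.packages ?? {})) {
    if (!meta.resolved) continue;                       // nothing to validate (link:/file: deps)
    const name = packageNameFromKey(key);
    const url = new URL(meta.resolved);
    const scheme = url.protocol.replace(':', '');
    if (!policy.allowedSchemes.includes(scheme)) {
      errors.push({ package: name, check: 'scheme', message: `${name}: scheme '${scheme}' not allowed` });
    }
    if (!policy.allowedHosts.includes(url.hostname)) {
      errors.push({ package: name, check: 'host', message: `${name}: host '${url.hostname}' not allowed` });
    }
    const urlName = packageNameFromResolved(meta.resolved);
    if (urlName !== null && urlName !== name) {
      errors.push({ package: name, check: 'package-name', message: `${name}: tarball URL is for '${urlName}'` });
    }
    const algo = (meta.integrity ?? '').split('-')[0];  // SRI prefix, e.g. 'sha512'
    if (!policy.allowedIntegrity.includes(algo)) {
      errors.push({ package: name, check: 'integrity', message: `${name}: integrity algorithm '${algo}' not allowed` });
    }
  }
  return { type: errors.length ? 'error' : 'success', errors };
}

// Assumed policy: only https, only the public npm registry, only sha512 digests.
const POLICY = { allowedSchemes: ['https'], allowedHosts: ['registry.npmjs.org'], allowedIntegrity: ['sha512'] };

const demoResult = lintLockfile(SAMPLE_LOCKFILE, POLICY);
for (const e of demoResult.errors) console.log(e.message);
console.log(demoResult.type); // 'error': four entries fail one check each
```

Running it reports four findings (left-pad: scheme, @acme/ui: integrity, debug: host, express: package-name) and nothing for the root or link: entries. The order of checks is deliberate: scheme and host catch an attacker who rewrote 'resolved' to point at a different server, the name check catches a tarball swap on a trusted host, and the integrity check ensures the digest npm will verify is one that cannot be trivially collided.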