{"id":13451802,"url":"https://github.com/lirantal/lockfile-lint","last_synced_at":"2025-05-14T10:08:04.793Z","repository":{"id":34915967,"uuid":"189734318","full_name":"lirantal/lockfile-lint","owner":"lirantal","description":"Lint an npm or yarn lockfile to analyze and detect security issues","archived":false,"fork":false,"pushed_at":"2024-09-12T17:53:24.000Z","size":1162,"stargazers_count":785,"open_issues_count":1,"forks_count":35,"subscribers_count":9,"default_branch":"main","last_synced_at":"2024-10-29T15:18:11.572Z","etag":null,"topics":["hacktoberfest","lint","linter","lockfile","lockfiles","nodejs","npm","yarn"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lirantal.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-01T13:11:44.000Z","updated_at":"2024-10-26T00:36:58.000Z","dependencies_parsed_at":"2024-01-06T09:59:25.967Z","dependency_job_id":"2e473f85-202d-4ad7-9f2e-f583abc0af2d","html_url":"https://github.com/lirantal/lockfile-lint","commit_stats":{"total_commits":276,"total_committers":36,"mean_commits":7.666666666666667,"dds":0.5217391304347826,"last_synced_commit":"89b5cad028df4d77bab2b73ac93bc61e392668ab"},"previous_names":[],"tags_count":138,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Flockfile-lint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Flockfile-lint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Flockfile-lint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Flockfile-lint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lirantal","download_url":"https://codeload.github.com/lirantal/lockfile-lint/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247954018,"owners_count":21024140,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","lint","linter","lockfile","lockfiles","nodejs","npm","yarn"],"created_at":"2024-07-31T07:01:03.042Z","updated_at":"2025-04-09T01:23:32.443Z","avatar_url":"https://github.com/lirantal.png","language":"JavaScript","funding_links":[],"categories":["Packages","JavaScript","Point-of-use validations","Static Code Analysis","Linters","npm","Other","4. Prevent npm lockfile injection"],"sub_categories":["Other","Vulnerability information exchange","npm","Bun lockfile linting"],"readme":"\u003cp align=\"center\"\u003e\u003ch1 align=\"center\"\u003e\n  lockfile linting 🌈\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  lint lockfiles for improved security and trust policies\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/lirantal/lockfile-lint/actions/workflows/ci.yml/badge.svg\" alt=\"lockfile-lint main CI\"\u003e\n  \u003ca href=\"https://codecov.io/gh/lirantal/lockfile-lint\" \u003e \n   \u003cimg src=\"https://codecov.io/gh/lirantal/lockfile-lint/graph/badge.svg?token=P36VJa7ksa\"/\u003e \n   \u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.org/package/lockfile-lint-api\"\u003e\u003cimg src=\"https://badgen.net/npm/license/lockfile-lint-api\" alt=\"license\"/\u003e\u003c/a\u003e\n  \u003ca href=\"./SECURITY.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg\" alt=\"Security Responsible Disclosure\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/lirantal/lockfile-lint#usage\"\u003e\u003cimg src=\"https://badgen.net/badge/npx/lockfile-lint%20--path%20yarn.lock%20--type%20yarn%20--validate-https%20--allowed-hosts%20npm/blue?icon=npm\" alt=\"npx lockfile-lint\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# About\n\nLockfiles are used as trusted whitelist of resources manifest to fetch packages from.\nHowever, keeping track of the changes introduced to lockfiles is not an easy task as they are designed to be consumed by machines 🤖.\n\nWhat happens when someone creates a Pull Request and sneaks a malicious resource package that replaces a real library? 😱\n\nExactly!\nLint your lockfiles to ensure they adhere to pre-defined security policies and mitigate this vector of attack.\n\n**Why is this important?** read: [Why npm lockfiles can be a security blindspot for injecting malicious modules](https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/)\n\n# Learn Node.js Security\n\n\u003cdiv align=\"center\"\u003e\n  \u003cp\u003e\n    \u003ca href=\"https://nodejs-security.com\"\u003e\n      \u003cimg alt=\"Node.js Security\" align=\"center\" src=\"https://img.shields.io/badge/%F0%9F%A6%84-Learn%20Node.js%20Security%E2%86%92-gray.svg?colorA=5734F5\u0026colorB=5734F5\u0026style=flat\" /\u003e\n    \u003c/a\u003e\n  \u003c/p\u003e\n  \n  ![Screenshot 2024-09-12 at 20 08 07](https://github.com/user-attachments/assets/970a97fd-16bd-4b3c-b535-ae7445b52d4c)\n\n  \u003cp\u003e\n    Learn Node.js Secure Coding techniques and best practices from \u003ca href=\"https://www.lirantal.com\"\u003eLiran Tal\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n# Usage\n\nEasily invoked with npx on any project and lint it:\n\n```bash\nnpx lockfile-lint --path yarn.lock --allowed-hosts npm yarn --validate-https\n```\n\nTo lint the npm-shrinkwrap.json file, add the `--type npm` flag:\n\n```bash\nnpx lockfile-lint --path npm-shrinkwrap.json --type npm --allowed-hosts npm yarn --validate-https\n```\n\nIf you get no results, congratulations, the file passes!\n\nIf lockfile-lint detects exceptions to the policies it will report them:\n\n![carbon](https://user-images.githubusercontent.com/316371/59755684-09923200-9291-11e9-9add-6886dfc6689a.png)\n\nRefer to [lockfile-lint](https://github.com/lirantal/lockfile-lint/tree/main/packages/lockfile-lint) for more details on the CLI usage.\n\nYou can use `lockfile-lint` as a standalone CLI tool, or as an API library using the following npm packages:\n\n- [lockfile-lint](https://github.com/lirantal/lockfile-lint/tree/main/packages/lockfile-lint) - a CLI tool that can be easily integrated as a pre-commit hook or part of a CI/build\n- [lockfile-lint-api](https://github.com/lirantal/lockfile-lint/tree/main/packages/lockfile-lint-api) - a library providing a programmatic API\n\n## Security Disclaimer\n\nPlease be advised of the following security disclaimers that are outside of the control of a lockfile linter:\n\nWhen you whitelist all hosts from npmjs, yarnpkg, github or other registries you implicitly convey that you trust all the packages originating from these sources. As such, a malicious package can exist in a registry source that you whitelist. Direct dependencies that you should add to a project should be well vetted before adding such as using a tool like [npq](https://github.com/lirantal/npq).\n\n# References\n\n- [Secure Nodejs Guidelines section on Lockfile Attack](https://securenodejsguidelines.ulisesgascon.com/attacks/lockfile-posioned)\n- [pnpm's lockfile injection #4361](https://github.com/pnpm/pnpm/issues/4361)\n- [yarn's lockfile injection #4136](https://github.com/yarnpkg/berry/discussions/4136)\n\n# FAQ\n\n## What about pnpm support?\n\npnpm doesn't maintain the tarball source of an npm package so unlike yarn, and npm, there's no way to inject an attacker-controlled malicious source file in `pnpm-lock.yaml`. Other vectors that were explored were to inject new packages into the lockfile (that aren't in `package.json`) yet pnpm isn't prone to these malicious attempts and would not install them.\n\nIf you have witnessed a possible attack vector on pnpm's lockfile, please open an issue with reproducible steps.\n\n## How is this different from `npm audit`?\n\n`npm audit` is a tool to audit your dependencies for known vulnerabilities. However, it doesn't address the issue of malicious packages being injected into your lockfile. `lockfile-lint` is a tool that is designed to address this issue.\n\n# Author\n\n**lockfile-lint** © [Liran Tal](https://github.com/lirantal), Released under the [Apache-2.0](./LICENSE) License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flirantal%2Flockfile-lint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flirantal%2Flockfile-lint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flirantal%2Flockfile-lint/lists"}