{"id":49182907,"url":"https://github.com/tartinerlabs/lockfile-integrity","last_synced_at":"2026-04-23T02:04:42.484Z","repository":{"id":349112301,"uuid":"1201106961","full_name":"tartinerlabs/lockfile-integrity","owner":"tartinerlabs","description":"Detects lockfile changes without corresponding package.json modifications — a supply chain tamper signal","archived":false,"fork":false,"pushed_at":"2026-04-04T08:50:50.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-04T10:14:14.547Z","etag":null,"topics":["bun","github-actions","lockfile","npm","pnpm","security","supply-chain-security","yarn"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/lockfile-integrity-check","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tartinerlabs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-04T08:10:59.000Z","updated_at":"2026-04-04T08:53:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tartinerlabs/lockfile-integrity","commit_stats":null,"previous_names":["tartinerlabs/lockfile-integrity"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/tartinerlabs/lockfile-integrity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tartinerlabs%2Flockfile-integrity","tags_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/tartinerlabs%2Flockfile-integrity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tartinerlabs%2Flockfile-integrity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tartinerlabs%2Flockfile-integrity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tartinerlabs","download_url":"https://codeload.github.com/tartinerlabs/lockfile-integrity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tartinerlabs%2Flockfile-integrity/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32162614,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-22T17:06:48.269Z","status":"online","status_checked_at":"2026-04-23T02:00:06.710Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bun","github-actions","lockfile","npm","pnpm","security","supply-chain-security","yarn"],"created_at":"2026-04-23T02:04:21.347Z","updated_at":"2026-04-23T02:04:42.470Z","avatar_url":"https://github.com/tartinerlabs.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Lockfile Integrity Check\n\n**Your lockfile changed, but `package.json` didn't. 
Why?**\n\nA zero-dependency GitHub Action that catches suspicious lockfile modifications in pull requests, the kind that slip past code review and open the door to supply chain attacks.\n\nSupports `pnpm-lock.yaml`, `package-lock.json`, `yarn.lock`, and `bun.lock`.\n\n## The Problem\n\nLockfile-only changes are one of the most overlooked vectors in npm supply chain attacks. An attacker (or a compromised CI step) can inject a malicious package resolution directly into the lockfile. Since lockfile diffs are large and noisy, reviewers rarely scrutinize them line by line.\n\nThis action makes that invisible change visible and blocks the PR until someone explains it.\n\n## How It Works\n\n```\nPR opened\n  |\n  v\n  git diff origin/main...HEAD\n  |\n  |__ lockfile changed?\n  |     |\n  |     |__ package.json / workspace / config also changed?  --\u003e Pass (legitimate dependency update)\n  |     |\n  |     |__ none of those changed?                           --\u003e Fail with annotation (possible tampering)\n  |\n  |__ no lockfile changed?              --\u003e Skip (nothing to check)\n```\n\n## Quick Start\n\n```yaml\nname: Lockfile Integrity\n\non:\n  pull_request:\n    paths:\n      - pnpm-lock.yaml\n      - package-lock.json\n      - yarn.lock\n      - bun.lock\n\npermissions:\n  contents: read\n\njobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n        with:\n          fetch-depth: 0  # Required: the action diffs against the base branch\n\n      - uses: tartinerlabs/lockfile-integrity@v1\n        with:\n          base-ref: ${{ github.base_ref }}\n```\n\nThat's it. The action auto-detects which lockfile(s) changed. No configuration needed.\n\n\u003e **Tip:** For maximum supply chain safety, pin to a specific commit SHA instead of a mutable tag:\n\u003e\n\u003e ```yaml\n\u003e - uses: tartinerlabs/lockfile-integrity@\u003ccommit_sha\u003e  # v1\n\u003e ```\n\u003e\n\u003e Tags can be moved to point at different commits. 
A SHA pin guarantees you run exactly the code you audited.\n\n### Pin to a Specific Lockfile\n\nIf your repo uses a single package manager, you can be explicit:\n\n```yaml\n- uses: tartinerlabs/lockfile-integrity@v1\n  with:\n    base-ref: ${{ github.base_ref }}\n    lockfile: pnpm-lock.yaml  # or package-lock.json, yarn.lock, bun.lock\n```\n\n### Warn Instead of Fail\n\nUseful for rolling out gradually. Annotates the PR without blocking it:\n\n```yaml\n- uses: tartinerlabs/lockfile-integrity@v1\n  with:\n    base-ref: ${{ github.base_ref }}\n    fail-on-warning: \"false\"\n```\n\n### Use Outputs in Downstream Steps\n\n```yaml\n- uses: tartinerlabs/lockfile-integrity@v1\n  id: integrity\n  with:\n    base-ref: ${{ github.base_ref }}\n    fail-on-warning: \"false\"\n\n- if: steps.integrity.outputs.tampered == 'true'\n  run: echo \"Suspicious lockfiles: ${{ steps.integrity.outputs.lockfiles }}\"\n```\n\n## Inputs\n\n| Input | Required | Default | Description |\n|-------|----------|---------|-------------|\n| `base-ref` | Yes | | Base branch for comparison (e.g. `main`) |\n| `lockfile` | No | _(auto-detect)_ | Lockfile to monitor; auto-detects from changed files when omitted |\n| `fail-on-warning` | No | `true` | Whether to fail the check or just warn |\n\n## Outputs\n\n| Output | Description |\n|--------|-------------|\n| `tampered` | `\"true\"` if lockfile tampering was detected, `\"false\"` otherwise |\n| `lockfiles` | Space-separated list of lockfiles that were modified |\n\n## Requirements\n\nThe checkout step **must** use `fetch-depth: 0` so the action can diff against the base branch. Without it, the git history won't be available and the check will fail.\n\n## FAQ\n\n**Does this catch all supply chain attacks?**\nNo. This catches one specific signal: lockfile-only changes. It's a lightweight tripwire, not a full dependency audit. 
Pair it with tools like `npm audit`, Socket, or Snyk for deeper analysis.\n\n**What if I regenerate my lockfile intentionally?**\nTouch `package.json` in the same PR (even a whitespace change counts) and the check passes. Changes to `pnpm-workspace.yaml`, `.npmrc`, `.yarnrc.yml`, `.yarnrc`, or `bunfig.toml` also count as legitimate triggers. Or use `fail-on-warning: \"false\"` to get a warning annotation instead of a hard failure.\n\n**Does it work with monorepos?**\nYes. The action checks if any `package.json` or workspace file (`pnpm-workspace.yaml`) changed, so lockfile updates driven by workspace or catalog changes pass without false positives.\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftartinerlabs%2Flockfile-integrity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftartinerlabs%2Flockfile-integrity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftartinerlabs%2Flockfile-integrity/lists"}