{"id":13743150,"url":"https://github.com/yoavain/fix-lockfile-integrity","last_synced_at":"2025-08-09T14:15:27.705Z","repository":{"id":58956706,"uuid":"534521237","full_name":"yoavain/fix-lockfile-integrity","owner":"yoavain","description":"Fix NPM lockfile integrity","archived":false,"fork":false,"pushed_at":"2025-08-05T00:59:59.000Z","size":2313,"stargazers_count":5,"open_issues_count":5,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-05T02:37:58.159Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/fix-lockfile-integrity/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yoavain.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-09-09T06:12:53.000Z","updated_at":"2025-08-05T00:59:08.000Z","dependencies_parsed_at":"2024-01-13T10:12:13.508Z","dependency_job_id":"ea038379-03ce-4d32-9ce2-f2fee28189c6","html_url":"https://github.com/yoavain/fix-lockfile-integrity","commit_stats":{"total_commits":266,"total_committers":3,"mean_commits":88.66666666666667,"dds":0.3872180451127819,"last_synced_commit":"b225d54e07b3e317c4f85bafc50e7fae4338c655"},"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"purl":"pkg:github/yoavain/fix-lockfile-integrity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoavain%2Ffix-lockfile-integrity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoavain%2Ffix-lockfile-integrity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoavain%2Ffix-lockfile-integrity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoavain%2Ffix-lockfile-integrity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yoavain","download_url":"https://codeload.github.com/yoavain/fix-lockfile-integrity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yoavain%2Ffix-lockfile-integrity/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268826550,"owners_count":24313376,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-05T02:00:12.334Z","response_time":2576,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T05:00:41.465Z","updated_at":"2025-08-09T14:15:27.649Z","avatar_url":"https://github.com/yoavain.png","language":"TypeScript","funding_links":[],"categories":["Static Code Analysis"],"sub_categories":[],"readme":"![](https://raw.githubusercontent.com/yoavain/fix-lockfile-integrity/main/resources/docs/logo.gif)\n# Fix Lockfile Integrity \n[![Actions Status](https://github.com/yoavain/fix-lockfile-integrity/workflows/Node%20CI/badge.svg)](https://github.com/yoavain/fix-lockfile-integrity/actions)\n![node](https://img.shields.io/node/v/fix-lockfile-integrity.svg)\n![types](https://img.shields.io/npm/types/typescript.svg)\n![commit](https://img.shields.io/github/last-commit/yoavain/fix-lockfile-integrity.svg)\n![license](https://img.shields.io/npm/l/fix-lockfile-integrity.svg)\n[![CodeQL](https://github.com/yoavain/fix-lockfile-integrity/workflows/CodeQL/badge.svg)](https://github.com/yoavain/fix-lockfile-integrity/actions?query=workflow%3ACodeQL)\n[![fix-lockfile-integrity](https://snyk.io/advisor/npm-package/fix-lockfile-integrity/badge.svg)](https://snyk.io/advisor/npm-package/fix-lockfile-integrity)\n[![Known Vulnerabilities](https://snyk.io/test/github/yoavain/fix-lockfile-integrity/badge.svg?targetFile=package.json)](https://snyk.io//test/github/yoavain/fix-lockfile-integrity?targetFile=package.json)\n[![codecov](https://codecov.io/gh/yoavain/fix-lockfile-integrity/branch/main/graph/badge.svg)](https://codecov.io/gh/yoavain/fix-lockfile-integrity)\n[![Renovate](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com)\n![visitors](https://visitor-badge.glitch.me/badge?page_id=yoavain.fix-lockfile-integrity)\n![Downloads](https://img.shields.io/npm/dm/fix-lockfile-integrity.svg)\n\n**Fix `sha1` integrity in lock files back to `sha512`**\n\n## Features\n- Reverts all `sha1` back to `sha512` which is more secure\n- Works with both package-lock.json and npm-shrinkwrap.json\n- Works with lockfile version 1 \u0026 2\n- Can be configured to work on multiple paths to support monorepo \n- Works only on file system without touching your version control\n\n\n## Limitations\n- By default, fixes only packages from npm registry [registry.npmjs.org](https://www.npmjs.com/). You can change that via configuration file\n\n\n## Installation\n\nInstall globally:\n\n```sh\nnpm install -g fix-lockfile-integrity\n```\n\nOr run with [npx](https://docs.npmjs.com/cli/v8/commands/npx):\n\n```sh\nnpx fix-lockfile-integrity\n```\n\n## Usage\n\nCheck local folder for a lockfile (package-lock.json or npm-shrinkwrap.json) and fix any `sha1` in it\n\n```sh\n$ fix-lockfile\nOverwriting lock file ./package-lock.json with 10 integrity fixes\n```\n\n\u003e **Make sure your lock file is in version control and all changes have been committed. This _will_ overwrite your lock file.**\n\nTo fix a specific file not in the current folder:\n\n```sh\n$ fix-lockfile \u003cfile\u003e\n```\n\n## CLI Options\n```\nfix-lockfile [file]\n\nFix lock file integrity\n\nPositionals:\n  file  file to fix (default: looks for package-lock.json/npm-shrinkwrap.json in running folder)\n\nOptions:\n      --version  Show version number                                   [boolean]\n  -c, --config   configuration file                                     [string]\n  -v, --verbose  verbose logging                                       [boolean]\n  -q, --quiet    quiet (suppresses verbose too)                        [boolean]\n  -h, --help     Show help                                             [boolean]\n\n```\n\n## Configuration file\n\nConfiguration file can be in several formats and are automatically loaded.  \nAlternatively, you can specify configuration file to load via CLI `--config` (alias: `-c`) \n\n### TypeScript\n\n`.fix-lockfile.ts` or ` fix-lockfile.config.ts`\n\n```ts\nimport type { FixLockFileIntegrityConfig } from \"fix-lockfile-integrity\";\n\nconst config: FixLockFileIntegrityConfig = {\n    includePaths: [\"./\", \"./packages/a\", \"./packages/b\"],\n    lockFileNames: [\"package-lock.json\"],\n    allRegistries: true,\n    prettier: {\n        useTabs: true,\n        endOfLine: \"cr\"\n    }\n};\n\nexport default config;\n```\n\n### JavaScript\n\n`.fix-lockfile.js` or ` fix-lockfile.config.js`\n\n```js\nconst config = {\n    includePaths: [\"./\", \"./packages/a\", \"./packages/b\"],\n    lockFileNames: [\"package-lock.json\"],\n    allRegistries: true,\n    prettier: {\n        useTabs: true,\n        endOfLine: \"cr\"\n    }\n};\n\nmodule.exports = config;\n```\n\n### JSON\n\n`.fix-lockfile.json` or ` fix-lockfile.config.json`\n\n```json\n{\n    \"includePaths\": [\"./\", \"./packages/a\", \"./packages/b\"],\n    \"lockFileNames\": [\"package-lock.json\"],\n    \"allRegistries\": true,\n    \"prettier\": {\n        \"useTabs\": true,\n        \"endOfLine\": \"cr\"\n    }\n}\n```\n\n### YAML\n\n`.fix-lockfile.yaml`, ` fix-lockfile.config.yml`, `.fix-lockfile.yaml` or ` fix-lockfile.config.yml`\n\n```yaml\nincludePaths:\n    - \"./\"\n    - \"./packages/a\"\n    - \"./packages/b\"\nlockFileNames:\n    - package-lock.json\nallRegistries: true\nprettier:\n    useTabs: true\n    endOfLine: cr\n```\n\n### Configuration in a Lerna monorepo\n\nFor root folder and all lerna packages\n\n```js\nconst { execSync } = require(\"child_process\");\nconst path = require(\"path\");\n\nconst lernaInfoOutput = execSync(\"lerna list --all --json\", { encoding: \"utf8\" });\nconst lernaPackages = JSON.parse(lernaInfoOutput).map(p =\u003e path.relative(__dirname, p.location));\n\nconst config = {\n    includePaths: [\n        \"./\",\n        ...lernaPackages\n    ],\n    lockFileNames: [\n        \"package-lock.json\"\n    ],\n    allRegistries: true\n};\n\nmodule.exports = config;\n```\n\n### Configuration options\n```\n- includeFiles:     Explicit list of files to fix       (default: none)\n- includePaths:     Paths to look for lock files in     (default: \".\")\n- lockFileNames:    Lock files to look for              (default: [\"package-lock.json\", \"npm-shrinkwrap.json\"])\n- allRegistries:    Fetch integrity from all registries (default: false)\n- registries:       Registries to fetch integrity from (default: [\"registry.npmjs.org\"])\n- prettier:         Overriding prettier config in case needed\n```\n\n## Automation\n\nIf you want to make sure to avoid those `sha1` in your files and avoid unnecessary changes in PRs, you should do one of the following:\n\n#### 1) Add to postinstall\nThis way it will run after each time you run `npm install`\n```json\n{\n    \"postinstall\": \"fix-lockfile package-lock.json\"\n}\n```\n\n#### 2) pre-commit hook\nUsing husky (or alike) to run as a pre-commit hook\n\n\n## Why?\n\nNPM has known issue of constantly changing integrity property of its lock file. Integrity may change due to plenty of reasons. Some of them are:\n\n1. npm install done on machine with different OS from one where lock file generated\n2. some package version updated\n3. another version of npm used\n\nIntention of this tool is to prevent such changes and make integrity property secure and reliable.\n\n\n## Report issues\n\nIf something doesn't work, please [file an issue](https://github.com/yoavain/fix-lockfile-integrity/issues/new).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyoavain%2Ffix-lockfile-integrity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyoavain%2Ffix-lockfile-integrity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyoavain%2Ffix-lockfile-integrity/lists"}