Question 1

How to integrate lockfile-lint into GitHub Actions?

Accepted Answer

Add a step in your workflow YAML that runs npx lockfile-lint with appropriate flags, such as --path yarn.lock --allowed-hosts npm. Refer to the lockfile-lint CLI documentation for examples on setting up in CI/CD pipelines.

Question 2

lockfile-lint vs npm audit: which one should I use?

Accepted Answer

Use lockfile-lint to prevent malicious package injections by validating hosts and HTTPS, and npm audit to scan for known vulnerabilities. They address different threats; the README FAQ explains lockfile-lint complements npm audit by covering lockfile-specific risks.

Question 3

Does lockfile-lint work with Yarn 2 or berry?

Accepted Answer

It supports yarn.lock files, but for Yarn 2 (berry), check compatibility as lockfile formats may differ. The README examples use yarn.lock, so it likely works, but verify with the project's issue tracker for any known limitations.

Question 4

Can lockfile-lint detect malicious packages in lockfiles?

Accepted Answer

No, it only checks if packages come from allowed hosts and use HTTPS; it doesn't analyze package content. For detecting malicious code, use tools like npq or Snyk, as mentioned in the security disclaimer.

Question 5

How to configure allowed hosts for a private registry?

Accepted Answer

Use the --allowed-hosts flag with the registry URL, e.g., --allowed-hosts npm myprivateregistry.com. Ensure the registry is trusted, as the tool will whitelist it without further validation of package integrity.

Question 6

Is lockfile-lint necessary for pnpm projects?

Accepted Answer

According to the FAQ, pnpm is less vulnerable to lockfile injection attacks, and support is limited. For pnpm projects, the tool might not add significant value unless specific attack vectors are identified and reported.

lockfile-lint

What is lockfile-lint?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions