Lint an npm or yarn lockfile to analyze and detect security issues
source link: https://github.com/lirantal/lockfile-lint
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
lockfile linting :rainbow:
lint lockfiles for improved security and trust policies
About
Lockfiles are used as trusted whitelist of resources manifest to fetch packages from. However, keeping track of the changes introduced to lockfiles is not an easy task as they are designed to consumed by machines .
What happens when someone creates a Pull Request and sneaks a malicious resource package that replaces a real library? :scream:
Exactly! Lint your lockfiles to ensure they adhere to pre-defined security policies and mitigate this vector of attack.
Usage
Easily invoked with npx on any project and lint it:
npx lockfile-lint --path yarn.lock --allowed-hosts npm yarn --validate-https
If lockfile-lint detects exceptions to the policies it will report them:
Refer to lockfile-lint for more details on the CLI usage.
You can use lockfile-lint as a standalone CLI tool, or as an API library using the following npm packages:
- lockfile-lint - a CLI tool that can be easily integrated as a pre-commit hook or part of a CI/build
- lockfile-lint-api - a library providing a programmatic API
Author
lockfile-lint© Liran Tal , Released under the Apache-2.0 License.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK