check-npm-lockfile 0.0.1 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +80 -0
- package/package.json +3 -2
package/README.md
ADDED
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
# check-npm-lockfile
|
|
2
|
+
|
|
3
|
+
Detect recently published npm packages in lockfiles for supply chain attack prevention.
|
|
4
|
+
|
|
5
|
+
## Why?
|
|
6
|
+
|
|
7
|
+
Supply chain attacks often involve publishing malicious packages or compromising existing ones. This tool helps identify packages in your lockfile that were published recently, allowing you to review them before they enter your codebase.
|
|
8
|
+
|
|
9
|
+
## Installation
|
|
10
|
+
|
|
11
|
+
```bash
|
|
12
|
+
# Global installation
|
|
13
|
+
npm install -g check-npm-lockfile
|
|
14
|
+
|
|
15
|
+
# Or use with npx (no installation required)
|
|
16
|
+
npx -y check-npm-lockfile
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
## Usage
|
|
20
|
+
|
|
21
|
+
```bash
|
|
22
|
+
# Check current directory (auto-detects lockfile)
|
|
23
|
+
check-npm-lockfile
|
|
24
|
+
|
|
25
|
+
# Check specific lockfile
|
|
26
|
+
check-npm-lockfile package-lock.json
|
|
27
|
+
check-npm-lockfile yarn.lock
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Options
|
|
31
|
+
|
|
32
|
+
| Option | Description | Default |
|
|
33
|
+
|--------|-------------|---------|
|
|
34
|
+
| `--minimum-release-age <duration>` | Minimum age threshold (e.g., "7 days", "30 days") | "3 days" |
|
|
35
|
+
| `-e, --exclude <packages...>` | Packages to exclude from checking | - |
|
|
36
|
+
| `-f, --format <type>` | Output format: `console` or `json` | "console" |
|
|
37
|
+
| `-c, --concurrency <number>` | Max concurrent API requests | 10 |
|
|
38
|
+
| `--no-exit-code` | Always exit with code 0 | false |
|
|
39
|
+
| `-v, --verbose` | Show verbose output | false |
|
|
40
|
+
|
|
41
|
+
## Examples
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
# Detect packages published within the last 7 days
|
|
45
|
+
check-npm-lockfile --minimum-release-age "7 days"
|
|
46
|
+
|
|
47
|
+
# Exclude specific packages
|
|
48
|
+
check-npm-lockfile --exclude lodash --exclude react
|
|
49
|
+
|
|
50
|
+
# Output as JSON (useful for CI pipelines)
|
|
51
|
+
check-npm-lockfile --format json
|
|
52
|
+
|
|
53
|
+
# Combine options
|
|
54
|
+
check-npm-lockfile --minimum-release-age "30 days" --format json --verbose
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
## Supported Lockfiles
|
|
58
|
+
|
|
59
|
+
- `package-lock.json` (npm v1 and v2+)
|
|
60
|
+
- `yarn.lock` (Yarn v1 and Berry/v2+)
|
|
61
|
+
|
|
62
|
+
## CI Integration
|
|
63
|
+
|
|
64
|
+
Use in your CI pipeline to block builds containing recently published packages:
|
|
65
|
+
|
|
66
|
+
```yaml
|
|
67
|
+
# GitHub Actions example
|
|
68
|
+
- name: Check for recently published packages
|
|
69
|
+
run: npx -y check-npm-lockfile --minimum-release-age "7 days"
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
The command exits with code 1 if recent packages are found (unless `--no-exit-code` is specified).
|
|
73
|
+
|
|
74
|
+
## Requirements
|
|
75
|
+
|
|
76
|
+
- Node.js >= 22.0.0
|
|
77
|
+
|
|
78
|
+
## License
|
|
79
|
+
|
|
80
|
+
MIT
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "check-npm-lockfile",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.2",
|
|
4
4
|
"description": "Detect recently published npm packages in lockfiles for supply chain attack prevention",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -9,7 +9,8 @@
|
|
|
9
9
|
"check-npm-lockfile": "./dist/cli.js"
|
|
10
10
|
},
|
|
11
11
|
"files": [
|
|
12
|
-
"dist"
|
|
12
|
+
"dist",
|
|
13
|
+
"README.md"
|
|
13
14
|
],
|
|
14
15
|
"scripts": {
|
|
15
16
|
"build": "tsup",
|