check-npm-lockfile 0.0.1 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +80 -0
  2. package/package.json +5 -4
package/README.md ADDED
@@ -0,0 +1,80 @@
1
+ # check-npm-lockfile
2
+
3
+ Detect recently published npm packages in lockfiles for supply chain attack prevention.
4
+
5
+ ## Why?
6
+
7
+ Supply chain attacks often involve publishing malicious packages or compromising existing ones. This tool helps identify packages in your lockfile that were published recently, allowing you to review them before they enter your codebase.
8
+
9
+ ## Installation
10
+
11
+ ```bash
12
+ # Global installation
13
+ npm install -g check-npm-lockfile
14
+
15
+ # Or use with npx (no installation required)
16
+ npx -y check-npm-lockfile
17
+ ```
18
+
19
+ ## Usage
20
+
21
+ ```bash
22
+ # Check current directory (auto-detects lockfile)
23
+ check-npm-lockfile
24
+
25
+ # Check specific lockfile
26
+ check-npm-lockfile package-lock.json
27
+ check-npm-lockfile yarn.lock
28
+ ```
29
+
30
+ ## Options
31
+
32
+ | Option | Description | Default |
33
+ |--------|-------------|---------|
34
+ | `--minimum-release-age <duration>` | Minimum age threshold (e.g., "7 days", "30 days") | "3 days" |
35
+ | `-e, --exclude <packages...>` | Packages to exclude from checking | - |
36
+ | `-f, --format <type>` | Output format: `console` or `json` | "console" |
37
+ | `-c, --concurrency <number>` | Max concurrent API requests | 10 |
38
+ | `--no-exit-code` | Always exit with code 0 | false |
39
+ | `-v, --verbose` | Show verbose output | false |
40
+
41
+ ## Examples
42
+
43
+ ```bash
44
+ # Detect packages published within the last 7 days
45
+ check-npm-lockfile --minimum-release-age "7 days"
46
+
47
+ # Exclude specific packages
48
+ check-npm-lockfile --exclude lodash --exclude react
49
+
50
+ # Output as JSON (useful for CI pipelines)
51
+ check-npm-lockfile --format json
52
+
53
+ # Combine options
54
+ check-npm-lockfile --minimum-release-age "30 days" --format json --verbose
55
+ ```
56
+
57
+ ## Supported Lockfiles
58
+
59
+ - `package-lock.json` (npm v1 and v2+)
60
+ - `yarn.lock` (Yarn v1 and Berry/v2+)
61
+
62
+ ## CI Integration
63
+
64
+ Use in your CI pipeline to block builds containing recently published packages:
65
+
66
+ ```yaml
67
+ # GitHub Actions example
68
+ - name: Check for recently published packages
69
+ run: npx -y check-npm-lockfile --minimum-release-age "7 days"
70
+ ```
71
+
72
+ The command exits with code 1 if recent packages are found (unless `--no-exit-code` is specified).
73
+
74
+ ## Requirements
75
+
76
+ - Node.js >= 22.0.0
77
+
78
+ ## License
79
+
80
+ MIT
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "check-npm-lockfile",
3
- "version": "0.0.1",
3
+ "version": "0.0.3",
4
4
  "description": "Detect recently published npm packages in lockfiles for supply chain attack prevention",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",
@@ -9,7 +9,8 @@
9
9
  "check-npm-lockfile": "./dist/cli.js"
10
10
  },
11
11
  "files": [
12
- "dist"
12
+ "dist",
13
+ "README.md"
13
14
  ],
14
15
  "scripts": {
15
16
  "build": "tsup",
@@ -19,7 +20,7 @@
19
20
  "author": "Masahiro Saito",
20
21
  "license": "MIT",
21
22
  "engines": {
22
- "node": ">=22.0.0"
23
+ "node": ">=20.0.0"
23
24
  },
24
25
  "dependencies": {
25
26
  "@yarnpkg/lockfile": "^1.1.0",
@@ -30,7 +31,7 @@
30
31
  "yaml": "^2.7.0"
31
32
  },
32
33
  "devDependencies": {
33
- "@types/node": "^22.10.5",
34
+ "@types/node": "^20.19.27",
34
35
  "tsup": "^8.3.5",
35
36
  "typescript": "^5.7.2"
36
37
  }