Checks the package-lock.json file for insecure http:// links and missing integrity checksums
check-package-lock parses the package-lock.json (and npm-shrinkwrap.json) file and checks that:
- no package is downloaded over an insecure http:// link (any registry, not just registry.npmjs.org)
- every package downloaded over https:// has an integrity checksum, so tampering is detected
To check the package-lock.json file in the current folder:
npm install -g check-package-lock
check-package-lock
To check the package-lock.json file in another folder:
npm install -g check-package-lock
check-package-lock --folder 'nodefolder'
0 = No errors
1 = Errors were founds in the package-lock.json files
2 = package-lock.json was not found
3 = Folder specified does not exists
4 = Folder specified is not a folder
5 = package-lock.json could not be read or is not valid JSON
check-package-lock can be used in CI environments to check your package-lock.json file before merging a pull request