lockfile-lint

License: Apache-2.0 License
Language: JavaScript
Category: Web application development, common JavaScript packages
Software type: Open source software
Region: Unknown
Submitter: 蒙胤
Operating system: Cross-platform
Open source organization:
Target users: Unknown
Software overview

lockfile linting

lint lockfiles for improved security and trust policies


About

Lockfiles are used as a trusted whitelist of resources, a manifest that packages are fetched from. However, keeping track of the changes introduced to lockfiles is not an easy task, as they are designed to be consumed by machines.

What happens when someone creates a Pull Request and sneaks in a malicious resource package that replaces a real library?

Exactly! Lint your lockfiles to ensure they adhere to pre-defined security policies and mitigate this attack vector.

Why is this important? Read: Why npm lockfiles can be a security blindspot for injecting malicious modules

Usage

Easily invoked with npx on any project and lint it:

npx lockfile-lint --path yarn.lock --allowed-hosts npm yarn --validate-https

To lint the npm-shrinkwrap.json file, add the --type npm flag:

npx lockfile-lint --path npm-shrinkwrap.json --type npm --allowed-hosts npm yarn --validate-https

If you get no results, congratulations, the file passes!

If lockfile-lint detects exceptions to the policies, it reports each offending package and the policy it violates.

Refer to the lockfile-lint package documentation for more details on CLI usage.

You can use lockfile-lint as a standalone CLI tool, or as an API library using the following npm packages:

  • lockfile-lint - a CLI tool that can be easily integrated as a pre-commit hook or part of a CI/build
  • lockfile-lint-api - a library providing a programmatic API

Security Disclaimer

Please be advised of the following security disclaimers that are outside of the control of a lockfile linter:

When you whitelist all hosts from npmjs, yarnpkg, GitHub or other registries, you implicitly convey that you trust all the packages originating from these sources. As such, a malicious package can exist in a registry source that you whitelist. Direct dependencies that you add to a project should be well vetted before they are added, for example with a tool like npq.

Author

lockfile-lint © Liran Tal, Released under the Apache-2.0 License.
