npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@dhanushnehru/lockcheck

v1.0.0

Published

Detect malicious dependency diffs in lock files. Catches supply chain attacks before they catch you.

Readme

🔒 lockcheck

Detect malicious dependency diffs in lock files. Catches supply chain attacks before they catch you.

npm version license GitHub stars zero deps Node.js


Every time you run npm install, your lockfile changes. Nobody reviews those diffs. Attackers exploit this by injecting typosquatted, hijacked, or backdoored packages.

lockcheck scans your package-lock.json, diffs it against a saved snapshot, and flags anything suspicious — before it reaches production.

⚡ Quick Start

npx @dhanushnehru/lockcheck

That's it. No install required. No configuration. No dependencies.

🔍 What It Detects

┌────────────────────────────────────────────────────┐
│ 🔒 lockcheck                                       │
│ Supply chain security scanner for lock files       │
└────────────────────────────────────────────────────┘

  🔴 CRITICAL
  ────────────────────────────────────────────────────
  🔴 ev4l-js @1.0.0
    Possible typosquat of "eval-js" (edit distance 1)
    Levenshtein distance: 1

  🔴 lodash @4.99.0
    Integrity hash changed without version change!
    This could indicate the package was republished.

  ⚠️  WARNINGS
  ────────────────────────────────────────────────────
  ⚠️  sketchy-lib @1.0.0
    New dependency added: [email protected]
    (production dependency)

  ⚠️  sketchy-lib @1.0.0
    Published 2 day(s) ago
    New packages should be reviewed carefully.

  ⚠️  sketchy-lib @1.0.0
    Very low download count: 47 weekly downloads
    Low-download packages are higher risk.

  ⚠️  random-helper @2.0.0
    Has install scripts (preinstall/install/postinstall)
    Install scripts can execute arbitrary code.

┌────────────────────────────────────────────────────┐
│  📦 847 packages scanned                           │
│  🆕 3 new dependencies                             │
│  → 12 version changes                              │
├────────────────────────────────────────────────────┤
│  🔴 2 critical                                     │
│  ⚠️  4 warning(s)                                  │
└────────────────────────────────────────────────────┘

🛡️ 6 Security Analyzers

| Analyzer | What It Catches | |----------|----------------| | New Dependencies | Packages added since last scan — the primary attack vector | | Version Jumps | Suspicious semver changes: 4.17.21 → 4.99.0, downgrades | | Typosquat Detection | Names similar to popular packages: 1odash, reqest, epress | | Registry Anomalies | Non-standard registries, registry switches, integrity hash changes | | Install Scripts | Packages with postinstall scripts (primary code execution vector) | | Freshness Checks | Newly published packages with low downloads (via npm registry API) |

📖 Usage

# Scan current directory
npx @dhanushnehru/lockcheck

# Scan a specific project
npx @dhanushnehru/lockcheck ./my-app

# CI/CD mode (JSON output + strict exit codes)
npx @dhanushnehru/lockcheck --json --strict

# Offline mode (skip npm registry checks)
npx @dhanushnehru/lockcheck --no-network

# Show help
npx @dhanushnehru/lockcheck --help

🏗️ How It Works

  1. Parse — Reads your package-lock.json (supports lockfileVersion 1, 2, and 3)
  2. Snapshot — Compares against a saved .lockcheck-snapshot.json baseline
  3. Analyze — Runs 6 independent security analyzers
  4. Report — Outputs findings with severity levels (critical/warning/info)
  5. Exit — Returns code 0 (safe) or 1 (issues found) for CI integration

On first run, lockcheck creates a baseline snapshot. On subsequent runs, it diffs against that baseline to detect changes.

🤖 GitHub Action

Add lockcheck to your CI pipeline to automatically scan every PR:

# .github/workflows/lockcheck.yml
name: Lockfile Security

on:
  pull_request:
    paths:
      - 'package-lock.json'

jobs:
  lockcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: DhanushNehru/lockcheck@v1
        with:
          strict: true

Or use it directly:

- name: Run lockcheck
  run: npx @dhanushnehru/lockcheck --strict

🔧 Options

| Flag | Description | |------|-------------| | --json | Output results as JSON for CI/CD pipelines | | --strict | Exit with code 1 on warnings (not just criticals) | | --no-network | Skip npm registry API checks (offline mode) | | --help, -h | Show help message | | --version, -v | Show version number |

💡 Exit Codes

| Code | Meaning | |------|---------| | 0 | No critical issues found | | 1 | Critical issues detected (or warnings in --strict mode) | | 2 | Runtime error (missing lockfile, etc.) |

🕵️ Why lockcheck?

The Problem

Supply chain attacks on npm have exploded:

  • Typosquatting — Packages named 1odash, angu1ar, reqest that execute malicious code
  • Package hijacking — Maintainer accounts get compromised, legit packages get backdoored
  • Dependency confusion — Private package names are registered on the public registry
  • Postinstall payloads — Malicious code runs immediately on npm install

What Exists Today

  • npm audit only checks known CVEs — it doesn't catch zero-day supply chain attacks
  • Lock file diffs are thousands of lines that no human reviews
  • CI pipelines auto-merge Dependabot PRs with zero lockfile inspection

What lockcheck Does Differently

  • Proactive detection — Catches suspicious patterns before they become CVEs
  • Zero dependencies — Eats its own dogfood. Nothing to get supply-chain attacked through.
  • Snapshot diffing — Tracks changes over time instead of point-in-time scanning
  • Smart heuristics — Typosquat detection, version jump analysis, registry anomaly detection

🏛️ Architecture

lockcheck/
├── bin/lockcheck.js          # CLI entry point
├── src/
│   ├── index.js              # Scan orchestrator
│   ├── parsers/npm.js        # package-lock.json parser
│   ├── analyzers/            # 6 independent security analyzers
│   ├── reporters/terminal.js # Beautiful terminal output
│   └── utils/                # Colors, semver, levenshtein, registry
├── action.yml                # GitHub Action
└── package.json              # Zero dependencies

🤝 Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

Adding a new analyzer is easy — create a file in src/analyzers/, export a function that returns { findings: [] }, and wire it up in src/index.js.


If lockcheck helped you, give it a ⭐ — it helps others find it!

Built with zero dependencies.