npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

fix-lockfile-integrity

v1.5.5

Published

Fix lockfile integrity

Downloads

5,233

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

yoavainyoavain

Keywords

securitylocklockfilepackage-lock.jsonnpm-shrinkwrap.jsonintegritysha512sha1

Readme

Fix Lockfile Integrity

Actions Status node types commit license CodeQL fix-lockfile-integrity Known Vulnerabilities codecov Renovate visitors Downloads

Fix sha1 integrity in lock files back to sha512

Features

  • Reverts all sha1 back to sha512 which is more secure
  • Works with both package-lock.json and npm-shrinkwrap.json
  • Works with lockfile version 1 & 2
  • Can be configured to work on multiple paths to support monorepo
  • Works only on file system without touching your version control

Limitations

  • By default, fixes only packages from npm registry registry.npmjs.org. You can change that via configuration file

Installation

Install globally:

npm install -g fix-lockfile-integrity

Or run with npx:

npx fix-lockfile-integrity

Usage

Check local folder for a lockfile (package-lock.json or npm-shrinkwrap.json) and fix any sha1 in it

$ fix-lockfile
Overwriting lock file ./package-lock.json with 10 integrity fixes

Make sure your lock file is in version control and all changes have been committed. This will overwrite your lock file.

To fix a specific file not in the current folder:

$ fix-lockfile <file>

CLI Options

fix-lockfile [file]

Fix lock file integrity

Positionals:
  file  file to fix (default: looks for package-lock.json/npm-shrinkwrap.json in running folder)

Options:
      --version  Show version number                                   [boolean]
  -c, --config   configuration file                                     [string]
  -v, --verbose  verbose logging                                       [boolean]
  -q, --quiet    quiet (suppresses verbose too)                        [boolean]
  -h, --help     Show help                                             [boolean]

Configuration file

Configuration file can be in several formats and are automatically loaded.
Alternatively, you can specify configuration file to load via CLI --config (alias: -c)

TypeScript

.fix-lockfile.ts or fix-lockfile.config.ts

import type { FixLockFileIntegrityConfig } from "fix-lockfile-integrity";

const config: FixLockFileIntegrityConfig = {
    includePaths: ["./", "./packages/a", "./packages/b"],
    lockFileNames: ["package-lock.json"],
    allRegistries: true,
    prettier: {
        useTabs: true,
        endOfLine: "cr"
    }
};

export default config;

JavaScript

.fix-lockfile.js or fix-lockfile.config.js

const config = {
    includePaths: ["./", "./packages/a", "./packages/b"],
    lockFileNames: ["package-lock.json"],
    allRegistries: true,
    prettier: {
        useTabs: true,
        endOfLine: "cr"
    }
};

module.exports = config;

JSON

.fix-lockfile.json or fix-lockfile.config.json

{
    "includePaths": ["./", "./packages/a", "./packages/b"],
    "lockFileNames": ["package-lock.json"],
    "allRegistries": true,
    "prettier": {
        "useTabs": true,
        "endOfLine": "cr"
    }
}

YAML

.fix-lockfile.yaml, fix-lockfile.config.yml, .fix-lockfile.yaml or fix-lockfile.config.yml

includePaths:
    - "./"
    - "./packages/a"
    - "./packages/b"
lockFileNames:
    - package-lock.json
allRegistries: true
prettier:
    useTabs: true
    endOfLine: cr

Configuration in a Lerna monorepo

For root folder and all lerna packages

const { execSync } = require("child_process");
const path = require("path");

const lernaInfoOutput = execSync("lerna list --all --json", { encoding: "utf8" });
const lernaPackages = JSON.parse(lernaInfoOutput).map(p => path.relative(__dirname, p.location));

const config = {
    includePaths: [
        "./",
        ...lernaPackages
    ],
    lockFileNames: [
        "package-lock.json"
    ],
    allRegistries: true
};

module.exports = config;

Configuration options

- includeFiles:     Explicit list of files to fix       (default: none)
- includePaths:     Paths to look for lock files in     (default: ".")
- lockFileNames:    Lock files to look for              (default: ["package-lock.json", "npm-shrinkwrap.json"])
- allRegistries:    Fetch integrity from all registries (default: false)
- registries:       Registries to fetch integrity from (default: ["registry.npmjs.org"])
- prettier:         Overriding prettier config in case needed

Automation

If you want to make sure to avoid those sha1 in your files and avoid unnecessary changes in PRs, you should do one of the following:

1) Add to postinstall

This way it will run after each time you run npm install

{
    "postinstall": "fix-lockfile package-lock.json"
}

2) pre-commit hook

Using husky (or alike) to run as a pre-commit hook

Why?

NPM has known issue of constantly changing integrity property of its lock file. Integrity may change due to plenty of reasons. Some of them are:

  1. npm install done on machine with different OS from one where lock file generated
  2. some package version updated
  3. another version of npm used

Intention of this tool is to prevent such changes and make integrity property secure and reliable.

Report issues

If something doesn't work, please file an issue.