当前位置：文江博客 Node Package Readme @43081j/lockcheck 中文文档教程

@43081j/lockcheck 中文文档教程

发布于 4年前浏览 21 项目主页更新于 3年前

lockcheck

一个用于分析 package-lock.json 文件潜在问题的小工具，不一致和安全问题。

Install

$ npm i -D @43081j/lockcheck

Use

$ npx lockcheck

Options

  -d, --dir <path>  Path to directory containing lock file. (default: ".")
  --diff [commit]   Enable diff mode on the specified gitcommit (default is
                    against unchanged file in current branch)
  -v, --verbose     Verbose output
  -h, --help        output usage information

Validators

lockcheck 将分析以下锁定文件：

不安全的 URI - 任何 http URI 都被认为是不安全的，应该被替换与安全等价物。

重复版本 - 具有不同的单个包多次出现 URL 是一个可能错误配置的锁定文件的标志。

Manifest inconsistencies - 包存在于锁文件中但可能不匹配/满足 package.json 中的相应条目配置错误。

注册表不一致 - 锁定文件中未限定范围的包应该全部有相同的注册表。但是，具有作用域的包是有效的使用单独的注册表。

Diff mode

你可以像这样区分两个锁文件：

$ npx lockcheck --diff

这将尝试使用 git 来比较锁磁盘上的文件和 git 中的原始锁定文件（假设它们是有区别的）。

或者，您可以将锁定文件通过管道传输到 lockcheck 中以比较对象：

$ git show :package-lock.json | npx lockcheck --diff

或者你可以指定一个 commit-ish：

$ npx lockcheck --diff master

License

MIT

原文

lockcheck

A tiny utility to analyze package-lock.json files for potential problems, inconsistencies and security issues.

Install

$ npm i -D @43081j/lockcheck

Use

$ npx lockcheck

Options

  -d, --dir <path>  Path to directory containing lock file. (default: ".")
  --diff [commit]   Enable diff mode on the specified gitcommit (default is
                    against unchanged file in current branch)
  -v, --verbose     Verbose output
  -h, --help        output usage information

Validators

lockcheck will analyze lock files for the following:

Insecure URIs - Any http URIs are considered unsafe and should be replaced with secure equivalents.

Duplicate versions - Multiple occurrences of a single package with different URLs is a sign of a possibly misconfigured lock file.

Manifest inconsistencies - Packages which exist in the lock file but do not match/satisfy the corresponding entry in package.json are likely misconfigured.

Registry inconsistencies - Unscoped packages in a lock file should all have the same registry. It is valid, however, to have scoped packages use a separate registry.

Diff mode

You can diff two lock files like so:

$ npx lockcheck --diff

This will attempt to use git in order to compare the lock file on disk and the original lock file in git (assuming there is a difference).

Alternatively, you can pipe a lock file into lockcheck to compare against:

$ git show :package-lock.json | npx lockcheck --diff

Or you can specify a commit-ish:

$ npx lockcheck --diff master

License

MIT

友情链接

文江博客

@43081j/lockcheck 中文文档教程

lockcheck

Install

Use

Options

Validators

Diff mode

License

lockcheck

Install

Use

Options

Validators

Diff mode

License

你可能也喜欢

友情链接