@43081j/lockcheck documentation
lockcheck
A tiny utility to analyze package-lock.json files for potential problems, inconsistencies and security issues.
Install
$ npm i -D @43081j/lockcheck
Use
$ npx lockcheck
Options
-d, --dir <path>   Path to the directory containing the lock file (default: ".")
--diff [commit]    Enable diff mode against the specified git commit (default: the unchanged file in the current branch)
-v, --verbose      Verbose output
-h, --help         Output usage information
Validators
lockcheck will analyze lock files for the following:
Insecure URIs - Any http URI is considered unsafe and should be replaced with its https equivalent, since a package fetched over plain http can be tampered with in transit.
Duplicate versions - Multiple occurrences of a single package with different resolved URLs are a sign of a possibly misconfigured lock file.
Manifest inconsistencies - Packages which exist in the lock file but do not match/satisfy the corresponding entry in package.json are likely misconfigured.
Registry inconsistencies - Unscoped packages in a lock file should all resolve to the same registry. It is valid, however, for scoped packages to use a separate registry.
Diff mode
You can diff two lock files like so:
$ npx lockcheck --diff
This will use git to compare the lock file on disk with the version tracked in git (assuming they differ).
Alternatively, you can pipe a lock file into lockcheck to compare against:
$ git show :package-lock.json | npx lockcheck --diff
Or you can specify a commit-ish:
$ npx lockcheck --diff master
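The following is an added example and not lockcheck's own code: a minimal re-implementation of the four validators listed above plus the diff-mode comparison, run over a constructed package-lock.json (lockfile v2 "packages" layout, with a fallback for the v1 "dependencies" tree) and a constructed package.json. The package names and registry hosts are made up, and the range check only understands exact versions, "^" and "~" so that the script needs nothing beyond the Node.js standard library; lockcheck itself is not limited in that way.

```javascript
// Added example (not lockcheck's code): the README's validators and diff check,
// re-implemented over a constructed lockfile. Node.js standard library only.

// Flatten a lockfile (v2/v3 "packages" map, or the v1 "dependencies" tree) into
// {name, version, resolved, depth} entries; depth 1 = hoisted top-level package.
function flattenLock(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const depth = (path.match(/node_modules\//g) || []).length;
      if (depth === 0) continue; // "" is the root project, not a dependency
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      out.push({ name, version: meta.version, resolved: meta.resolved, depth });
    }
  } else if (lock.dependencies) {
    const walk = (deps, depth) => {
      for (const [name, meta] of Object.entries(deps)) {
        out.push({ name, version: meta.version, resolved: meta.resolved, depth });
        if (meta.dependencies) walk(meta.dependencies, depth + 1);
      }
    };
    walk(lock.dependencies, 1);
  }
  return out.filter(e => typeof e.resolved === 'string'); // links/bundled deps carry no URL
}

// Insecure URIs: a tarball fetched over plain http can be swapped in transit.
function findInsecureUris(entries) {
  return entries.filter(e => e.resolved.startsWith('http://'))
    .map(e => `${e.name}@${e.version}: ${e.resolved}`);
}

// Duplicate versions: the same name@version resolving to more than one URL.
function findDuplicateVersions(entries) {
  const urls = new Map();
  for (const e of entries) {
    const key = `${e.name}@${e.version}`;
    if (!urls.has(key)) urls.set(key, new Set());
    urls.get(key).add(e.resolved);
  }
  return [...urls].filter(([, set]) => set.size > 1)
    .map(([key, set]) => `${key}: ${[...set].join(' | ')}`);
}

// Registry inconsistencies: unscoped packages should share one registry host;
// scoped packages (@org/name) are allowed their own registry and are skipped.
function findRegistryInconsistencies(entries) {
  const hosts = new Map();
  for (const e of entries) {
    if (e.name.startsWith('@')) continue;
    const host = new URL(e.resolved).host;
    if (!hosts.has(host)) hosts.set(host, []);
    hosts.get(host).push(e.name);
  }
  return hosts.size > 1 ? [...hosts].map(([h, names]) => `${h}: ${names.join(', ')}`) : [];
}

// Simplified range check (exact, ^ and ~ only) so no semver dependency is needed.
// Assumption for this example; lockcheck is not limited to these range forms.
function satisfies(version, range) {
  const [maj, min, pat] = version.split('.').map(Number);
  const [rMaj, rMin, rPat] = range.replace(/^[\^~]/, '').split('.').map(Number);
  if (range.startsWith('^') && rMaj !== 0) {
    return maj === rMaj && (min > rMin || (min === rMin && pat >= rPat));
  }
  if (range.startsWith('^') || range.startsWith('~')) { // ~x.y.z and ^0.y.z pin major+minor
    return maj === rMaj && min === rMin && pat >= rPat;
  }
  return version === range;
}

// Manifest inconsistencies: every package.json dependency must be present at the
// top level of the lock with a version inside the declared range.
function findManifestInconsistencies(manifest, entries) {
  const locked = new Map(entries.filter(e => e.depth === 1).map(e => [e.name, e.version]));
  const wanted = { ...manifest.dependencies, ...manifest.devDependencies };
  const problems = [];
  for (const [name, range] of Object.entries(wanted)) {
    if (!locked.has(name)) problems.push(`${name}: missing from lock file`);
    else if (!satisfies(locked.get(name), range)) problems.push(`${name}@${locked.get(name)} does not satisfy ${range}`);
  }
  return problems;
}

// Diff mode: packages (keyed by name@version) whose resolved URL changed between
// two lockfiles. A registry swap for an unchanged version is the case to catch.
function diffResolved(oldLock, newLock) {
  const index = lock => new Map(flattenLock(lock).map(e => [`${e.name}@${e.version}`, e.resolved]));
  const before = index(oldLock), after = index(newLock);
  return [...after].filter(([key, url]) => before.has(key) && before.get(key) !== url)
    .map(([key, url]) => `${key}: ${before.get(key)} -> ${url}`);
}

// Constructed sample input: hosts and package names are made up for the example.
const LOCK = { name: 'demo', lockfileVersion: 2, packages: {
  '': { name: 'demo', dependencies: { left: '^1.0.0', right: '~2.0.0', '@acme/tool': '1.0.0' } },
  'node_modules/left': { version: '1.2.0', resolved: 'https://registry.npmjs.org/left/-/left-1.2.0.tgz' },
  'node_modules/right': { version: '2.1.3', resolved: 'http://registry.npmjs.org/right/-/right-2.1.3.tgz' },
  'node_modules/@acme/tool': { version: '1.0.0', resolved: 'https://npm.acme.example/@acme/tool/-/tool-1.0.0.tgz' },
  'node_modules/evil': { version: '3.0.0', resolved: 'https://registry.evil.example/evil/-/evil-3.0.0.tgz' },
  'node_modules/left/node_modules/deep': { version: '0.1.0', resolved: 'https://registry.npmjs.org/deep/-/deep-0.1.0.tgz' },
  'node_modules/evil/node_modules/deep': { version: '0.1.0', resolved: 'https://registry.evil.example/deep/-/deep-0.1.0.tgz' },
} };
const MANIFEST = { dependencies: { left: '^1.0.0', right: '~2.0.0', '@acme/tool': '1.0.0' }, devDependencies: { missing: '^4.0.0' } };
const NEW_LOCK = JSON.parse(JSON.stringify(LOCK)); // same lock, but "left" now comes from another registry
NEW_LOCK.packages['node_modules/left'].resolved = 'https://registry.evil.example/left/-/left-1.2.0.tgz';

function runAllChecks(lock = LOCK, manifest = MANIFEST) {
  const entries = flattenLock(lock);
  return {
    insecure: findInsecureUris(entries),
    duplicates: findDuplicateVersions(entries),
    registries: findRegistryInconsistencies(entries),
    manifest: findManifestInconsistencies(manifest, entries),
  };
}

console.log(JSON.stringify(runAllChecks(), null, 2));
console.log(diffResolved(LOCK, NEW_LOCK));
```

On the constructed input this reports the http tarball for `right`, the two different URLs for `deep@0.1.0`, two registry hosts among the unscoped packages (the scoped `@acme/tool` is ignored), `right@2.1.3` falling outside `~2.0.0` together with the missing `missing` package, and, in diff mode, the registry swap for `left@1.2.0`. The diff is keyed by name@version, so a second lockfile that merely re-hoists a package without changing its URL is not flagged.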
License
MIT