Awesome
Fix Lockfile Integrity
Fix sha1
integrity in lock files back to sha512
Features
- Reverts all
sha1
back tosha512
which is more secure - Works with both package-lock.json and npm-shrinkwrap.json
- Works with lockfile version 1 & 2
- Can be configured to work on multiple paths to support monorepo
- Works only on file system without touching your version control
Limitations
- By default, fixes only packages from npm registry registry.npmjs.org. You can change that via configuration file
Installation
Install globally:
npm install -g fix-lockfile-integrity
Or run with npx:
npx fix-lockfile-integrity
Usage
Check local folder for a lockfile (package-lock.json or npm-shrinkwrap.json) and fix any sha1
in it
$ fix-lockfile
Overwriting lock file ./package-lock.json with 10 integrity fixes
Make sure your lock file is in version control and all changes have been committed. This will overwrite your lock file.
To fix a specific file not in the current folder:
$ fix-lockfile <file>
CLI Options
fix-lockfile [file]
Fix lock file integrity
Positionals:
file file to fix (default: looks for package-lock.json/npm-shrinkwrap.json in running folder)
Options:
--version Show version number [boolean]
-c, --config configuration file [string]
-v, --verbose verbose logging [boolean]
-q, --quiet quiet (suppresses verbose too) [boolean]
-h, --help Show help [boolean]
Configuration file
Configuration file can be in several formats and are automatically loaded.
Alternatively, you can specify configuration file to load via CLI --config
(alias: -c
)
TypeScript
.fix-lockfile.ts
or fix-lockfile.config.ts
import type { FixLockFileIntegrityConfig } from "fix-lockfile-integrity";
const config: FixLockFileIntegrityConfig = {
includePaths: ["./", "./packages/a", "./packages/b"],
lockFileNames: ["package-lock.json"],
allRegistries: true,
prettier: {
useTabs: true,
endOfLine: "cr"
}
};
export default config;
JavaScript
.fix-lockfile.js
or fix-lockfile.config.js
const config = {
includePaths: ["./", "./packages/a", "./packages/b"],
lockFileNames: ["package-lock.json"],
allRegistries: true,
prettier: {
useTabs: true,
endOfLine: "cr"
}
};
module.exports = config;
JSON
.fix-lockfile.json
or fix-lockfile.config.json
{
"includePaths": ["./", "./packages/a", "./packages/b"],
"lockFileNames": ["package-lock.json"],
"allRegistries": true,
"prettier": {
"useTabs": true,
"endOfLine": "cr"
}
}
YAML
.fix-lockfile.yaml
, fix-lockfile.config.yml
, .fix-lockfile.yaml
or fix-lockfile.config.yml
includePaths:
- "./"
- "./packages/a"
- "./packages/b"
lockFileNames:
- package-lock.json
allRegistries: true
prettier:
useTabs: true
endOfLine: cr
Configuration in a Lerna monorepo
For root folder and all lerna packages
const { execSync } = require("child_process");
const path = require("path");
const lernaInfoOutput = execSync("lerna list --all --json", { encoding: "utf8" });
const lernaPackages = JSON.parse(lernaInfoOutput).map(p => path.relative(__dirname, p.location));
const config = {
includePaths: [
"./",
...lernaPackages
],
lockFileNames: [
"package-lock.json"
],
allRegistries: true
};
module.exports = config;
Configuration options
- includeFiles: Explicit list of files to fix (default: none)
- includePaths: Paths to look for lock files in (default: ".")
- lockFileNames: Lock files to look for (default: ["package-lock.json", "npm-shrinkwrap.json"])
- allRegistries: Fetch integrity from all registries (default: false)
- registries: Registries to fetch integrity from (default: ["registry.npmjs.org"])
- prettier: Overriding prettier config in case needed
Automation
If you want to make sure to avoid those sha1
in your files and avoid unnecessary changes in PRs, you should do one of the following:
1) Add to postinstall
This way it will run after each time you run npm install
{
"postinstall": "fix-lockfile package-lock.json"
}
2) pre-commit hook
Using husky (or alike) to run as a pre-commit hook
Why?
NPM has known issue of constantly changing integrity property of its lock file. Integrity may change due to plenty of reasons. Some of them are:
- npm install done on machine with different OS from one where lock file generated
- some package version updated
- another version of npm used
Intention of this tool is to prevent such changes and make integrity property secure and reliable.
Report issues
If something doesn't work, please file an issue.