GitHub Community
Replies: 1 comment 4 replies
-
|
There’s no built-in npm feature to validate all package-lock.json URLs before install. you can, however, parse the lock file with a custom script to ensure all resolved links match your configured registry a smart way to catch anything suspicious. |
Beta Was this translation helpful? Give feedback.
-
|
I think it would be a good feature for npm if they could make it built-in. |
Beta Was this translation helpful? Give feedback.
-
|
I completely agree ,having such validation built into npm would significantly improve security and streamline the developer workflow. If you found my suggestion helpful, I’d appreciate it if you could mark it as accepted (✔️) in this discussion to assist others who might have a similar question. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for helping. However, I expect the npm team members to share some thoughts. Sorry that I'm unable to give you the |
Beta Was this translation helpful? Give feedback.
-
|
No worries at all, I appreciate your response Let’s hope the npm team shares their input on this important suggestion. Glad I could contribute to the discussion. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Is it possible to validate registry links in the
package-lock.jsonbefore install?My requirement is to verify that all resolved links originate from the same registry as my local configuration.
It should be helpful to identify those malicious records in the package-lock.json.
Beta Was this translation helpful? Give feedback.
All reactions