![](https://raw.githubusercontent.com/yoavain/fix-lockfile-integrity/main/resources/docs/logo.gif)

Fix Lockfile Integrity

![Actions Status](https://github.com/yoavain/fix-lockfile-integrity/actions)
!node
!types
!commit
!license
![CodeQL](https://github.com/yoavain/fix-lockfile-integrity/actions?query=workflow%3ACodeQL)
![fix-lockfile-integrity](https://snyk.io/advisor/npm-package/fix-lockfile-integrity)
![Known Vulnerabilities](https://snyk.io//test/github/yoavain/fix-lockfile-integrity?targetFile=package.json)
![codecov](https://codecov.io/gh/yoavain/fix-lockfile-integrity)
![Renovate](https://renovatebot.com)
!visitors
!Downloads

Fix sha1 integrity in lock files back to sha512

Features

- Reverts all sha1 back to sha512 which is more secure
- Works with both package-lock.json and npm-shrinkwrap.json
- Works with lockfile version 1 & 2
- Can be configured to work on multiple paths to support monorepo
- Works only on file system without touching your version control

Limitations

- By default, fixes only packages from npm registry registry.npmjs.org. You can change that via configuration file

Installation

Install globally:

``

sh

npm install -g fix-lockfile-integrity





Or run with npx:

sh

npx fix-lockfile-integrity





Usage



Check local folder for a lockfile (package-lock.json or npm-shrinkwrap.json) and fix any

sha1

 in it

sh

$ fix-lockfile

Overwriting lock file ./package-lock.json with 10 integrity fixes





> Make sure your lock file is in version control and all changes have been committed. This _will_ overwrite your lock file.



To fix a specific file not in the current folder:

sh

$ fix-lockfile





CLI Options



fix-lockfile [file]



Fix lock file integrity



Positionals:

  file  file to fix (default: looks for package-lock.json/npm-shrinkwrap.json in running folder)



Options:

      --version  Show version number                                   [boolean]

  -c, --config   configuration file                                     [string]

  -v, --verbose  verbose logging                                       [boolean]

  -q, --quiet    quiet (suppresses verbose too)                        [boolean]

  -h, --help     Show help                                             [boolean]





Configuration file



Configuration file can be in several formats and are automatically loaded.  

Alternatively, you can specify configuration file to load via CLI

--config (alias: -c

) 



$3

.fix-lockfile.ts or fix-lockfile.config.ts

ts

import type { FixLockFileIntegrityConfig } from "fix-lockfile-integrity";



const config: FixLockFileIntegrityConfig = {

    includePaths: ["./", "./packages/a", "./packages/b"],

    lockFileNames: ["package-lock.json"],

    allRegistries: true,

    prettier: {

        useTabs: true,

        endOfLine: "cr"

    }

};



export default config;

$3

.fix-lockfile.js or fix-lockfile.config.js

js

const config = {

    includePaths: ["./", "./packages/a", "./packages/b"],

    lockFileNames: ["package-lock.json"],

    allRegistries: true,

    prettier: {

        useTabs: true,

        endOfLine: "cr"

    }

};



module.exports = config;

$3

.fix-lockfile.json or fix-lockfile.config.json

json

{

    "includePaths": ["./", "./packages/a", "./packages/b"],

    "lockFileNames": ["package-lock.json"],

    "allRegistries": true,

    "prettier": {

        "useTabs": true,

        "endOfLine": "cr"

    }

}

$3

.fix-lockfile.yaml, fix-lockfile.config.yml, .fix-lockfile.yaml or fix-lockfile.config.yml

yaml

includePaths:

    - "./"

    - "./packages/a"

    - "./packages/b"

lockFileNames:

    - package-lock.json

allRegistries: true

prettier:

    useTabs: true

    endOfLine: cr





$3



For root folder and all lerna packages

js

const { execSync } = require("child_process");

const path = require("path");



const lernaInfoOutput = execSync("lerna list --all --json", { encoding: "utf8" });

const lernaPackages = JSON.parse(lernaInfoOutput).map(p => path.relative(__dirname, p.location));



const config = {

    includePaths: [

        "./",

        ...lernaPackages

    ],

    lockFileNames: [

        "package-lock.json"

    ],

    allRegistries: true

};



module.exports = config;

$3



- includeFiles:     Explicit list of files to fix       (default: none)

- includePaths:     Paths to look for lock files in     (default: ".")

- lockFileNames:    Lock files to look for              (default: ["package-lock.json", "npm-shrinkwrap.json"])

- allRegistries:    Fetch integrity from all registries (default: false)

- registries:       Registries to fetch integrity from (default: ["registry.npmjs.org"])

- prettier:         Overriding prettier config in case needed





Automation



If you want to make sure to avoid those

sha1

 in your files and avoid unnecessary changes in PRs, you should do one of the following:



#### 1) Add to postinstall

This way it will run after each time you run

npm install

json

{

    "postinstall": "fix-lockfile package-lock.json"

}

``

#### 2) pre-commit hook
Using husky (or alike) to run as a pre-commit hook

Why?

NPM has known issue of constantly changing integrity property of its lock file. Integrity may change due to plenty of reasons. Some of them are:

1. npm install done on machine with different OS from one where lock file generated
2. some package version updated
3. another version of npm used

Intention of this tool is to prevent such changes and make integrity property secure and reliable.

Report issues

If something doesn't work, please file an issue.

![](https://raw.githubusercontent.com/yoavain/fix-lockfile-integrity/main/resources/docs/logo.gif)

Fix Lockfile Integrity

Features

Limitations

- By default, fixes only packages from npm registry registry.npmjs.org. You can change that via configuration file

Installation

Install globally:

``

sh

npm install -g fix-lockfile-integrity





Or run with npx:

sh

npx fix-lockfile-integrity





Usage



Check local folder for a lockfile (package-lock.json or npm-shrinkwrap.json) and fix any

sha1

 in it

sh

$ fix-lockfile

Overwriting lock file ./package-lock.json with 10 integrity fixes





> Make sure your lock file is in version control and all changes have been committed. This _will_ overwrite your lock file.



To fix a specific file not in the current folder:

sh

$ fix-lockfile





CLI Options



fix-lockfile [file]



Fix lock file integrity



Positionals:

  file  file to fix (default: looks for package-lock.json/npm-shrinkwrap.json in running folder)



Options:

      --version  Show version number                                   [boolean]

  -c, --config   configuration file                                     [string]

  -v, --verbose  verbose logging                                       [boolean]

  -q, --quiet    quiet (suppresses verbose too)                        [boolean]

  -h, --help     Show help                                             [boolean]





Configuration file



Configuration file can be in several formats and are automatically loaded.  

Alternatively, you can specify configuration file to load via CLI

--config (alias: -c

) 



$3

.fix-lockfile.ts or fix-lockfile.config.ts

ts

import type { FixLockFileIntegrityConfig } from "fix-lockfile-integrity";



const config: FixLockFileIntegrityConfig = {

    includePaths: ["./", "./packages/a", "./packages/b"],

    lockFileNames: ["package-lock.json"],

    allRegistries: true,

    prettier: {

        useTabs: true,

        endOfLine: "cr"

    }

};



export default config;

$3

.fix-lockfile.js or fix-lockfile.config.js

js

const config = {

    includePaths: ["./", "./packages/a", "./packages/b"],

    lockFileNames: ["package-lock.json"],

    allRegistries: true,

    prettier: {

        useTabs: true,

        endOfLine: "cr"

    }

};



module.exports = config;

$3

.fix-lockfile.json or fix-lockfile.config.json

json

{

    "includePaths": ["./", "./packages/a", "./packages/b"],

    "lockFileNames": ["package-lock.json"],

    "allRegistries": true,

    "prettier": {

        "useTabs": true,

        "endOfLine": "cr"

    }

}

$3

.fix-lockfile.yaml, fix-lockfile.config.yml, .fix-lockfile.yaml or fix-lockfile.config.yml

yaml

includePaths:

    - "./"

    - "./packages/a"

    - "./packages/b"

lockFileNames:

    - package-lock.json

allRegistries: true

prettier:

    useTabs: true

    endOfLine: cr





$3



For root folder and all lerna packages

js

const { execSync } = require("child_process");

const path = require("path");



const lernaInfoOutput = execSync("lerna list --all --json", { encoding: "utf8" });

const lernaPackages = JSON.parse(lernaInfoOutput).map(p => path.relative(__dirname, p.location));



const config = {

    includePaths: [

        "./",

        ...lernaPackages

    ],

    lockFileNames: [

        "package-lock.json"

    ],

    allRegistries: true

};



module.exports = config;

$3



- includeFiles:     Explicit list of files to fix       (default: none)

- includePaths:     Paths to look for lock files in     (default: ".")

- lockFileNames:    Lock files to look for              (default: ["package-lock.json", "npm-shrinkwrap.json"])

- allRegistries:    Fetch integrity from all registries (default: false)

- registries:       Registries to fetch integrity from (default: ["registry.npmjs.org"])

- prettier:         Overriding prettier config in case needed





Automation



If you want to make sure to avoid those

sha1

 in your files and avoid unnecessary changes in PRs, you should do one of the following:



#### 1) Add to postinstall

This way it will run after each time you run

npm install

json

{

    "postinstall": "fix-lockfile package-lock.json"

}

``

#### 2) pre-commit hook
Using husky (or alike) to run as a pre-commit hook

Why?

Report issues

If something doesn't work, please file an issue.