BARMPlus

Audit npm, Yarn, and pnpm lockfiles as both an MCP server and a CLI tool.

18
2
100% credibility
Found Apr 22, 2026 at 18 stars
AI Analysis
TypeScript
AI Summary

Locklens audits project lockfiles for security vulnerabilities in local directories or remote repositories, producing reports in text or structured formats with support for multiple languages.

How It Works

1. 🔍 Discover Locklens: You hear about a helpful tool that checks your project's ingredient list for safety issues, keeping things secure without hassle.
2. 📂 Pick Your Project: Choose whether to scan a project folder on your computer or share a web link to one online.
3. Select Scan Path:
   - 🏠 Local Folder: Point to a folder on your own machine full of project files.
   - 🌐 Online Link: Paste a simple web address to a shared project repository.
4. Start the Safety Check: Hit go and watch it quietly review everything for hidden dangers, feeling relieved it's handling the details.
5. 📋 Review Your Report: Get a clear, easy-to-read summary in your preferred language, sorted by risk level.
6. Stay Secure: Now you know exactly what risks exist and can fix them confidently, with your project safer than ever.

AI-Generated Review

What is locklens?

locklens audits npm, yarn, and pnpm lockfiles to spot vulnerabilities matching your exact dependency state, via a TypeScript CLI, MCP server for AI tools, or skill mode. Run `npx locklens --source ./` locally or hit remote Git repos like GitHub or GitLab with `npx locklens --source https://github.com/user/repo` for instant npm audit reports. It skips dev deps with `--skip-dev`, filters by threshold like `--threshold high`, and outputs JSON or bilingual text.

Why is it gaining traction?

Unlike basic `npm audit`, it audits remote repos without a full clone, public or private via SSH keys or GitLab tokens, so npm audit reports can be produced for GitHub audit trails or CI checks. MCP stdio mode hooks into LLM workflows for automated package audits, and yarn/pnpm support fills the gap where `npm audit fix` does nothing. Developers like the zero-install npx flow and the clean JSON output for scripting GitHub audit logs or exporting npm audit results to HTML.

Who should use this?

Security engineers scanning npm packages in GitHub repos or GitHub Actions without local setup. DevOps teams auditing lockfiles in monorepos or private GitLab instances for compliance. Frontend leads generating npm audit reports pre-merge, especially when `npm audit fix` does not work because of yarn.lock quirks.

Verdict

Try it for quick remote lockfile audits—solid CLI and MCP make it practical despite 18 stars and 1.0% credibility score signaling early maturity. Docs are bilingual and thorough, but watch for edge cases in private self-hosted GitLab; MIT license invites contributions.
