DhanushNehru

A zero-dependency Node.js CLI tool that scans package-lock.json for suspicious patterns that indicate supply chain attacks.

100% credibility
Found Apr 10, 2026 at 10 stars
JavaScript
AI Summary

lockcheck scans project lock files for suspicious dependency changes like new packages, typosquats, and version anomalies to detect potential supply chain attacks.

How It Works

1. 🔍 Discover lockcheck: You learn about a handy safety tool that watches for sneaky changes in your app's building blocks to keep things secure.
2. 📁 Open your app folder: Go to the folder holding your project on your computer.
3. 🚀 Run the first safety check: Start the quick scan, and it captures your current setup as a trusted baseline.
4. Add new features later: Bring in fresh tools or update your app's pieces as you build.
5. 🔍 Scan again for changes: Run the check once more to spot any new or odd additions that might be risky.
6. ⚠️ Review the alerts: See clear warnings about suspicious look-alikes, brand-new items, or weird shifts.

🛡️ Your project is safe: With issues flagged and fixed, your app stays protected from hidden threats.

AI-Generated Review

What is lockcheck?

Lockcheck is a zero-dependency Node.js CLI tool that scans your package-lock.json for suspicious patterns indicating supply chain attacks, like new dependencies, version jumps, or typosquats. Run `npx @dhanushnehru/lockcheck` to diff against a baseline snapshot it creates on first use, flagging issues in a clean terminal report or as JSON for CI. It catches risks that npm audit misses, such as fresh packages with low download counts or packages with install scripts.

Why is it gaining traction?

Unlike npm audit's CVE focus, lockcheck spots zero-day supply chain threats through snapshot diffs and heuristics like Levenshtein distance for typosquats or registry changes. Its zero-dependency design means no install risks, and GitHub Action integration lets you block risky PRs automatically with `--strict` mode. Developers are hooked by the instant value: one command reveals hidden attack vectors in massive lockfile diffs.
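To make the snapshot-diff idea and the typosquat heuristic concrete, here is an added example of the same approach written for this page; it is not lockcheck's own code. It assumes the package-lock.json v2/v3 layout (a `packages` map keyed by `node_modules/<name>`), a hypothetical list of popular package names to compare against, and constructed baseline and current lockfiles embedded inline. It reports new packages, Levenshtein near-matches to popular names, new packages that carry an install script, major version jumps, and changes of the registry host a package resolves from, then maps the findings to an exit code the way a `--strict` CI mode would.

```javascript
// Added example, not lockcheck's own code: a minimal package-lock.json snapshot
// diff with the heuristics the review describes. Assumes lockfile v2/v3 layout.

// Assumed list of well-known names to check new packages against for typosquats.
const POPULAR_NAMES = ["lodash", "express", "react", "axios", "chalk"];

// Classic Levenshtein edit distance via dynamic programming (two rows).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Flatten a lockfile's "packages" map to { name: { version, host, hasInstallScript } }.
// Nested entries ("node_modules/a/node_modules/b") are keyed by their own name;
// the first (hoisted) copy of a name wins.
function flatten(lock) {
  const out = {};
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (out[name]) continue;
    let host = null;
    try { host = meta.resolved ? new URL(meta.resolved).host : null; } catch { host = "unparseable"; }
    out[name] = { version: meta.version, host, hasInstallScript: Boolean(meta.hasInstallScript) };
  }
  return out;
}

function majorOf(version) {
  const m = /^(\d+)/.exec(version || "");
  return m ? Number(m[1]) : null;
}

// Compare a baseline snapshot with the current lockfile and return findings.
function diffLockfiles(baselineLock, currentLock) {
  const base = flatten(baselineLock);
  const cur = flatten(currentLock);
  const findings = [];
  for (const [name, meta] of Object.entries(cur)) {
    const old = base[name];
    if (!old) {
      findings.push({ type: "new-package", name, detail: `added at ${meta.version}` });
      for (const popular of POPULAR_NAMES) {
        const d = levenshtein(name, popular);
        if (d > 0 && d <= 2) findings.push({ type: "typosquat", name, detail: `distance ${d} from ${popular}` });
      }
      if (meta.hasInstallScript) {
        findings.push({ type: "install-script", name, detail: "new package declares an install script" });
      }
      continue;
    }
    const oldMajor = majorOf(old.version);
    const newMajor = majorOf(meta.version);
    if (oldMajor !== null && newMajor !== null && newMajor > oldMajor) {
      findings.push({ type: "major-bump", name, detail: `${old.version} -> ${meta.version}` });
    }
    if (old.host && meta.host && old.host !== meta.host) {
      findings.push({ type: "registry-change", name, detail: `${old.host} -> ${meta.host}` });
    }
  }
  for (const name of Object.keys(base)) {
    if (!cur[name]) findings.push({ type: "removed-package", name, detail: "no longer in lockfile" });
  }
  return findings;
}

// Exit code policy: high-severity finding types always fail; in strict mode any finding fails.
const HIGH_SEVERITY = new Set(["typosquat", "install-script", "registry-change"]);
function exitCodeFor(findings, strict = false) {
  if (findings.some((f) => HIGH_SEVERITY.has(f.type))) return 1;
  return strict && findings.length > 0 ? 1 : 0;
}

// Constructed sample lockfiles (not real project data).
const BASELINE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  "node_modules/express": { version: "4.18.2", resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz" },
} };
const CURRENT_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  "node_modules/express": { version: "5.0.0", resolved: "https://mirror.example.invalid/express/-/express-5.0.0.tgz" },
  "node_modules/lodahs": { version: "1.0.0", resolved: "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz", hasInstallScript: true },
} };

function sampleFindings() { return diffLockfiles(BASELINE_LOCK, CURRENT_LOCK); }

console.log(JSON.stringify(sampleFindings(), null, 2));
console.log("exit code:", exitCodeFor(sampleFindings()));
```

On the constructed input the diff reports a major bump and a registry host change for `express`, and flags `lodahs` three times: as a new package, as a distance-2 near-match of `lodash`, and for its install script. Because typosquat, install-script and registry-change findings are treated as high severity, the exit code is 1 even without strict mode; a lockfile that only contains a major bump fails only when strict mode is on.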

Who should use this?

Node.js teams reviewing package-lock.json changes on every PR, especially those hit by Dependabot merges. Security leads in frontend or backend projects wanting offline scans via `--no-network`. CI/CD pipelines needing exit codes to fail builds on warnings about suspected supply chain attacks.

Verdict

Grab it for quick supply chain checks in JavaScript projects—solid docs and GitHub Action make it CI-ready despite 10 stars and 1.0% credibility score signaling early maturity. Test on a real repo first; it's promising but needs more battle-testing before production mandates.
