lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0

Usage in a monorepo with local packages #150

Closed jackdbd closed 1 year ago

jackdbd commented 1 year ago

I have a monorepo with a few packages I manage using npm workspaces. I have a single package-lock.json for the entire monorepo.

I tried to validate my lockfile using this command:

npx lockfile-lint --path package-lock.json --allowed-hosts npm

and it detected no issues.

However, if I validate the lockfile using either one of these commands:

npx lockfile-lint --path package-lock.json --allowed-hosts npm --validate-https

npx lockfile-lint --path package-lock.json --allowed-hosts npm --allowed-schemes "https:"

I get "detected invalid protocol for package" for all my local dependencies, since the protocol is file: instead of https:.

I also tried to run this command:

npx lockfile-lint --path package-lock.json --allowed-hosts npm --allowed-schemes "https:" "file:"

and it detects no issues. But if I understand correctly, this would allow the file: protocol to be used for packages external to my monorepo, which of course I don't want.

Is there a way to whitelist my local packages? Or am I using the tool incorrectly?

Possibly related issue: https://github.com/lirantal/lockfile-lint/issues/42

lirantal commented 1 year ago

@jackdbd can you confirm that this has been fixed with the latest version of lockfile-lint? We merged a PR that might be relevant to the issue here.

Let me know otherwise and I'll re-open this issue and we'll work on a fix.