Closed jackdbd closed 1 year ago
@jackdbd can you confirm that this has been fixed with the latest version of lockfile-lint? We merged a PR that might be relevant to the issue here.
Let me know otherwise and I'll re-open this issue and we'll work on a fix.
I have a monorepo with a few packages I manage using npm workspaces. I have a single package-lock.json for the entire monorepo.
I tried to validate my lockfile using this command:
and it detected no issues.
However, if I validate the lockfile using either one of these commands:
I get "detected invalid protocol for package" for all my local dependencies, since the protocol is file: instead of https:.
I also tried to run this command:
and it detects no issues. But if I understand correctly, this would allow the file: protocol to be used for packages external to my monorepo, which of course I don't want.
Is there a way to whitelist my local packages? Or am I using the tool incorrectly?
Possibly related issue: https://github.com/lirantal/lockfile-lint/issues/42
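
One way to express the policy asked about in this issue (local file:/link entries accepted only when they resolve inside the monorepo, https: plus an allowed host for everything else), as an added example that is not lockfile-lint's code or part of the original issue. The lockfile excerpt is constructed and assumes npm's lockfileVersion 3 `packages` layout; `lintLock`, `normalizeRel` and the `@acme/ui` package are hypothetical names.

```javascript
// Constructed lockfile excerpt (assumed lockfileVersion 3 shape), not from the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'monorepo', workspaces: ['packages/*'] },
    'node_modules/@acme/ui': { resolved: 'packages/ui', link: true },
    'packages/ui': { name: '@acme/ui', version: '1.0.0' },
    'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/sneaky': { resolved: '../outside/sneaky', link: true },
    'node_modules/plain': { resolved: 'http://registry.npmjs.org/plain/-/plain-1.0.0.tgz' },
  },
};

// Collapse "." and ".." segments of a POSIX-style relative path.
// Returns null for absolute paths and for paths that climb above the repo root.
function normalizeRel(p) {
  if (p.startsWith('/')) return null;
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
    } else out.push(seg);
  }
  return out.join('/');
}

// Returns one problem string per entry that violates the policy.
function lintLock(lock, localRoots, allowedHosts) {
  const roots = localRoots.map((r) => r.replace(/\/*$/, '/')); // "packages" -> "packages/"
  const problems = [];
  for (const [name, entry] of Object.entries(lock.packages || {})) {
    const resolved = entry.resolved;
    if (typeof resolved !== 'string') continue; // no recorded source to check
    if (entry.link === true || resolved.startsWith('file:')) {
      // Local entry: accept only if it stays under a declared workspace root.
      const rel = normalizeRel(resolved.replace(/^file:/, ''));
      const ok = rel !== null && roots.some((r) => rel.startsWith(r));
      if (!ok) problems.push(`${name}: local path outside workspace roots`);
      continue;
    }
    let url = null;
    try { url = new URL(resolved); } catch (e) { /* not a URL, reported below */ }
    if (!url || url.protocol !== 'https:') problems.push(`${name}: invalid protocol`);
    else if (!allowedHosts.includes(url.host)) problems.push(`${name}: host not allowed`);
  }
  return problems;
}
```
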