Support mechanism for exceptions on integrity value requirements to the CLI

[ericcornelissen]

Is your feature request related to a problem? Please describe. Per https://github.com/lirantal/lockfile-lint/issues/186#issuecomment-1913340345: I have a project where I use a dependency available only on the GitLab npm registry. This registry only provides SHA1 integrity values and so dependency installed from there are rejected when using the --validate-integrity option. As a result I can't use --validate-integrity to at least enforce strong integrity values for dependencies from other registries.

Describe the solution you'd like Either or both:

• An option to exempt a registry from the integrity value requirement.
• An option to exempt a package from the integrity value requirement.

Describe alternatives you've considered

• An interface where instead of adding exemptions you specify which registries/packages require strong integrity values.

Beyond lockfile-lint:

• Ask GitLab to update their registry. There's an open ticket for that.
• Ask npm to force the use of locally computed integrity values so that stronger algorithms can be used. Haven't investigated this yet.

[lirantal]

Thanks for opening a dedicated issue for this feature request, Eric.

Are you interested in looking into submitting a PR for this, or would you like me to see about sourcing a first time contribution to it from the community?

[ericcornelissen]

Are you interested in looking into submitting a PR for this, or would you like me to see about sourcing a first time contribution to it from the community?

I am interested in contributing but am too busy to do so until at least next weekend, if anyone else wants to get started on this issue before then they should feel free to do so.