package-lock-lint

A tool to lint npm's package-lock.json files at a basic level since they're impossible to review manually.

$ package-lock-lint /my/package-lock.json

Current checks:

* Matches overall schema
* Dependencies resolve to valid URLs (catches T278857)
* Dependencies are downloaded over secure channels (HTTPS or SSH)
* Package "-" is not depended upon (typo)
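As an added example (not package-lock-lint's own code), the script below applies the three content checks to the "packages" map of a lockfile v2/v3 package-lock.json; the message wording, the SECURE_SCHEMES allowlist and the SAMPLE_LOCK input are constructed here and are not taken from the tool.

```javascript
// Added example, not package-lock-lint's own code: applies the checks listed
// above to a lockfile v2/v3 "packages" map (keys are node_modules paths).
// Message wording and the SAMPLE_LOCK input are constructed for this example.
const SECURE_SCHEMES = new Set(['https:', 'ssh:', 'git+ssh:']);

// A "resolved" field must parse as a URL and use a secure scheme.
function checkResolved(name, resolved, findings) {
  let url;
  try {
    url = new URL(resolved);
  } catch (err) {
    findings.push(`${name}: "resolved" is not a valid URL: ${resolved}`);
    return;
  }
  if (!SECURE_SCHEMES.has(url.protocol)) {
    findings.push(`${name}: insecure scheme ${url.protocol} in ${resolved}`);
  }
}

function lintLock(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    // '' is the root project; other keys end in the installed package name.
    const name = key === '' ? '(root)' : key.split('node_modules/').pop();
    if (name === '-') findings.push(`${key}: package "-" is installed (typo?)`);
    if (typeof entry.resolved === 'string') checkResolved(name, entry.resolved, findings);
    // entry.dependencies here is the package's own name -> range map.
    if (entry.dependencies && '-' in entry.dependencies) {
      findings.push(`${name}: depends on package "-" (typo?)`);
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 shape) exercising every check once.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { good: '^1.0.0', '-': '*' } },
    'node_modules/good': { version: '1.0.0', resolved: 'https://registry.npmjs.org/good/-/good-1.0.0.tgz' },
    'node_modules/plain': { version: '1.0.0', resolved: 'http://registry.npmjs.org/plain/-/plain-1.0.0.tgz' },
    'node_modules/broken': { version: '1.0.0', resolved: 'not a url at all' },
    'node_modules/-': { version: '0.0.1', resolved: 'https://registry.npmjs.org/-/-/--0.0.1.tgz' },
  },
};
console.log(lintLock(SAMPLE_LOCK).join('\n'));
```

Entries without a "resolved" field (bundled or linked packages) are skipped rather than reported, which matches how they appear in real lockfiles.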

See T242058: Add some form of static analysis for package-lock.json for the discussion and inspiration that led to this tool.

(C) 2021 Kunal Mehta, under the GPL v3 or any later version.