New warning idea - linting lockfile dependencies urls

[mbalabash]

There is a lockfile-lint project.
It would be great to add similar feature to warn users if some dependency url in package.lock (or yarn.lock) file has fake url.
Maybe even adopt and use lockfile-lint for it. What do you think?

[fraxken]

We already have kind of similar features with full lock mode:

$ nsecure cwd -f 

see: https://github.com/NodeSecure/scanner/blob/master/src/depWalker.js#L84

I was inspired by lirantal work. I wanted to go further but I never kept digging on the subject.

[fraxken]

But it could be a good idea to have something similar that work with npm Arborist and report more warnings.

For integrity i never really tested it and there is no flag yet. But i guess this could also count as a global warning.

[mbalabash]

Got you. Thanks for response!