Dev.to
6/17/2026

Your package-lock.json diff is unreadable. That's a supply-chain problem.
Short summary
Lockfile diffs contain thousands of reordered lines and hash changes, making supply-chain attacks easy to miss during code review. locksift is a zero-dependency CLI tool that parses package-lock.json and npm lockfiles to show what actually changed: new packages, removed dependencies, version bumps, and downgrades. It integrates into CI/CD with git-diff support and exit-code gating, and runs on both Node.js and Python.
- •New packages flagged for review; transitive dependencies included
- •Version changes and downgrades highlighted for assessment
- •Zero dependencies; dual Node.js/Python builds; integrates with git workflows
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



