Back to feed
Dev.to
Dev.to
6/17/2026
Your package-lock.json diff is unreadable. That's a supply-chain problem.

Your package-lock.json diff is unreadable. That's a supply-chain problem.

Short summary

Lockfile diffs contain thousands of reordered lines and hash changes, making supply-chain attacks easy to miss during code review. locksift is a zero-dependency CLI tool that parses package-lock.json and npm lockfiles to show what actually changed: new packages, removed dependencies, version bumps, and downgrades. It integrates into CI/CD with git-diff support and exit-code gating, and runs on both Node.js and Python.

  • New packages flagged for review; transitive dependencies included
  • Version changes and downgrades highlighted for assessment
  • Zero dependencies; dual Node.js/Python builds; integrates with git workflows

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more