lockfile-guardian-mcp

MCPcommunity
v0.1.0lockfile-guardianMITUpdated 11d agonpmGitHub

Audit a package-lock.json for supply-chain attacks BEFORE npm install. Cross-checks every resolved dependency against the live npm registry: blocks integrity (sha512) mismatches (lockfile poisoning) and not-on-registry entries, and flags new/fresh depende

Automatically indexed from public sources. Not yet verified by the developer on Forge.Claim this listing →
11d agoLast update
Package
Authorlockfile-guardian
LicenseMIT
Version0.1.0
Sourcenpm+mcp-registry
Trust Status
F
10/100Untrusted
Listed in Forge index+10/10
Publisher identity verified+0/25
Publisher: run `forge publish` from the package repo to claim ownership
Ed25519 publish signature+0/10
Included automatically when the publisher runs `forge publish`
Domain verification+0/5
Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
CVE scan · not run+0/30
Not yet scanned — package must be on npm
Static analysis · clean+0/20
Not yet scanned — package must be on npm
npm provenance (Sigstore)+0/5
Publish from GitHub Actions with the --provenance flag
Paste into Claude Code, Cursor, or any AI assistant to fix all gaps
StatusCommunity-indexed
PublisherUnverified
SignatureUnsigned
Domain
Provenance
DependenciesNot audited
Tool surface
Security scanNot run
EvalsNone
IndexedJun 22, 2026

Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.

About

Audit a package-lock.json for supply-chain attacks BEFORE npm install. Cross-checks every resolved dependency against the live npm registry: blocks integrity (sha512) mismatches (lockfile poisoning) and not-on-registry entries, and flags new/fresh depende

Keywords
mcpmodel-context-protocolnpmsecuritysupply-chainpackage-locklockfileintegritylockfile-poisoninginstall-scriptpostinstallnode-gypai-agent