Audit a package-lock.json for supply-chain attacks BEFORE npm install. Cross-checks every resolved dependency against the live npm registry: blocks integrity (sha512) mismatches (lockfile poisoning) and not-on-registry entries, and flags new/fresh depende
Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.
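The cross-check described above, written out as an added example (this is illustrative code, not the tool's own implementation). It walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, asks a lookup callable for each package's registry document, and emits `block` findings for sha512 integrity mismatches and for name@version pairs the registry does not know, plus `warn` findings for versions published within a freshness window or lacking a comparable sha512 hash. The registry data here is a constructed fixture; in a real run the callable would fetch `https://registry.npmjs.org/<name>` and the code reads the `versions[<v>].dist.integrity` and `time[<v>]` fields of that document. Package names, hashes and dates in the fixture are invented.

```python
"""Lockfile audit: compare each package-lock.json entry with registry metadata.

Added example, not the audited tool's own code. Registry access is a callable so
the logic runs offline against a constructed fixture; a real run would GET
https://registry.npmjs.org/<name> and read versions[v].dist.integrity and time[v].
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, "name@version", reason)

# Constructed fixture: a lockfileVersion 3 lock ("resolved" URLs omitted, unused here).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},                        # root project
        "node_modules/example-pkg-a": {"version": "1.2.0", "integrity": "sha512-AAAA"},  # clean
        "node_modules/example-pkg-b": {"version": "2.0.1", "integrity": "sha512-TAMPERED"},  # poisoned
        "node_modules/example-pkg-c": {"version": "0.0.3", "integrity": "sha512-CCCC"},  # never published
        "node_modules/example-pkg-d": {"version": "1.0.0", "integrity": "sha512-DDDD"},  # published yesterday
        "node_modules/@example/scoped": {"version": "3.1.4", "integrity": "sha1-OLD sha512-SSSS"},  # multi-algo SRI
    },
})

# Constructed fixture standing in for the registry "packument" of each package.
REGISTRY_FIXTURE = {
    "example-pkg-a": {"versions": {"1.2.0": {"dist": {"integrity": "sha512-AAAA"}}},
                      "time": {"1.2.0": "2023-01-15T00:00:00.000Z"}},
    "example-pkg-b": {"versions": {"2.0.1": {"dist": {"integrity": "sha512-BBBB"}}},
                      "time": {"2.0.1": "2023-05-01T00:00:00.000Z"}},
    "example-pkg-c": {"versions": {"0.0.1": {"dist": {"integrity": "sha512-C1"}},
                                   "0.0.2": {"dist": {"integrity": "sha512-C2"}}},
                      "time": {"0.0.1": "2022-01-01T00:00:00.000Z", "0.0.2": "2022-06-01T00:00:00.000Z"}},
    "example-pkg-d": {"versions": {"1.0.0": {"dist": {"integrity": "sha512-DDDD"}}},
                      "time": {"1.0.0": "2024-05-30T12:00:00.000Z"}},
    "@example/scoped": {"versions": {"3.1.4": {"dist": {"integrity": "sha512-SSSS"}}},
                        "time": {"3.1.4": "2024-02-01T00:00:00.000Z"}},
}
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def lookup_fixture(name: str) -> Optional[dict]:
    """Stand-in for an HTTP fetch of the registry document; None means unknown package."""
    return REGISTRY_FIXTURE.get(name)


def sha512_entry(integrity: Optional[str]) -> Optional[str]:
    """Return the sha512 hash from an SRI string, which may list several algorithms."""
    return next((p for p in (integrity or "").split() if p.startswith("sha512-")), None)


def package_name(lock_path: str) -> str:
    """Map a packages-map key to a package name; keeps scoped names, handles nesting."""
    return lock_path.split("node_modules/")[-1]


def lock_entries(lock_json: str):
    """Yield (name, version, integrity) for every installed package in the lockfile."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfileVersion 2/3 (with a 'packages' map) is handled")
    for path, meta in lock["packages"].items():
        if path == "" or meta.get("link"):  # root project or workspace symlink
            continue
        yield package_name(path), meta.get("version"), meta.get("integrity")


def audit_lockfile(lock_json: str, registry_lookup: Callable[[str], Optional[dict]],
                   now: datetime, fresh_days: int = 14) -> List[Finding]:
    """Cross-check every lockfile entry against registry metadata."""
    findings: List[Finding] = []
    for name, version, integrity in lock_entries(lock_json):
        ref = f"{name}@{version}"
        doc = registry_lookup(name)
        if doc is None or version not in doc.get("versions", {}):
            findings.append(("block", ref, "not on registry"))
            continue
        reg_hash = sha512_entry(doc["versions"][version].get("dist", {}).get("integrity"))
        lock_hash = sha512_entry(integrity)
        if lock_hash is None or reg_hash is None:
            findings.append(("warn", ref, "no sha512 integrity to compare"))
        elif lock_hash != reg_hash:
            findings.append(("block", ref, "integrity mismatch (possible lockfile poisoning)"))
        published = doc.get("time", {}).get(version)  # registry timestamps look like 2024-05-30T12:00:00.000Z
        if published:
            when = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            age = now - when
            if age < timedelta(days=fresh_days):
                findings.append(("warn", ref, f"published {age.days} day(s) ago"))
    return findings


def should_block(findings: List[Finding]) -> bool:
    """True when any finding is severe enough to stop the install."""
    return any(sev == "block" for sev, _, _ in findings)


if __name__ == "__main__":
    results = audit_lockfile(SAMPLE_LOCK, lookup_fixture, FIXED_NOW)
    for sev, ref, why in results:
        print(f"[{sev.upper():5}] {ref}: {why}")
    raise SystemExit(1 if should_block(results) else 0)
```

Run against the fixture it reports the tampered hash and the unpublished version as blocking and the two-day-old release as a warning, then exits non-zero, which is the behaviour a pre-install gate wants. The freshness window and the warn-versus-block split are policy choices; a missing sha512 is reported rather than blocked only because lockfileVersion 1 entries from older npm releases can carry sha1-only SRI.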