# lockwarden check

Incident triage: report every path by which a package enters the tree.

```sh
npx lockwarden check <pkg>@<version> [<pkg>@<version> ...]
npx lockwarden check --incident <incident-id>
npx lockwarden check <pkg> --history
```

`check` resolves your query against the lockfile, including every transitive resolution, and reports each path by which a matching package enters the tree. That is the difference that matters during incidents: teams pinned to `^9` got node-ipc's payload automatically on their next install, and package.json never showed it.

| Argument | Meaning |
|---|---|
| `queries...` | Package queries: `<pkg>`, `<pkg>@<version>`, or `<pkg>@<range>` |

| Flag | Meaning |
|---|---|
| `--incident <id>` | Check against a vendored incident IOC bundle |
| `--history` | Walk git history of the lockfile to report exposure windows |

All global flags apply.

```sh
# Exact version: am I resolving this right now?
npx lockwarden check node-ipc@9.1.6
# Range: everything that could match a compromised line
npx lockwarden check "node-ipc@>=9.1.6 <9.1.7"
# Named incident bundle (see the incidents reference for available ids)
npx lockwarden check --incident shai-hulud-jun26
# Historical exposure: was this repo *ever* resolving a hit, and in
# which commit window? Derived locally from git log; no service needed.
npx lockwarden check axios --history
# CI-friendly machine output
npx lockwarden check --incident axios-mar26 --json --ci
```
| Code | Meaning |
|---|---|
| 0 | No queried package (or incident package) resolves anywhere in the tree |
| 1 | At least one match found in the resolved tree |
| 2 | Execution error (no lockfile, bad query, missing git history for `--history`) |

- `--history` needs the lockfile to be tracked in git; it reads `git log` locally and never contacts a remote.
- `--incident` bundles ship vendored inside the npm package, so running a check requires zero network. See incident bundles for the list and the `LOCKWARDEN_INCIDENT_DIR` escape hatch.
- `--json` emits a stable machine-readable report of every match and its dependency paths, suitable for piping into other tooling.
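To make the resolution behaviour described above concrete (every path, transitive resolutions included, and the 0/1 exit codes), here is an added example that is not lockwarden's own code. It walks a `package-lock.json` v2/v3 `packages` map, resolves each declared dependency the way npm does (nearest enclosing `node_modules` wins), and reports each path by which a package matching a `<pkg>`, `<pkg>@<version>` or `<pkg>@<range>` query enters the tree. The lockfile is constructed inline; `web-app-helper`, `report-gen` and `ipc-events` are hypothetical package names, and the semver matcher is a deliberately minimal one (exact, `^`, `~`, and comparator sets like `>=9.1.6 <9.1.7`, numeric `x.y.z` versions only).

```javascript
// Added example, not lockwarden's own code: enumerate every dependency path to a
// package matching a query, using npm's node_modules resolution rules.

// Constructed sample lockfile (lockfileVersion 3 shape). Only "web-app-helper" and
// "report-gen" (hypothetical names) are in the root package.json; node-ipc arrives
// transitively, twice, at two versions.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { 'web-app-helper': '^1.0.0', 'report-gen': '^2.0.0' } },
    'node_modules/web-app-helper': { version: '1.2.0', dependencies: { 'node-ipc': '^9.1.0' } },
    'node_modules/node-ipc': { version: '9.1.6', dependencies: { 'ipc-events': '1.0.0' } },
    'node_modules/ipc-events': { version: '1.0.0' },
    'node_modules/report-gen': { version: '2.3.1', dependencies: { 'node-ipc': '~9.0.0' } },
    // report-gen's ~9.0.0 is not satisfied by the hoisted 9.1.6, so npm nests a copy
    'node_modules/report-gen/node_modules/node-ipc': { version: '9.0.5' },
  },
};

// Minimal semver for numeric x.y.z versions (no prerelease tags).
const parseVer = (v) => v.split('.').map(Number);
const cmpVer = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

function satisfies(version, range) {
  const v = parseVer(version);
  if (range === '*' || range === '') return true;
  const m = range.match(/^([\^~])?(\d+\.\d+\.\d+)$/);
  if (m) {
    const base = parseVer(m[2]);
    if (!m[1]) return cmpVer(v, base) === 0;          // exact
    if (cmpVer(v, base) < 0) return false;
    if (m[1] === '~') return v[0] === base[0] && v[1] === base[1];
    // caret: the leftmost non-zero component is fixed
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  // comparator set: every whitespace-separated clause must hold
  return range.trim().split(/\s+/).every((clause) => {
    const c = clause.match(/^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!c) throw new Error(`unsupported range syntax: ${clause}`);
    const d = cmpVer(v, parseVer(c[2]));
    switch (c[1] || '=') {
      case '>=': return d >= 0;
      case '<=': return d <= 0;
      case '>': return d > 0;
      case '<': return d < 0;
      default: return d === 0;
    }
  });
}

// "<pkg>" | "<pkg>@<version>" | "<pkg>@<range>"; a leading "@" belongs to a scope.
function parseQuery(q) {
  const at = q.lastIndexOf('@');
  return at <= 0 ? { name: q, range: '*' } : { name: q.slice(0, at), range: q.slice(at + 1) };
}

// npm resolution: try <from>/node_modules/<name>, then each enclosing node_modules
// directory up to the root. Returns the lockfile key, or null if nothing resolves.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // e.g. an optional dependency that was skipped
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Enumerate every simple path from the root to a package satisfying the query.
// Exhaustive path enumeration is exponential in the worst case; fine for triage.
function findPaths(lock, query) {
  const { name, range } = parseQuery(query);
  const packages = lock.packages;
  const labelOf = (key) => (key === ''
    ? (lock.name || '(root)')
    : `${key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length)}@${packages[key].version}`);
  const declared = (p) => ({ ...(p.dependencies || {}), ...(p.optionalDependencies || {}), ...(p.devDependencies || {}) });
  const hits = [];
  const walk = (key, chain) => {
    for (const depName of Object.keys(declared(packages[key]))) {
      const resolved = resolveDep(packages, key, depName);
      if (!resolved || chain.includes(resolved)) continue; // unresolved, or a cycle
      const next = chain.concat(resolved);
      if (depName === name && satisfies(packages[resolved].version, range)) {
        hits.push({ name: depName, version: packages[resolved].version, location: resolved, path: next.map(labelOf) });
      }
      walk(resolved, next);
    }
  };
  walk('', ['']);
  return hits;
}

// Mirror the documented exit codes: 0 = no match anywhere, 1 = at least one match.
const exitCode = (hits) => (hits.length ? 1 : 0);

for (const q of ['node-ipc@9.1.6', 'node-ipc', 'node-ipc@>=9.1.6 <9.1.7']) {
  const hits = findPaths(SAMPLE_LOCK, q);
  console.log(`${q}: ${hits.length} match(es), exit ${exitCode(hits)}`);
  for (const h of hits) console.log(`  ${h.path.join(' > ')}  (${h.location})`);
}
```

The nested copy under `node_modules/report-gen/node_modules/node-ipc` is the case worth noticing: a query for the bare name finds both copies, while `node-ipc@9.1.6` reports only the hoisted one, so a triage that greps package.json, or even the top-level `node_modules`, would miss half the exposure.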