lockwarden drift
Lockfile & version-anomaly detection vs a base ref.
Synopsis
Section titled “Synopsis”npx lockwarden drift [--base <ref>]drift answers: did my lockfile change in ways my manifest doesn’t explain? It compares
the current lockfile against a git ref and flags:
- Resolved version changes not explained by
package.jsonchanges — lockfile-only tampering. - Registry / tarball URL changes — the source of a resolved integrity hash moved.
- Integrity hash changes for an unchanged version — the same version now has different bytes.
- New packages entering via patch/minor bumps of existing dependencies.
| Flag | Default | Meaning |
|---|---|---|
--base <ref> | main | Git ref to compare the lockfile against |
All global flags apply.
Examples
Section titled “Examples”npx lockwarden drift # compare against mainnpx lockwarden drift --base origin/mainnpx lockwarden drift --base v1.4.0 --jsonExit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
0 | No anomalies at or above --threshold |
1 | Anomalies at or above --threshold |
2 | Execution error — unknown ref, lockfile missing at the base ref, unparseable lockfile |
A note on provenance
Section titled “A note on provenance”drift deliberately does not treat SLSA provenance as a pass signal. The June 2026
Miasma compromise published Trojanized packages with valid provenance from the victim’s
own hijacked pipeline. Provenance presence is reported as informational context, never as
a green light — version-to-version anomaly is the honest signal.
driftreads git locally; it makes no network calls.- Pair it with
audit --diffin PR review:driftcatches lockfile tampering,audit --diffscores what the changed packages can newly execute.