This script converts a pnpm-lock.yaml file into a package-lock.json file for audit-scanning purposes only.
A successful scan depends on preserving every dependency's integrity hash (the SHA-based integrity field pnpm records for each resolved package),
so that security scanning tools such as Prisma Cloud (formerly Twistlock), Checkov, etc., which support scanning npm's package-lock.json
out of the box, vet exactly the artifacts pnpm resolved, not merely the same version numbers.
This is not intended to be used to convert a project from pnpm to npm.
To run the tool:
# with npx
npx pnpm-lock-to-npm-lock <path to pnpm-lock.yaml>
# otherwise, install it globally first
npm i -g pnpm-lock-to-npm-lock
pnpm-lock-to-npm-lock <path to pnpm-lock.yaml>
If running in a Rush monorepo, where the monorepo's pnpm lockfile is held within a config
directory rather than at the repo root, you can run the tool with a contextual environment variable instead of a path:
RUNTIME_CONTEXT=RUSH_MONOREPO npx pnpm-lock-to-npm-lock
Support for other monorepo layouts and out-of-the-box repo configurations is not yet implemented,
but passing the correct path to any pnpm-lock.yaml will create a scannable package-lock.json
in that same directory.
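One check a practitioner will want before trusting a scan of the generated file is that the conversion really did preserve every integrity hash: a scanner only vets what the npm lockfile pins, so an entry whose hash was dropped or changed is silently unaudited. The script below is an added example and is not part of pnpm-lock-to-npm-lock. It reads the packages section of a pnpm-lock.yaml (v5, v6 and v9 key layouts), collects name@version together with its integrity value, and checks each one against the package-lock.json (lockfile v1, v2 or v3) the tool produced. It uses Node.js built-ins only; the embedded sample lockfiles and every hash in them are constructed placeholders, and the file name in the usage line is an assumption.

```javascript
// Added example (not part of pnpm-lock-to-npm-lock): verify that every
// dependency integrity hash in a pnpm-lock.yaml also appears in the
// generated package-lock.json, so a scanner reading the npm lockfile sees
// the same pinned artifacts pnpm would install. Node.js built-ins only.

// Turn a pnpm package key into { name, version }. Handles the key shapes pnpm
// has used: v5 "/name/1.0.0[_peer@x]", v6 "/name@1.0.0(peer@x)", v9 "name@1.0.0(peer@x)",
// scoped names, and YAML-quoted keys.
function parsePackageKey(rawKey) {
  let key = rawKey.trim().replace(/^['"]|['"]$/g, '');
  key = key.replace(/\(.*$/, '');                 // drop "(peer@ver)" suffixes (v6+)
  if (key.startsWith('/')) key = key.slice(1);
  const scoped = key.startsWith('@');
  const slashes = (key.match(/\//g) || []).length;
  if (slashes > (scoped ? 1 : 0)) {               // v5 layout: name/version[_peers]
    const slash = key.lastIndexOf('/');
    return { name: key.slice(0, slash), version: key.slice(slash + 1).replace(/_.*$/, '') };
  }
  const at = key.indexOf('@', 1);                 // v6/v9 layout: name@version
  if (at < 0) return null;
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Line-oriented scan of the "packages:" section of pnpm-lock.yaml.
// Returns Map<"name@version", integrity>. Entries without an "integrity:"
// value (git or plain tarball resolutions) carry nothing to compare and are skipped.
function pnpmIntegrities(yamlText) {
  const out = new Map();
  let inPackages = false;
  let current = null;
  for (const line of yamlText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {                       // a new top-level key
      inPackages = /^packages:\s*$/.test(line);
      current = null;
      continue;
    }
    if (!inPackages || line.trim() === '') continue;
    const keyMatch = line.match(/^  (\S.*):\s*$/); // exactly two spaces: a package key
    if (keyMatch) { current = parsePackageKey(keyMatch[1]); continue; }
    const integ = line.match(/integrity:\s*['"]?(sha\d+-[A-Za-z0-9+/=]+)/);
    if (integ && current) out.set(`${current.name}@${current.version}`, integ[1]);
  }
  return out;
}

// Collect Map<"name@version", Set<integrity>> from package-lock.json.
// Lockfile v2/v3 keep a flat "packages" map keyed by install path; v1 keeps a
// nested "dependencies" tree. The same version may legitimately appear at
// several paths, hence a Set.
function npmIntegrities(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const out = new Map();
  const add = (name, entry) => {
    if (!entry || !entry.version || !entry.integrity) return;
    const id = `${name}@${entry.version}`;
    if (!out.has(id)) out.set(id, new Set());
    out.get(id).add(entry.integrity);
  };
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      const idx = p.lastIndexOf('node_modules/');
      if (idx < 0) continue;                      // "" is the root project, not a dependency
      add(p.slice(idx + 'node_modules/'.length), entry);
    }
    return out;
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) { add(name, entry); walk(entry.dependencies); }
  };
  walk(lock.dependencies);
  return out;
}

// Report every pnpm entry whose integrity hash is absent from the npm lockfile.
function verifyIntegrityPreserved(yamlText, lockJsonText) {
  const expected = pnpmIntegrities(yamlText);
  const actual = npmIntegrities(lockJsonText);
  const missing = [];
  for (const [id, integrity] of expected) {
    const found = actual.get(id);
    if (!found || !found.has(integrity)) missing.push({ id, expected: integrity, found: found ? [...found] : [] });
  }
  return { checked: expected.size, missing };
}

// Constructed sample lockfiles; the hashes are placeholders, not real digests.
const SAMPLE_PNPM_LOCK = `lockfileVersion: '6.0'

dependencies:
  lodash:
    specifier: ^4.17.21
    version: 4.17.21

packages:

  /@types/node@18.19.0:
    resolution: {integrity: sha512-TYPESNODE0000000000000000000000000000000000000000000000000000000000000000000000==}
    dev: true

  /debug@4.3.4(supports-color@9.4.0):
    resolution: {integrity: sha512-DEBUG4340000000000000000000000000000000000000000000000000000000000000000000000000==}

  /lodash@4.17.21:
    resolution: {integrity: sha512-LODASH417210000000000000000000000000000000000000000000000000000000000000000000000==}
    dev: false
`;

const SAMPLE_NPM_LOCK = JSON.stringify({
  name: 'example', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'example', dependencies: { lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21', integrity: 'sha512-LODASH417210000000000000000000000000000000000000000000000000000000000000000000000==' },
    'node_modules/debug': { version: '4.3.4', integrity: 'sha512-DEBUG4340000000000000000000000000000000000000000000000000000000000000000000000000==' },
    // hash drifted from the pnpm lockfile: a scanner would vet a different artifact
    'node_modules/@types/node': { version: '18.19.0', dev: true, integrity: 'sha512-WRONG00000000000000000000000000000000000000000000000000000000000000000000000000000==' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [yamlPath, lockPath] = process.argv.slice(2);
  const report = yamlPath && lockPath
    ? verifyIntegrityPreserved(fs.readFileSync(yamlPath, 'utf8'), fs.readFileSync(lockPath, 'utf8'))
    : verifyIntegrityPreserved(SAMPLE_PNPM_LOCK, SAMPLE_NPM_LOCK);
  console.log(JSON.stringify(report, null, 2));
}
```

Run it as `node verify-lock-integrity.js pnpm-lock.yaml package-lock.json` (the file name is an assumption) after converting; with no arguments it runs on the embedded samples, where the @types/node entry deliberately carries a different hash and is reported as missing. An empty missing list is the condition under which a scan of package-lock.json is actually a scan of what pnpm installs.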
Primarily maintained by Ryan Schumacher (@jrschumacher) & Jake Van Vorhis (@jakedoublev).
We'd love your help maintaining and extending pnpm-lock-to-npm-lock!
To test the tool within this repo: npx . pnpm-lock.yaml
Please update CHANGELOG.md and follow SemVer with any contributions.