
Convert pnpm-lock.yaml to security-scannable package-lock.json


PNPM Lock to NPM Lock

This script converts a pnpm-lock.yaml file into a package-lock.json file for audit scanning only.

The generated file preserves every dependency integrity hash (SHA) recorded in the pnpm lockfile, so security scanning tools such as Prisma, Twistlock and Checkov, which support npm's package-lock.json out of the box, can audit the same pinned versions. It is not intended as a way to convert a project from pnpm to npm.
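To make the conversion concrete, here is an added example (not code from the pnpm-lock-to-npm-lock project) of the core step: taking an already-parsed pnpm-lock.yaml object and emitting a lockfileVersion 3 package-lock.json structure in which every integrity hash is copied across unchanged, with a check that reports the entries a hash-keyed scanner cannot verify. Reading the YAML itself is left out, and the registry tarball URL layout, the placement of a second version of the same package under its dependent, and the sample lockfile with placeholder hashes are this example's own assumptions.

```typescript
// Added example, not code from the pnpm-lock-to-npm-lock project: a minimal
// pnpm-lock -> package-lock (lockfileVersion 3) conversion that carries every
// integrity hash across unchanged and reports entries that have none. The input is
// the already-parsed YAML object; the registry tarball URL layout and the
// flat-then-nested placement of duplicate versions are assumptions, not the tool's behaviour.
interface PnpmPackage {
  resolution: { integrity?: string; tarball?: string; type?: string; repo?: string; commit?: string };
  dependencies?: Record<string, string>; // name -> "1.2.3" or "1.2.3(peer@4.5.6)"
  name?: string; // pnpm writes name/version only on entries whose key is not name@version (git, URL)
  version?: string;
  dev?: boolean;
}
interface PnpmLock {
  lockfileVersion: string;
  dependencies?: Record<string, { specifier: string; version: string }>;
  devDependencies?: Record<string, { specifier: string; version: string }>;
  packages: Record<string, PnpmPackage>;
}
interface NpmLockEntry { name: string; version: string; resolved?: string; integrity?: string; dev?: boolean; dependencies?: Record<string, string> }
interface NpmRoot { name: string; dependencies: Record<string, string>; devDependencies: Record<string, string> }
interface NpmLock { name: string; lockfileVersion: 3; requires: true; packages: Record<string, NpmLockEntry | NpmRoot> }

// Split a pnpm package key into name and version: v6 keys ("/lodash@4.17.21"), v9 keys
// ("lodash@4.17.21"), scopes ("/@babel/core@7.24.0") and peer suffixes ("/foo@1.0.0(react@18.2.0)").
export function parsePnpmKey(key: string): { name: string; version: string } {
  let k = key.startsWith("/") ? key.slice(1) : key;
  const paren = k.indexOf("(");
  if (paren !== -1) k = k.slice(0, paren);
  const at = k.lastIndexOf("@"); // last "@" so a leading "@scope/" survives
  if (at <= 0) throw new Error(`cannot parse pnpm package key: ${key}`);
  return { name: k.slice(0, at), version: k.slice(at + 1) };
}
const bareVersion = (v: string): string => (v.includes("(") ? v.slice(0, v.indexOf("(")) : v); // "7.5.4(x@1)" -> "7.5.4"

// Assumed public-registry layout: https://registry.npmjs.org/<name>/-/<basename>-<version>.tgz
function registryTarball(name: string, version: string): string {
  const base = name.includes("/") ? name.slice(name.indexOf("/") + 1) : name;
  return `https://registry.npmjs.org/${name}/-/${base}-${version}.tgz`;
}

export function convert(lock: PnpmLock, projectName: string): NpmLock {
  // Index by "name@version"; keys that differ only by peer suffix share one hash.
  const byId = new Map<string, { name: string; version: string; pkg: PnpmPackage }>();
  for (const [key, pkg] of Object.entries(lock.packages)) {
    const nv = pkg.name && pkg.version ? { name: pkg.name, version: pkg.version } : parsePnpmKey(key);
    const id = `${nv.name}@${nv.version}`;
    if (!byId.has(id)) byId.set(id, { ...nv, pkg });
  }
  const specifiers = (deps?: Record<string, { specifier: string }>) =>
    Object.fromEntries(Object.entries(deps ?? {}).map(([n, d]) => [n, d.specifier]));
  const packages: NpmLock["packages"] = {
    "": { name: projectName, dependencies: specifiers(lock.dependencies), devDependencies: specifiers(lock.devDependencies) },
  };
  const pathOf = new Map<string, string>(); // id -> node_modules path already assigned
  let pending = [...byId.keys()];
  while (pending.length > 0) {
    const deferred: string[] = [];
    for (const id of pending) {
      const { name, version, pkg } = byId.get(id)!;
      let path = `node_modules/${name}`;
      if (path in packages) {
        // The flat slot already holds another version: nest this one under an
        // already placed package that depends on it, as npm's own layout does.
        const parent = [...pathOf.entries()].find(([pid]) => {
          const deps = byId.get(pid)!.pkg.dependencies ?? {};
          return name in deps && bareVersion(deps[name]) === version;
        });
        if (parent === undefined) { deferred.push(id); continue; } // dependent not placed yet; retry
        path = `${parent[1]}/node_modules/${name}`;
      }
      const entry: NpmLockEntry = { name, version };
      if (pkg.resolution.integrity !== undefined) entry.integrity = pkg.resolution.integrity; // copied verbatim
      if (pkg.resolution.tarball !== undefined) entry.resolved = pkg.resolution.tarball;
      else if (entry.integrity !== undefined) entry.resolved = registryTarball(name, version);
      if (pkg.dev) entry.dev = true;
      if (pkg.dependencies)
        entry.dependencies = Object.fromEntries(Object.entries(pkg.dependencies).map(([n, v]) => [n, bareVersion(v)]));
      packages[path] = entry;
      pathOf.set(id, path);
    }
    if (deferred.length === pending.length) throw new Error(`no placement for: ${deferred.join(", ")}`);
    pending = deferred;
  }
  return { name: projectName, lockfileVersion: 3, requires: true, packages };
}

// Paths in the generated lock with no integrity hash (typically git or plain-URL
// dependencies): a hash-keyed scanner cannot verify these, so report them.
export function missingIntegrity(lock: NpmLock): string[] {
  return Object.entries(lock.packages).filter(([p, e]) => p !== "" && !("integrity" in e)).map(([p]) => p);
}

// Constructed sample mirroring a parsed lockfileVersion 6 pnpm-lock.yaml; the sha512 strings are placeholders.
export const SAMPLE_LOCK: PnpmLock = {
  lockfileVersion: "6.0",
  dependencies: { "@babel/core": { specifier: "^7.24.0", version: "7.24.0" }, semver: { specifier: "^7.5.4", version: "7.5.4" } },
  devDependencies: { "some-git-tool": { specifier: "github:example/some-git-tool#abc1234", version: "github.com/example/some-git-tool/abc1234" } },
  packages: {
    "/@babel/core@7.24.0": { resolution: { integrity: "sha512-PLACEHOLDERbabelcore" }, dependencies: { semver: "6.3.1" } },
    "/semver@7.5.4": { resolution: { integrity: "sha512-PLACEHOLDERsemver754" } },
    "/semver@6.3.1": { resolution: { integrity: "sha512-PLACEHOLDERsemver631" } },
    "github.com/example/some-git-tool/abc1234": { resolution: { type: "git", repo: "https://github.com/example/some-git-tool", commit: "abc1234" }, name: "some-git-tool", version: "1.0.0", dev: true },
  },
};
```

Running `convert(SAMPLE_LOCK, "demo")` places semver 7.5.4 at node_modules/semver and the 6.3.1 copy that @babel/core needs under node_modules/@babel/core/node_modules/semver, each with its own hash, and `missingIntegrity` flags the git dependency, which has no hash for a scanner to check. A real conversion has to handle the pnpm key shapes this example parses plus whatever else the lockfile version in use emits, and should be diffed against the source lockfile so that the set of integrity hashes is identical before the output is handed to a scanner.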

Overview

To run the tool:

# with npx
npx pnpm-lock-to-npm-lock <path to pnpm-lock.yaml>

# otherwise
npm i -g pnpm-lock-to-npm-lock
pnpm-lock-to-npm-lock <path to pnpm-lock.yaml>

Rush monorepos

In a Rush monorepo, where the pnpm lockfile lives in a config directory rather than at the repo root, set a runtime-context environment variable instead of passing a path:

RUNTIME_CONTEXT=RUSH_MONOREPO npx pnpm-lock-to-npm-lock

Other monorepo layouts are not yet supported out of the box, but passing the path to any pnpm-lock.yaml writes a scannable package-lock.json into that file's directory.

Contributing

Primarily maintained by Ryan Schumacher (@jrschumacher) & Jake Van Vorhis (@jakedoublev).

We'd love your help maintaining and extending pnpm-lock-to-npm-lock!

To test the tool from a checkout of this repo: npx . pnpm-lock.yaml

Please update CHANGELOG.md and follow SemVer with any contribution.