Node.js Lockfile Visualizer
Analyze your package-lock.json to visualize dependencies, find duplicate packages, detect install scripts, and identify potential security issues.
Understanding package-lock.json
The package-lock.json file is automatically generated when npm modifies node_modules or package.json. It describes the exact dependency tree that was generated, ensuring reproducible installs across machines.
Lockfile Versions
- Version 1: Legacy format with a dependencies object
- Version 2: Hybrid format with both packages and dependencies
- Version 3: Modern format with only packages (npm 7+)
Security Considerations
Packages with install scripts (preinstall, install, postinstall) can execute arbitrary code during npm install. Review these packages carefully for supply chain security.
Duplicate Packages
When different dependencies require different versions of the same package, npm installs multiple versions. This increases node_modules size and can cause issues with singleton modules. Use npm dedupe to flatten duplicates where possible.
Integrity Hashes
The integrity field contains a SHA-512 hash of the package tarball. npm uses this to verify package integrity and detect tampering. Packages without integrity hashes may have been installed from a registry that doesn't support it.
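The checks described in the sections above (lockfile version, install scripts, duplicate versions, missing integrity hashes), as an added example that is not the visualizer's own code. It reads the packages object of a version 2 or 3 lockfile and relies on the hasInstallScript flag npm records there; the lockfile contents are constructed for illustration.

```javascript
// Constructed sample lockfile (version 3); integrity values are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-native": {
      version: "1.2.0", hasInstallScript: true, integrity: "sha512-PLACEHOLDER1"
    },
    "node_modules/shared-lib": { version: "7.5.4", integrity: "sha512-PLACEHOLDER2" },
    "node_modules/example-util": { version: "2.0.0" }, // no integrity field
    "node_modules/example-util/node_modules/shared-lib": {
      version: "6.3.1", integrity: "sha512-PLACEHOLDER3"
    }
  }
};

// Package name is the path segment after the last "node_modules/",
// which also handles nested installs and scoped packages (@scope/name).
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function analyzeLockfile(lock) {
  const lockfileVersion = lock.lockfileVersion;
  if (lockfileVersion !== 2 && lockfileVersion !== 3) {
    throw new Error(`unsupported lockfileVersion ${lockfileVersion}`);
  }
  const installScripts = [];   // packages that run code during npm install
  const missingIntegrity = []; // packages npm cannot verify against a hash
  const versionsByName = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path);
    const id = `${name}@${entry.version}`;
    if (entry.hasInstallScript) installScripts.push(id);
    // Workspace links (entry.link === true) legitimately carry no integrity.
    if (!entry.integrity && !entry.link) missingIntegrity.push(id);
    if (!versionsByName.has(name)) versionsByName.set(name, new Set());
    versionsByName.get(name).add(entry.version);
  }
  const duplicates = {}; // name -> every installed version, when more than one
  for (const [name, versions] of versionsByName) {
    if (versions.size > 1) duplicates[name] = [...versions].sort();
  }
  return { lockfileVersion, installScripts, duplicates, missingIntegrity };
}
```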