Will It Vibe?
ARCH-011Medium severity-8 points

Missing lockfile

Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

No package-lock.json/yarn.lock/pnpm-lock.yaml was found alongside package.json.

Why it matters

Without a lockfile, every install resolves version ranges fresh, so CI, teammates, and production can each end up with different dependency trees. A transitive package release can break your build overnight with no change on your side, and those failures are painful to trace. The lockfile pins the exact tree so installs are reproducible.

How to fix it

Generate and commit the lockfile for your package manager: npm install writes package-lock.json (npm install --package-lock-only writes it without touching node_modules), yarn install writes yarn.lock, pnpm install writes pnpm-lock.yaml. Commit it, and switch CI installs to npm ci, yarn install --frozen-lockfile, or pnpm install --frozen-lockfile so drift fails loudly instead of silently.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Architecture & Best Practices checks