npm manifest with no lockfile
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
package.json exists with no package-lock.json, yarn.lock, pnpm-lock.yaml, or npm-shrinkwrap.json in the same directory, so npm install resolves fresh versions every time.
Why it matters
A package.json with no package-lock.json/yarn.lock/pnpm-lock.yaml means every npm install resolves dependency versions fresh against whatever the registry currently has, within whatever range each package.json entry allows. Two installs on two different days -- or two different machines on the same day -- can end up with different actual code running, which makes bugs hard to reproduce and means a compromised or broken transitive release can slip in without any change to your own repository.
How to fix it
Run npm install (or yarn/pnpm install) once, commit the generated lockfile, and keep it committed going forward. CI should install with --frozen-lockfile / npm ci so a stale lockfile fails the build loudly instead of silently drifting.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo