Will It Vibe logoWill It Vibe?
SCA-012Medium severity-8 points

npm manifest with no lockfile

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

package.json exists with no package-lock.json, yarn.lock, pnpm-lock.yaml, or npm-shrinkwrap.json in the same directory, so npm install resolves fresh versions every time.

Why it matters

A package.json with no package-lock.json/yarn.lock/pnpm-lock.yaml means every npm install resolves dependency versions fresh against whatever the registry currently has, within whatever range each package.json entry allows. Two installs on two different days -- or two different machines on the same day -- can end up with different actual code running, which makes bugs hard to reproduce and means a compromised or broken transitive release can slip in without any change to your own repository.

How to fix it

Run npm install (or yarn/pnpm install) once, commit the generated lockfile, and keep it committed going forward. CI should install with --frozen-lockfile / npm ci so a stale lockfile fails the build loudly instead of silently drifting.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks