package.json dependency missing from package-lock.json
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A dependency declared in package.json has no matching entry anywhere in the sibling package-lock.json, a sign the lockfile is stale relative to the manifest (only evaluated when package-lock.json is the lockfile in use; yarn.lock/pnpm-lock.yaml are not parsed here).
Why it matters
A dependency declared in package.json with no matching entry anywhere in the sibling package-lock.json means the lockfile was not regenerated after the manifest changed -- the most common cause is editing package.json by hand (or via a merge) without running an install afterward. Until someone runs an install, npm ci in CI will fail or silently reconcile in ways that differ from what a developer's machine did, and it's a sign the two files have drifted apart.
How to fix it
Run your package manager's install command (npm install) to regenerate the lockfile so it reflects the current package.json, then commit the updated lockfile. If CI uses npm ci, this drift would otherwise cause it to fail outright, so treat this as blocking rather than cosmetic.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo