Will It Vibe logoWill It Vibe?
SCA-023Low severity-4 points

Multiple conflicting JS lockfiles present

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

More than one of package-lock.json/yarn.lock/pnpm-lock.yaml/npm-shrinkwrap.json exists next to the same package.json, so contributors and CI can silently use different package managers and resolve different dependency trees.

Why it matters

When more than one of package-lock.json/yarn.lock/pnpm-lock.yaml/npm-shrinkwrap.json exists next to the same package.json, different contributors (or CI vs. local dev) can end up running different package managers against the same manifest, each resolving its own dependency tree and its own lockfile updates. Over time the lockfiles disagree with each other and nobody notices until a bug shows up that only reproduces with one of them.

How to fix it

Pick one package manager for the project, delete the other lockfile(s), add the unused ones to .gitignore so they don't reappear, and document the choice (in the README or CONTRIBUTING guide) so contributors don't regenerate the wrong one.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks