Which lockfiles are supported?

It supports package-lock.json, pnpm-lock.yaml, and classic yarn.lock text well enough for inventory and risk signals.

No. It does not call a vulnerability database. It focuses on lockfile structure, duplicate versions, source types, and integrity signals.

Why flag duplicate versions?

Multiple locked versions can increase bundle size, widen patch work, and hide old vulnerable transitive dependencies.

Is my lockfile uploaded?

No. The file is parsed locally in your browser.

Clean up duplicate package versions

Export duplicate version rows before dependency dedupe or package manager migration work.

Review lockfiles before release freeze

Flag git dependencies, HTTP tarballs, prereleases, and missing integrity before shipping.

Package Lock Dependency Auditor - local lockfile risk inventory

Inspect package-lock.json, pnpm-lock.yaml, or yarn.lock for duplicate versions, risky sources, prereleases, and missing integrity.

Runs locally
Category Developer & DevOps
Best for Formatting, validating, shrinking, or inspecting code-adjacent text.

Load file

Runs locally in your browser. Files are not uploaded. Text limit: 8 MB.

Output format

InputOutput

# Package Lock Dependency Audit Report

- Dependency entries: 3
- Unique packages: 3
- Packages with duplicate versions: 0
- Git/GitHub dependencies: 1
- HTTP dependencies: 0
- File/link/workspace dependencies: 0
- Prerelease versions: 1
- Missing integrity: 1

## Duplicate Version Packages
No duplicate package versions found.

## Dependency Inventory
| name | version | source |
| --- | --- | --- |
| @toolora/ui | 1.0.0 | https://registry.npmjs.org/@toolora/ui/-/ui-1.0.0.tgz |
| lodash | 4.17.21 | https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz |
| debug | 5.0.0-beta.1 | git+https://github.com/debug-js/debug.git |

Deps

Unique

Dupes

Warnings

1 dependencies resolve from git or GitHub.
1 dependencies are missing integrity metadata.

What this tool does

Package Lock Dependency Auditor reads common JavaScript lockfiles locally and produces a dependency risk inventory. Paste package-lock.json, pnpm-lock.yaml, or yarn.lock to count dependency entries, unique package names, duplicate locked versions, git or GitHub sources, plain HTTP tarballs, file or link dependencies, prerelease versions, and packages missing integrity metadata. It is useful before dependency cleanup, supply-chain review, release freeze, monorepo migration, vendor handoff, and debugging bundle bloat caused by multiple versions of the same package. The tool does not install packages, call registries, or upload the lockfile. Reports can be exported as Markdown, JSON, or CSV.

Tool details

Input: Files + Text + Numbers; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy + Download; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Shareable URL state; Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget: Initial JS <= 118 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Developer & DevOps · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How Package Lock Dependency Auditor fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

Formatting, validating, shrinking, or inspecting code-adjacent text.
Preparing snippets for documentation, tickets, commits, or handoff.
Checking a small payload quickly without switching tools.

Developer checks

Run irreversible transforms like minify or obfuscate on a copy.
Keep secrets out of pasted snippets unless the tool explicitly stays local.
Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Clean up duplicate package versions
Export duplicate version rows before dependency dedupe or package manager migration work.
Review lockfiles before release freeze
Flag git dependencies, HTTP tarballs, prereleases, and missing integrity before shipping.

Common pitfalls

Running npm audit but never checking whether the lockfile has duplicate versions or non-registry sources.
Committing lockfiles with temporary file or link dependencies after local debugging.

Privacy

Lockfiles can reveal private package names and repository URLs. Analysis stays local.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Browse all tools for this role

Package Lock Dependency Auditor - local lockfile risk inventory

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How Package Lock Dependency Auditor fits into your work

Developer jobs

Developer checks

Good next steps

Real-world use cases

Clean up duplicate package versions

Review lockfiles before release freeze

Common pitfalls

Privacy

FAQ

ENV Secret Scanner

JSON Schema Inferencer

OpenAPI Endpoint Auditor

File Hash Calculator

Duplicate File Finder

JS Obfuscator

npm / yarn / pnpm Cheatsheet

AI Eval Planner

Apache Cheatsheet

API Key Generator

API Rate Limit Cheatsheet

ASCII Table Generator