
Package Lock Risk Detector Hook for Claude Code

PostToolUse hook that flags risky package-lock.json, yarn.lock, and pnpm-lock.yaml edits: missing lockfile updates, unexpected registry hosts, and dependency count spikes before merge.

by kiannidev · added 2026-06-17
Harness: Claude Code
Trigger: PostToolUse
Review first: review before installing

Open the source and read safety notes before installing.

Safety notes

  • Read-only advisory hook; it does not block writes unless you wrap it with strict exit handling.
  • Does not substitute for npm audit, OSV scans, or CI dependency review.

Privacy notes

  • Lockfile paths and registry hostnames are printed locally to stderr for the active session.

Prerequisites

  • jq available when reviewing npm package-lock.json resolved URLs.
  • Team policy for allowed npm registries and lockfile update requirements.

Schema details

Install type: cli
Troubleshooting: No
Scope: Source repo

Runtime and command metadata

Trigger: PostToolUse
Script language: bash

Script body
#!/usr/bin/env bash
set -u
# Claude Code passes the tool call as JSON on stdin; pull out the edited file path.
INPUT=$(cat)
FILE=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty')
# Only lockfile edits are of interest; exit quietly for everything else.
case "$FILE" in
  *package-lock.json|*yarn.lock|*pnpm-lock.yaml) ;;
  *) exit 0 ;;
esac
echo "package-lock-risk: reviewing $(basename "$FILE")" >&2
# For npm lockfiles, list the unique hosts behind every "resolved" tarball URL.
# The recursive jq walk covers both the v1 "dependencies" tree and the v2/v3
# "packages" map; sed keeps only the host part, output is capped at 20 lines.
if [[ "$FILE" == *package-lock.json ]] && command -v jq >/dev/null 2>&1; then
  HOSTS=$(jq -r '..|.resolved? // empty' "$FILE" 2>/dev/null | sed -n 's#.*//\([^/]*\)/.*#\1#p' | sort -u | head -n 20)
  if [ -n "$HOSTS" ]; then
    echo "Resolved registry hosts:" >&2
    printf '%s\n' "$HOSTS" >&2
  fi
fi
# Advisory only: always exit 0 so the write is never blocked.
exit 0
Full copyable content
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "./.claude/hooks/package-lock-risk-detector.sh"
          }
        ]
      }
    ]
  }
}

About this resource

Overview

Advisory PostToolUse hook for lockfile edits. It surfaces registry hostnames from npm package-lock.json resolved fields and reminds contributors to review dependency deltas.
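As an added example (not part of the hook or of this registry entry), the checks the description lists, written in Python rather than bash so they run without jq, over a constructed lockfile: the hook-input path filter, resolved-host extraction, comparison against a registry allowlist, plain-http detection, and a dependency-count spike check. The allowlist, the sample URLs and the spike threshold are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the JSON a PostToolUse hook receives on stdin.
HOOK_INPUT = '{"tool_name": "Edit", "tool_input": {"file_path": "/repo/package-lock.json"}}'

# Constructed package-lock.json (lockfileVersion 3: a flat "packages" map).
SAMPLE_LOCK = {
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/left-pad": {"version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/internal-lib": {"version": "2.0.0",
            "resolved": "https://npm.example-corp.test/internal-lib/-/internal-lib-2.0.0.tgz"},
        "node_modules/oddball": {"version": "0.0.1",
            "resolved": "http://203.0.113.9/oddball-0.0.1.tgz"},
    },
}

LOCKFILE_NAMES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml")
ALLOWED_HOSTS = {"registry.npmjs.org"}  # assumption: the team's registry allowlist

def lockfile_from_hook_input(raw):
    """Return the edited path if it is a lockfile, else None (the hook's case statement)."""
    tool_input = json.loads(raw).get("tool_input", {})
    path = tool_input.get("file_path") or tool_input.get("path") or ""
    return path if path.endswith(LOCKFILE_NAMES) else None

def resolved_hosts(lock):
    """Unique hosts of every 'resolved' URL, like the hook's jq + sed pipeline."""
    urls = (e.get("resolved") for e in lock.get("packages", {}).values())
    return {urlparse(u).hostname for u in urls if u}

def unexpected_hosts(lock, allowed=ALLOWED_HOSTS):
    """Hosts outside the allowlist, sorted so the report is stable."""
    return sorted(h for h in resolved_hosts(lock) if h not in allowed)

def insecure_transports(lock):
    """Package paths whose tarball is fetched over plain http (no TLS)."""
    return sorted(p for p, e in lock.get("packages", {}).items()
                  if str(e.get("resolved", "")).startswith("http://"))

def dependency_count(lock):
    """Number of installed packages (the root "" entry is not a dependency)."""
    return sum(1 for p in lock.get("packages", {}) if p)

def count_spike(previous, current, ratio=1.5, minimum=10):
    """Flag a jump in dependency count; assumed policy: 50% growth and at least 10 added."""
    return current - previous >= minimum and current >= previous * ratio
```

Run on the sample, `unexpected_hosts` reports the internal registry and the bare IP, and `insecure_transports` singles out the package fetched over http.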

Source Verification Notes

Verified on 2026-06-17 against npm lockfile documentation and Claude Code hooks docs.

Duplicate Check

Distinct from package-vulnerability-scanner (multi-ecosystem audit runner) and lockfile-provenance-checker (provenance-focused checks).

Editorial Disclosure

Community hook by kiannidev grounded in npm lockfile docs and Claude Code hook patterns.


How it compares

Package Lock Risk Detector Hook for Claude Code side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Package Lock Risk Detector Hook for Claude Code

Description: PostToolUse hook that flags risky package-lock.json, yarn.lock, and pnpm-lock.yaml edits: missing lockfile updates, unexpected registry hosts, and dependency count spikes before merge.
Install risk: Review first
Notes: Safety, Privacy
Category: hooks
Source: source-backed
Author: kiannidev
Added: 2026-06-17
Platforms: Claude Code
Safety notes: Read-only advisory hook; it does not block writes unless you wrap it with strict exit handling. Does not substitute for npm audit, OSV scans, or CI dependency review.
Privacy notes: Lockfile paths and registry hostnames are printed locally to stderr for the active session.
Prerequisites:
  • jq available when reviewing npm package-lock.json resolved URLs.
  • Team policy for allowed npm registries and lockfile update requirements.
Install:
mkdir -p .claude/hooks && install -m 0755 .claude/hooks/package-lock-risk-detector.sh .claude/hooks/
Config:
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "./.claude/hooks/package-lock-risk-detector.sh"
          }
        ]
      }
    ]
  }
}
Citations: Unclaimed

Dependency Security Audit

Description: A Stop hook that runs npm audit, pip-audit, safety, or bundler-audit automatically at the end of every Claude Code session, detecting CVEs and outdated packages across Node.js, Python, and Ruby projects.
Install risk: Review first
Notes: Safety, Privacy
Category: hooks
Source: source-backed
Author: JSONbored
Added: 2025-09-19
Platforms: Claude Code
Safety notes: Runs automatically at session end and invokes local package-manager audit tools when dependency lockfiles are present. May contact package registries or vulnerability advisory services through npm, yarn, safety, pip, or bundler-audit. Writes a timestamped security-audit log in the current working directory.
Privacy notes: Reads dependency manifests and lockfiles to identify package managers and audit targets. The generated audit log may include package names, versions, vulnerability identifiers, and remediation output. External audit tools may send package metadata to their configured registries or advisory services.
Prerequisites: none listed
Install:
mkdir -p .claude/hooks && touch .claude/hooks/dependency-security-audit-on-stop.sh && chmod +x .claude/hooks/dependency-security-audit-on-stop.sh
Config:
{
  "hooks": {
    "stop": {
      "script": "./.claude/hooks/dependency-security-audit-on-stop.sh"
    }
  }
}
Citations: Unclaimed

Lockfile Provenance Checker - Claude Code Hook

Description: PostToolUse hook that inspects an edited npm package-lock.json for supply-chain provenance risk rather than known CVEs — dependencies resolved from outside the public npm registry (git, alternate-registry, or insecure transports) and registry tarballs missing an integrity hash.
Install risk: Review first
Notes: Safety, Privacy
Category: hooks
Source: source-backed
Author: techforgeworks
Added: 2026-06-04
Platforms: Claude Code
Safety notes: Runs after every Write, Edit, and MultiEdit and inspects only npm package-lock.json or npm-shrinkwrap.json content; for yarn.lock and pnpm-lock.yaml it prints a one-line reminder to run lockfile-lint. Read-only and advisory - it parses the lockfile JSON, never installs packages, runs npm, or makes a network call, and always exits 0. Uses the resolved-URL and integrity fields to flag provenance risk (sources outside the public registry, missing integrity); it does not assess known vulnerabilities, so pair it with an audit tool.
Privacy notes: Reads only the local lockfile from disk; it makes no network or registry calls. Prints dependency paths and their resolved URLs to local hook stderr; it writes no logs. Resolved URLs shown in output may include internal registry or git host names if your project depends on them.
Prerequisites:
  • Claude Code CLI with hooks enabled.
  • bash and jq on PATH; the hook fails open and stays silent when jq is missing.
Install:
mkdir -p .claude/hooks && touch .claude/hooks/lockfile-provenance-checker.sh && chmod +x .claude/hooks/lockfile-provenance-checker.sh
Config:
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/lockfile-provenance-checker.sh"
          }
        ]
      }
    ]
  }
}
Citations: Unclaimed

Dependency Security Scanner - Hooks

Description: Real-time vulnerability scanning for dependencies with automated CVE detection, severity assessment, and patch recommendations. This PostToolUse hook automatically triggers security scans when dependency manifest files (package.json, requirements.txt, Cargo.toml, go.mod, Gemfile, composer.json) are modified.
Install risk: Review first
Notes: Safety, Privacy
Category: hooks
Source: source-backed
Author: JSONbored
Added: 2025-10-19
Platforms: Claude Code
Safety notes: missing
Privacy notes: missing
Prerequisites: none listed
Install:
mkdir -p .claude/hooks && touch .claude/hooks/dependency-security-scanner.sh && chmod +x .claude/hooks/dependency-security-scanner.sh
Config:
{
  "hooks": {
    "postToolUse": {
      "script": "./.claude/hooks/dependency-security-scanner.sh",
      "matchers": [
        "write",
        "edit"
      ]
    }
  }
}
Citations: Unclaimed
