Is Locklens safe to use?

Locklens has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Locklens?

Locklens can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Locklens?

Locklens is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

Is Locklens actively maintained?

Locklens is actively maintained — last commit was 1 day ago. It has 18 GitHub stars.

Locklens

Name: Locklens
Author: BARMPlus

by BARMPlus

Audit npm, Yarn, and pnpm lockFiles as both an MCP server and a CLI tool.

18 0 tools GitHub

No known CVEs

MIT license

Actively maintained

Last commit 1d ago

Untested

Transport: stdio

0 tools

Grade F

Developer Tools Legal

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Untested on Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "locklens": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/locklens)](https://mcppedia.org/s/locklens)

Read me

What Locklens does

Audit npm, Yarn, and pnpm lockFiles as both an MCP server and a CLI tool.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

29/100across 5 weighted dimensions

How we score →

0255075100

−71

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Locklens safe to use?: Locklens has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Locklens?: Locklens can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Locklens?: Locklens is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.
Is Locklens actively maintained?: Locklens is actively maintained — last commit was 1 day ago. It has 18 GitHub stars.

Similar servers

Others in developer-tools / legal

View all →

Supabase MCP Server97

Manage Supabase projects — databases, auth, storage, and edge functions

2.6k 4

XcodeBuildMCP97

XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.

5.3k 1

XcodeBuildMCP96

A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

5.3k 2

Gemini Cli95

An open-source AI agent that brings the power of Gemini directly into your terminal.

102.1k 8

MCP Security Weekly

Get CVE alerts and security updates for Locklens and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Developer Tools Legal

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Untested on Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "locklens": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/locklens)](https://mcppedia.org/s/locklens)

Read me

What Locklens does

Audit npm, Yarn, and pnpm lockFiles as both an MCP server and a CLI tool.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

README

locklens

locklens 是一个基于 audit-ci 的 lockfile 审计工具，支持三种运行模式：

CLI / npx
MCP Server（stdio）
Skill

它可以审计本地项目目录或远程 Git 仓库，并支持 npm、yarn、pnpm 的 lockfile。

特性

支持本地项目目录与远程 Git 仓库审计
支持公开仓库与私有仓库审计
支持 package-lock.json、yarn.lock、pnpm-lock.yaml
仅基于仓库中已存在的 lockFile 进行审计，保证结果与真实依赖状态一致
支持中文、英文文本报告
支持显式切换为 JSON 输出

环境要求

Node >=18
(Optional) Yarn ^1.12.3 || Yarn >=2.4.0 && <4.0.0
(Optional) PNPM >=4.3.0
(Optional) Bun

安装与环境

本地仓库、线上仓库审计：

# 本地相对目录审计
npx -y locklens --source ./
# 本地绝对目录审计
npx -y locklens --source /path/to/project 
# Github 远程仓库审计
npx -y locklens --source https://github.com/BARMPlus/micro-app > audit.md
# Gitlab 远程仓库审计
npx -y locklens --output-format json --source https://gitlab.com/gitlab-org/gitlab-vscode-extension.git > audit.json

私有仓库审计：

# 对于 GitHub、GitLab、Gitee 的 HTTPS 地址，locklens 会先尝试通过 ssh -T 判断本机 SSH Key 是否可用于该 Git 服务器；
# 如果可用，会自动切换为 SSH 方式执行。其他私有 Git 服务器仍建议直接依赖本机已有权限的 SSH Key。
npx -y locklens --source https://git.company.local/group/repo.git
# 适合 CI 场景，仅支持 私有部署的 GitLab 服务器应用审计，设置 Personal access tokens 权限访问该仓库
LOCKLENS_GITLAB_PRIVATE_TOKEN=your-token npx -y locklens --source https://git.company.local/group/repo.git

CLI 使用方法

常见示例

输出英文文本报告：

npx -y locklens --source /path/to/project --output-format-language en

输出 JSON：

npx -y locklens --source /path/to/project --output-format json

指定阈值为高危：

npx -y locklens --source /path/to/project --threshold high

跳过 devDependencies：

npx -y locklens --source /path/to/project --skip-dev

CLI 参数

参数	说明
`--source <value>`	必填。本地目录路径或远程 Git 仓库地址
`--threshold <value>`	漏洞过滤阈值，可选：`low`、`moderate`、`high`、`critical`，默认：`low`
`--registry <url>`	自定义 npm registry，默认：`https://registry.npmjs.org/`
`--skip-dev`	跳过 dev dependencies
`--retry-count <number>`	审计执行重试次数
`--output-format <value>`	输出格式，可选：`json`、`text`，默认：`text`
`--output-format-language <value>`	文本报告语言，可选：`zh`、`en`，默认：`zh`
`--help` / `-h`	显示帮助
`--version` / `-v`	显示版本号

MCP 使用方法

locklens 支持通过 stdio 方式作为 MCP Server 接入，通过将以下配置添加到mcp服务器配置中。

Windows 平台：

{
  "mcpServers": {
    "locklens": {
      "command": "cmd",
      "args": ["/c", "npx", "--yes", "locklens"]
    }
  }
}

其他平台：

{
  "mcpServers": {
    "locklens": {
      "command": "npx",
      "args": ["--yes", "locklens"]
    }
  }
}

Tools

`package_audit`

审计指定项目目录或远程 Git 仓库的 lockfile，并返回统一格式的漏洞结果。

参数：

source
- 必填。本地目录绝对路径，或远程 Git 仓库地址
threshold
- 漏洞过滤阈值，可选：low、moderate、high、critical；默认：low
registry
- 自定义 npm registry 地址；默认：https://registry.npmjs.org/
skipDev
- 是否跳过 dev dependencies
retryCount
- 审计执行重试次数
outputFormat
- 输出格式，可选：text、json；默认：text
outputFormatLanguage
- 文本报告语言，可选：zh、en；默认：zh

Skill

如果你的客户端支持 Skill，也可以直接使用 dependency-audit，不需要先接入 MCP。

当前仓库内的 Skill 目录位于：

dependency-audit/

默认会带上 --skip-dev，优先只带出线上风险；如果你希望带出开发和线上所有依赖风险，可以明确说明取消 --skip-dev。

示例：

1. 使用 dependency-audit 审计当前项目的依赖问题
2. https://github.com/BARMPlus/micro-app 审计这个项目的依赖，告知我开发和线上所有的依赖问题
3. 输出 https://github.com/BARMPlus/micro-app 这个项目严重的依赖问题

License

locklens is released under the MIT License

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

29/100across 5 weighted dimensions

How we score →

0255075100

−71

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Locklens safe to use?: Locklens has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Locklens?: Locklens can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Locklens?: Locklens is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.
Is Locklens actively maintained?: Locklens is actively maintained — last commit was 1 day ago. It has 18 GitHub stars.