shrinkwrap

Rendered from docs/alerts/shrinkwrap.md

Flags packages that ship a shrinkwrap/lockfile that can constrain or override dependency resolution.

Implemented in: src/lib/detection/plugins/shrinkwrap.ts
Enabled by default: no (available plugin; enable in the detection service/plugin set)

What it means

The package includes an npm-shrinkwrap.json (or similar) file.

Why it matters

Shipping lockfiles inside published packages is uncommon. Unlike package-lock.json, which npm leaves out of the published tarball, an npm-shrinkwrap.json is published with the package and honored when the package is installed as a dependency, so the publisher's pinned tree overrides the consumer's own resolution. This can be used to:

  • pull in unexpected transitive dependencies
  • reduce transparency of dependency changes

What to do

  • Inspect the shrinkwrap for unexpected dependency sources.
  • Prefer packages that do not ship lockfiles unless there is a strong reason.
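The inspection step above, as an added example that is not the plugin in src/lib/detection/plugins/shrinkwrap.ts: it walks the "packages" map of a lockfileVersion 2/3 npm-shrinkwrap.json and reports entries whose source is not the expected registry (other hosts, git or file sources, missing resolved URL or integrity hash). The registry URL, the sample lockfile and its hashes are constructed placeholders.

```typescript
// Added example (not the project's own plugin). Audits an npm-shrinkwrap.json for
// dependency sources a consumer would not expect. Assumes the lockfileVersion 2/3
// layout: a top-level "packages" map keyed by install path, each entry carrying
// "version", "resolved" (download URL) and "integrity".
interface LockEntry { version?: string; resolved?: string; integrity?: string; }
interface Shrinkwrap { lockfileVersion?: number; packages?: { [path: string]: LockEntry }; }
interface Finding { path: string; reason: string; }

// Assumption: the only registry the consumer intends to install from.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Returns a reason to flag the entry, or null when it is an ordinary registry install.
function classifyEntry(entry: LockEntry, trustedRegistry: string): string | null {
  const resolved = entry.resolved;
  if (!resolved) return "no resolved URL: source of the package cannot be verified";
  if (/^(git\+|git:|github:)/.test(resolved)) return "git source: " + resolved;
  if (!/^https?:\/\//.test(resolved)) return "non-registry source: " + resolved;
  if (resolved.indexOf(trustedRegistry) !== 0) return "resolved from unexpected host: " + resolved;
  if (!entry.integrity) return "registry tarball without integrity hash";
  return null;
}

function auditShrinkwrap(json: string, trustedRegistry: string = TRUSTED_REGISTRY): Finding[] {
  const lock = JSON.parse(json) as Shrinkwrap;
  const pkgs = lock.packages || {};
  const findings: Finding[] = [];
  for (const path in pkgs) {
    if (path === "") continue; // "" is the root package itself, not a dependency
    const reason = classifyEntry(pkgs[path], trustedRegistry);
    if (reason !== null) findings.push({ path: path, reason: reason });
  }
  return findings;
}

// Constructed sample: one ordinary registry entry, one tarball from another host and
// one git dependency. Hosts, commit and hashes are placeholders, not real packages.
const SAMPLE_SHRINKWRAP = JSON.stringify({
  name: "example-pkg", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "example-pkg", version: "1.0.0" },
    "node_modules/alpha": { version: "2.1.0",
      resolved: "https://registry.npmjs.org/alpha/-/alpha-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/beta": { version: "0.3.0",
      resolved: "https://mirror.example.invalid/beta-0.3.0.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/gamma": { version: "1.0.0",
      resolved: "git+ssh://git@github.com/example-org/gamma.git#0123abcd" }
  }
});
```

Passing a different trustedRegistry (for example a private mirror) re-scopes the "unexpected host" check without changing the git and integrity checks.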

Common fields

  • filePath: typically npm-shrinkwrap.json