Locklens

v1.0.0 · Developer Tools · stable

Audit npm, Yarn, and pnpm lockfiles as both an MCP server and a CLI tool.

Tags: audit, frontend, mcp, npm, pnpm

Stars: 47 · Downloads: 0 · Weekly: 0 · Rating: 0/5

What is Locklens?

Locklens is a Model Context Protocol (MCP) server, and also a standalone CLI, that lets AI assistants such as Claude, Cursor, and VS Code audit npm, Yarn, and pnpm lockfiles for vulnerable dependencies.


This server falls under the Developer Tools category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Audit npm, Yarn, and pnpm lockfiles as both an MCP server and a CLI tool

Use Cases

  • Audit npm, Yarn, and pnpm lock files for vulnerabilities
  • Check dependency security as an MCP server or a CLI tool

Maintainer: BARMPlus
License: MIT
Language: TypeScript
Version: v1.0.0
Updated: May 19, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI · Windows, macOS, Linux

Installation

Manual Installation

npx locklens

Configuration

Config file: claude_desktop_config.json

Performance

Response time: < 200ms
Throughput: Medium
Memory usage: Low
CPU usage: Low

How to Set Up and Use Locklens

Locklens is a dual-mode security auditing tool that works both as an MCP server and a standalone CLI, purpose-built for auditing npm, Yarn, and pnpm lock files in JavaScript and TypeScript projects. It parses lockfiles from local directories or remote Git repositories (GitHub and GitLab) and returns standardized vulnerability reports, making it easy for AI assistants to identify insecure dependencies during code review or CI preparation. The single MCP tool it exposes, 'package_audit', accepts flexible parameters for severity thresholds, registry overrides, and output format.
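To make the pipeline described above concrete, here is an added example (not Locklens's own code, whose parser and report format are not shown on this page) of the core of a lockfile audit: parse a package-lock.json (lockfileVersion 2 or 3), join each locked package against an advisory list, and filter by a severity threshold and a skip-dev switch, the equivalents of --threshold and --skip-dev. The lockfile, the advisories and their "patchedIn" semantics are constructed sample data, not a real project and not real vulnerabilities.

```typescript
// Added example, not Locklens code. Lockfile and advisories are constructed.

type Severity = "low" | "moderate" | "high" | "critical";
const SEVERITY_RANK: Record<Severity, number> = { low: 0, moderate: 1, high: 2, critical: 3 };

interface LockedPackage { name: string; version: string; dev: boolean; }
interface Advisory { id: string; name: string; severity: Severity; patchedIn: string; }
interface Finding extends LockedPackage { advisory: string; severity: Severity; }

// The fields of a "packages" entry that the parser uses.
interface LockEntry { name?: string; version?: string; dev?: boolean; link?: boolean; }

// Constructed sample lockfile. In v2/v3 lockfiles "packages" is keyed by the
// install path; "" is the project itself and dev-only installs carry dev: true.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "sample-app", version: "1.0.0",
          dependencies: { "demo-pkg": "^1.2.0" },
          devDependencies: { "demo-test-util": "^4.0.0" } },
    "node_modules/demo-pkg": { version: "1.2.3" },
    "node_modules/demo-test-util": { version: "4.0.1", dev: true },
    // A nested, dev-only copy of demo-pkg at an older version.
    "node_modules/demo-test-util/node_modules/demo-pkg": { version: "0.9.0", dev: true },
  },
});

// Constructed advisories: "patchedIn" is the first fixed version, so every
// lower version is affected. The ids are sample labels, not real identifiers.
const SAMPLE_ADVISORIES: Advisory[] = [
  { id: "SAMPLE-A", name: "demo-pkg", severity: "high", patchedIn: "1.2.4" },
  { id: "SAMPLE-B", name: "demo-test-util", severity: "moderate", patchedIn: "4.1.0" },
];

function parsePackageLock(json: string): LockedPackage[] {
  const lock = JSON.parse(json) as { lockfileVersion?: number; packages?: Record<string, LockEntry> };
  if (lock.lockfileVersion !== 2 && lock.lockfileVersion !== 3) {
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}`);
  }
  const out: LockedPackage[] = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || entry.link || !entry.version) continue; // root project, workspace links
    // The name is everything after the last "node_modules/", which handles
    // nested installs and scoped packages (@scope/name) alike.
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;
    const name = entry.name ?? path.slice(idx + "node_modules/".length);
    out.push({ name, version: entry.version, dev: entry.dev === true });
  }
  return out;
}

// Numeric major.minor.patch comparison. Pre-release tags are ignored, which
// is a simplification of full semver ordering.
function compareVersions(a: string, b: string): number {
  const parse = (v: string) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

function audit(packages: LockedPackage[], advisories: Advisory[],
               opts: { threshold: Severity; skipDev: boolean }): Finding[] {
  const minRank = SEVERITY_RANK[opts.threshold];
  const findings: Finding[] = [];
  for (const pkg of packages) {
    if (opts.skipDev && pkg.dev) continue;                               // --skip-dev
    for (const adv of advisories) {
      if (adv.name !== pkg.name) continue;
      if (compareVersions(pkg.version, adv.patchedIn) >= 0) continue;    // already fixed
      if (SEVERITY_RANK[adv.severity] < minRank) continue;               // below --threshold
      findings.push({ ...pkg, advisory: adv.id, severity: adv.severity });
    }
  }
  return findings;
}

// Stand-alone run: the full report, then the "--threshold high --skip-dev" view.
const locked = parsePackageLock(SAMPLE_LOCKFILE);
console.log(JSON.stringify(audit(locked, SAMPLE_ADVISORIES, { threshold: "low", skipDev: false }), null, 2));
console.log(JSON.stringify(audit(locked, SAMPLE_ADVISORIES, { threshold: "high", skipDev: true }), null, 2));
```

Two points the example makes visible: a nested, dev-only copy of a package is a separate install with its own version and is reported separately, so --skip-dev can hide a vulnerable copy that only tooling pulls in; and the threshold is applied per advisory, not per package. yarn.lock and pnpm-lock.yaml need their own parsers (yarn v1 is a custom text format, pnpm is YAML) but feed the same join step.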

Prerequisites

  • Node.js 18 or later with npx available
  • An MCP-compatible client such as Claude Desktop or Cursor
  • A JavaScript/TypeScript project with a package-lock.json, yarn.lock, or pnpm-lock.yaml
  • A GitLab private token (LOCKLENS_GITLAB_PRIVATE_TOKEN) if auditing private GitLab repositories
1. Test Locklens as a CLI tool

Before adding it as an MCP server, verify Locklens works against your project's lockfile using the CLI. This confirms Node.js and npx are set up correctly.

npx -y locklens --source /path/to/your/project --output-format-language en
2. Review the audit output

The CLI will print a vulnerability report for all packages in your lockfile. Use --threshold high to focus on high and critical severity issues, or --skip-dev to exclude development dependencies.

npx -y locklens --source /path/to/your/project --threshold high --skip-dev
3. Add Locklens to your MCP client configuration

Edit your claude_desktop_config.json to register Locklens as an MCP server. On Windows, wrap the command in cmd /c (see Troubleshooting).

{
  "mcpServers": {
    "locklens": {
      "command": "npx",
      "args": ["--yes", "locklens"]
    }
  }
}
4. Restart your MCP client

Fully quit and reopen your MCP client so it registers the Locklens server. The package_audit tool will be available in new conversations.

5. Audit a project through Claude

Ask Claude to audit your project's lockfile. You can specify a local path or a remote GitHub/GitLab repository URL.

Locklens Examples

Client configuration

Add this to claude_desktop_config.json to register Locklens as an MCP server. On Windows, use the cmd wrapper variant described under Troubleshooting.

{
  "mcpServers": {
    "locklens": {
      "command": "npx",
      "args": ["--yes", "locklens"]
    }
  }
}

Prompts to try

After registering Locklens as an MCP server, use these prompts in Claude to audit lock files.

- "Audit the lockfile in /Users/me/projects/my-app and show all vulnerabilities"
- "Check https://github.com/myorg/myrepo for dependency vulnerabilities, high severity only"
- "Are there any critical vulnerabilities in my pnpm-lock.yaml? Skip dev dependencies."
- "Audit this GitLab repo for security issues: https://gitlab.com/mygroup/myproject"
- "Show me the lockfile audit results in JSON format for /path/to/project"

Troubleshooting Locklens

Private GitLab repository returns authentication error

Set the LOCKLENS_GITLAB_PRIVATE_TOKEN environment variable to your GitLab personal access token. Either export it in your shell before running, or add it to the env block in your MCP config: {"LOCKLENS_GITLAB_PRIVATE_TOKEN": "your-token"}. The config file stores the token in plaintext, so use a token with only the read scope needed to fetch the repository, keep the file out of version control, and rotate the token if the file is ever shared.

No lockfile found — audit returns empty results

Ensure the --source path points to the directory containing your lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml), not to the lockfile itself. Run 'ls /your/project/' to verify the file exists.

On Windows, npx command fails in MCP client

Use the cmd wrapper in your MCP config: set command to 'cmd' and args to ["/c", "npx", "--yes", "locklens"]. This is needed on Windows because npx is installed as the batch script npx.cmd, and MCP clients spawn the command without a shell, so the batch file will not run unless cmd launches it.
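The two fixes above combined, as an added example rather than a config taken from the Locklens documentation: a claude_desktop_config.json entry that uses the Windows cmd wrapper and passes the GitLab token through the env block. The token value is a placeholder to be replaced with your own.

```json
{
  "mcpServers": {
    "locklens": {
      "command": "cmd",
      "args": ["/c", "npx", "--yes", "locklens"],
      "env": {
        "LOCKLENS_GITLAB_PRIVATE_TOKEN": "glpat-REPLACE-WITH-YOUR-TOKEN"
      }
    }
  }
}
```

On macOS and Linux keep "command": "npx" with "args": ["--yes", "locklens"] and add the same env block.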

Frequently Asked Questions about Locklens

What is Locklens?

Locklens is a Model Context Protocol (MCP) server, usable as a CLI tool as well, that audits npm, Yarn, and pnpm lockfiles for vulnerable dependencies. MCP is the standardized interface through which AI assistants connect to external tools and data sources.

How do I install Locklens?

No clone or build is needed: run it with npx (npx -y locklens) or register that same npx command as an MCP server in your AI client's config, as shown in the Installation and Configuration sections above.

Which AI clients work with Locklens?

Locklens works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Locklens free to use?

Yes, Locklens is open source and available under the MIT license. You can use it freely in both personal and commercial projects.


Quick Config Preview

{
  "mcpServers": {
    "locklens": {
      "command": "npx",
      "args": ["-y", "locklens"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
