Locklens
Audit npm, Yarn, and pnpm lockfiles as both an MCP server and a CLI tool.
What is Locklens?
Locklens is a Model Context Protocol (MCP) server that lets AI assistants such as Claude, Cursor, and VS Code audit npm, Yarn, and pnpm lockfiles for vulnerable dependencies; the same package also runs as a standalone CLI tool.
This server falls under the Developer Tools category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Audit npm, Yarn, and pnpm lockfiles as both an MCP server and a CLI tool.
Installation
Manual Installation
npx locklens
How to Set Up and Use Locklens
Locklens is a dual-mode security auditing tool that works both as an MCP server and a standalone CLI, purpose-built for auditing npm, Yarn, and pnpm lock files in JavaScript and TypeScript projects. It parses lockfiles from local directories or remote Git repositories (GitHub and GitLab) and returns standardized vulnerability reports, making it easy for AI assistants to identify insecure dependencies during code review or CI preparation. The single MCP tool it exposes, 'package_audit', accepts flexible parameters for severity thresholds, registry overrides, and output format.
Prerequisites
- Node.js 18 or later with npx available
- An MCP-compatible client such as Claude Desktop or Cursor
- A JavaScript/TypeScript project with a package-lock.json, yarn.lock, or pnpm-lock.yaml
- A GitLab private token (LOCKLENS_GITLAB_PRIVATE_TOKEN) if auditing private GitLab repositories
Test Locklens as a CLI tool
Before adding it as an MCP server, verify Locklens works against your project's lockfile using the CLI. This confirms Node.js and npx are set up correctly.
npx -y locklens --source /path/to/your/project --output-format-language en
Review the audit output
The CLI will print a vulnerability report for all packages in your lockfile. Use --threshold high to focus on high and critical severity issues, or --skip-dev to exclude development dependencies.
npx -y locklens --source /path/to/your/project --threshold high --skip-dev
Add Locklens to your MCP client configuration
Edit your claude_desktop_config.json to register Locklens as an MCP server. On Windows, use the cmd wrapper described in the Troubleshooting section.
{
  "mcpServers": {
    "locklens": {
      "command": "npx",
      "args": ["--yes", "locklens"]
    }
  }
}
Restart your MCP client
Fully quit and reopen your MCP client so it registers the Locklens server. The package_audit tool will be available in new conversations.
Audit a project through Claude
Ask Claude to audit your project's lockfile. You can specify a local path or a remote GitHub/GitLab repository URL.
Locklens Examples
Prompts to try
After registering Locklens as an MCP server, use these prompts in Claude to audit lock files.
- "Audit the lockfile in /Users/me/projects/my-app and show all vulnerabilities"
- "Check https://github.com/myorg/myrepo for dependency vulnerabilities, high severity only"
- "Are there any critical vulnerabilities in my pnpm-lock.yaml? Skip dev dependencies."
- "Audit this GitLab repo for security issues: https://gitlab.com/mygroup/myproject"
- "Show me the lockfile audit results in JSON format for /path/to/project"
Troubleshooting Locklens
Private GitLab repository returns authentication error
Set the LOCKLENS_GITLAB_PRIVATE_TOKEN environment variable with your GitLab personal access token. Either export it in your shell before running, or add it to the env block in your MCP config: {"LOCKLENS_GITLAB_PRIVATE_TOKEN": "your-token"}.
No lockfile found — audit returns empty results
Ensure the --source path points to the directory containing your lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml), not to the lockfile itself. Run 'ls /your/project/' to verify the file exists.
On Windows, npx command fails in MCP client
Use the cmd wrapper in your MCP config: set command to 'cmd' and args to ["/c", "npx", "--yes", "locklens"]. This is required on Windows because MCP clients can't launch .cmd scripts directly.
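The first and third fixes above combined into one complete claude_desktop_config.json, as an added example (not a file shipped by the Locklens project): the Windows cmd wrapper together with an env block carrying the GitLab token. The token value is a placeholder to be replaced with your own personal access token.

```json
{
  "mcpServers": {
    "locklens": {
      "command": "cmd",
      "args": ["/c", "npx", "--yes", "locklens"],
      "env": {
        "LOCKLENS_GITLAB_PRIVATE_TOKEN": "<your-gitlab-personal-access-token>"
      }
    }
  }
}
```

On macOS or Linux keep "command": "npx" and "args": ["--yes", "locklens"] from the earlier configuration and add the same env block.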
Frequently Asked Questions about Locklens
What is Locklens?
Locklens is a Model Context Protocol (MCP) server that audits npm, Yarn, and pnpm lockfiles and also runs as a CLI tool. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Locklens?
Follow the installation instructions on the Locklens GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Locklens?
Locklens works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Locklens free to use?
Yes, Locklens is open source and available under the MIT license. You can use it freely in both personal and commercial projects.