Review dependency drift before it reaches main.
Difflock turns package lock changes into a compact risk ledger your pull request can actually discuss.
curl -fsSL difflock.dev/install | shBuilt for review, not reports.
Difflock stays small: one CLI, one GitHub check, one readable artifact. It does not replace scanners. It explains why a lockfile changed and what a maintainer should inspect.
Difflock made dependency bumps reviewable by people who do not live inside the package manager.
Rhea Singh, maintainer of Tableplane
A three-step review artifact.
Select a step to see the exact output Difflock adds to your pull request.
Free core. Boring funding.
The project is open source and local-first. Sponsorship funds package ecosystem adapters, release signing, and maintainer support windows.
Community
Use Difflock in public or private repositories with no hosted account.
- CLI and GitHub Action
- SBOM export
- npm, pnpm, Go, Cargo
Maintainer sponsor
Support the roadmap and get early adapter builds.
- Signed nightly binaries
- Private roadmap notes
- Priority ecosystem requests
Put a readable lockfile ledger in your next PR.
Start with the CLI locally, then add the same command to CI when the team trusts the output.