Open source lockfile review for maintainers

Review dependency drift before it reaches main.

Difflock turns package lock changes into a compact risk ledger your pull request can actually discuss.

$curl -fsSL difflock.dev/install | sh
Apache-2.0 license4.8k starsnpm, Go, Rust lockfiles
ledgerfox/api-gatewaypull request #418 - lockfile drift

Built for review, not reports.

Difflock stays small: one CLI, one GitHub check, one readable artifact. It does not replace scanners. It explains why a lockfile changed and what a maintainer should inspect.

31smedian scan on public CI
0hosted services required
12klockfile changes reviewed

Difflock made dependency bumps reviewable by people who do not live inside the package manager.

Rhea Singh, maintainer of Tableplane

A three-step review artifact.

Select a step to see the exact output Difflock adds to your pull request.

Free core. Boring funding.

The project is open source and local-first. Sponsorship funds package ecosystem adapters, release signing, and maintainer support windows.

Community

$0

Use Difflock in public or private repositories with no hosted account.

  • CLI and GitHub Action
  • SBOM export
  • npm, pnpm, Go, Cargo

Maintainer sponsor

$12/mo

Support the roadmap and get early adapter builds.

  • Signed nightly binaries
  • Private roadmap notes
  • Priority ecosystem requests

Put a readable lockfile ledger in your next PR.

Start with the CLI locally, then add the same command to CI when the team trusts the output.

Try the scan