You open a pull request. It touches package-lock.json. GitHub shows you 4,000 lines of churned resolved URLs and integrity hashes. You scroll, your eyes glaze, you click Approve.

That habit is exactly how malicious packages get in. Nearly every recent npm supply-chain incident entered the same way: a new package, often a transitive one, landed in someone's lockfile and nobody looked. Nobody looked because the lockfile diff is effectively unreadable: the file is written for npm to consume, not for a reviewer to read.

Before merging, I want the answer to one question: what actually changed in my dependency tree? Not four thousand lines of hashes, just what's new, what's gone, and what jumped a major version.

So I built locksift. Zero dependencies, no account, no network.
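To make that question concrete, here is the core of such a diff in plain Node.js. It is an added example written for this page, not locksift's own code. It assumes the lockfileVersion 2/3 layout (a `packages` map keyed by install path) and flattens the older v1 `dependencies` tree to the same shape; the two sample lockfiles, their package names and their hashes are constructed, not real releases. It also goes one step beyond the three categories above: an entry whose version string is unchanged but whose `integrity` hash or `resolved` host differs is reported separately, because nothing "upgraded", yet the bytes npm will install are not the ones that were reviewed last time.

```javascript
// Added example, not locksift's own code: reduce a package-lock.json diff to
// what a reviewer needs (new, gone, major bump, same-version-but-different-bytes).
// Assumes lockfileVersion 2/3 ("packages" keyed by install path); a v1
// "dependencies" tree is flattened to the same shape.

// Flatten either format into Map<installPath, {name, version, resolved, integrity}>.
// Keying by install path (not name) keeps nested duplicate copies distinct.
function flattenLock(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry is not a dependency
      // "name" is only present for aliased packages; otherwise derive it from the path.
      const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      out.set(path, { name, version: meta.version, resolved: meta.resolved, integrity: meta.integrity });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.set(path, { name, version: meta.version, resolved: meta.resolved, integrity: meta.integrity });
      walk(meta.dependencies, `${path}/`); // v1 nests a package's own non-hoisted deps under it
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Leading major component: "7.6.0" -> 7, "2.0.0-rc.1" -> 2. Non-semver specs
// (git URLs, file: paths) give NaN; since NaN !== NaN they always count as a
// major change below, which puts a human's eyes on them.
function major(version) {
  const m = /^(\d+)\./.exec(String(version || ''));
  return m ? Number(m[1]) : NaN;
}

// Host part of a resolved URL, so a registry switch shows up even when the
// version string is identical. Falls back to the raw string for non-URL specs.
function host(resolved) {
  if (!resolved) return undefined;
  try { return new URL(resolved).host; } catch { return String(resolved); }
}

function diffLockfiles(before, after) {
  const a = flattenLock(before);
  const b = flattenLock(after);
  const report = { added: [], removed: [], majorBumps: [], otherBumps: [], suspicious: [] };
  for (const [path, cur] of b) {
    const old = a.get(path);
    if (!old) {
      report.added.push({ path, name: cur.name, version: cur.version });
    } else if (old.version !== cur.version) {
      const entry = { path, name: cur.name, from: old.version, to: cur.version };
      (major(old.version) !== major(cur.version) ? report.majorBumps : report.otherBumps).push(entry);
    } else if (old.integrity !== cur.integrity || host(old.resolved) !== host(cur.resolved)) {
      // Same version, different tarball hash or registry host: there is no "upgrade"
      // to review, yet the bytes npm will install are not the ones reviewed last time.
      report.suspicious.push({ path, name: cur.name, version: cur.version,
        integrity: [old.integrity, cur.integrity], host: [host(old.resolved), host(cur.resolved)] });
    }
  }
  for (const [path, old] of a) {
    if (!b.has(path)) report.removed.push({ path, name: old.name, version: old.version });
  }
  return report;
}

// The short summary that belongs in the PR instead of 4,000 lines of hashes.
function formatReport(r) {
  return [
    ...r.added.map(p => `+ ${p.name}@${p.version}  (${p.path})`),
    ...r.removed.map(p => `- ${p.name}@${p.version}  (${p.path})`),
    ...r.majorBumps.map(p => `! ${p.name} ${p.from} -> ${p.to}  MAJOR`),
    ...r.otherBumps.map(p => `~ ${p.name} ${p.from} -> ${p.to}`),
    ...r.suspicious.map(p => `? ${p.name}@${p.version} same version, changed integrity/host: ${p.integrity.join(' -> ')}`),
  ].join('\n');
}

// Constructed sample lockfiles (v3 layout); names and hashes are illustrative, not real releases.
const REG = 'https://registry.npmjs.org';
const SAMPLE_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/left-pad': { version: '1.3.0', resolved: `${REG}/left-pad/-/left-pad-1.3.0.tgz`, integrity: 'sha512-AAAA' },
  'node_modules/semver':   { version: '6.3.1', resolved: `${REG}/semver/-/semver-6.3.1.tgz`, integrity: 'sha512-BBBB' },
  'node_modules/debug':    { version: '4.3.4', resolved: `${REG}/debug/-/debug-4.3.4.tgz`, integrity: 'sha512-CCCC' },
  'node_modules/ms':       { version: '2.1.2', resolved: `${REG}/ms/-/ms-2.1.2.tgz`, integrity: 'sha512-DDDD' },
} };
const SAMPLE_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/semver':   { version: '7.6.0', resolved: `${REG}/semver/-/semver-7.6.0.tgz`, integrity: 'sha512-FFFF' },
  'node_modules/debug':    { version: '4.3.5', resolved: `${REG}/debug/-/debug-4.3.5.tgz`, integrity: 'sha512-GGGG' },
  'node_modules/ms':       { version: '2.1.2', resolved: `${REG}/ms/-/ms-2.1.2.tgz`, integrity: 'sha512-EEEE' },
  'node_modules/new-transitive-dep': { version: '0.1.0', resolved: `${REG}/new-transitive-dep/-/new-transitive-dep-0.1.0.tgz`, integrity: 'sha512-HHHH' },
} };

console.log(formatReport(diffLockfiles(SAMPLE_BEFORE, SAMPLE_AFTER)));
```

Run it with `node` and the 4,000-line diff collapses to five lines: one added package, one removed, one major bump, one patch bump, and one entry (`ms`) whose version did not move but whose integrity hash did. Comparing by install path rather than by name is deliberate: npm can install the same package at several nested paths, and a new copy appearing under a different parent is exactly the "transitive package nobody looked at" that the post is about.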

What it does