package.json Validator

How to use

1. 1Paste your package.json into the input on the left, or pick a sample (Minimal valid, Library, Broken, App, Syntax error) to load one.
2. 2Read the status pill at the top right (Valid, Publishable with warnings, or Invalid) and the summary card (name, version, scope, package type, install command).
3. 3Scan the Issues list. Each row shows the message, the JSON path that triggered it, and a hint on how to fix it. Use the Errors, Warnings, and Info tabs to focus.
4. 4Use Reformat (2 spaces) to re-emit the parsed JSON with canonical indentation, or Copy input to grab the current contents.
5. 5Fix the issues in your editor and paste again. Re-run until the status pill turns green.

About this tool

package.json Validator lints a full npm manifest in the browser. Paste the file and the tool runs three layers of checks. First it parses the JSON and pinpoints any syntax error with line, column, and a snippet of the surrounding lines so the typo is obvious. Second it walks every recognized field using the same rules npm uses at publish time and the conventions documented in the official package.json docs, the Node.js modules docs, and the SPDX License List. Required fields (name, version) are enforced. The name is checked against the npm naming rules (length, lowercase, allowed characters, scope shape, Node builtin shadowing, npm blacklist, and Windows reserved names). The version must be a strict semver (MAJOR.MINOR.PATCH with optional prerelease and build metadata). The license string is parsed as a SPDX identifier or expression, with deprecation hints for the old non-SPDX values like "MIT/X11" or bare "BSD". Dependency blocks (dependencies, devDependencies, peerDependencies, optionalDependencies) are checked for valid ranges, and duplicate dependencies across blocks are surfaced. The engines block accepts only string ranges. The exports map is walked recursively and flags the common pitfall of mixing subpath keys (starting with ".") and condition keys ("import", "require", "types") at the same level. The imports map enforces the "#" prefix. The bin field accepts both a string and an object map and reports broken shapes. The type field is restricted to "module" or "commonjs". The packageManager field is checked against the corepack name@semver shape. The repository, homepage, bugs, author, and contributors fields all have shape checks. Third it surfaces best-practice nudges as info-level issues (missing description, missing repository, missing license on a public package, unknown top-level fields). Every issue carries a severity (error blocks publish, warning is fixable, info is a nudge) and the JSON path that triggered it so finding the bad field is one Ctrl+F away. A summary panel shows the parsed name, version, scope, package type, whether the package is private, and a copy-ready install command when the file would publish cleanly. Five samples (minimal valid, full ESM library, broken with many issues, private app, syntax error) make it easy to see what each rule looks like. Useful for fixing an inherited package.json before a release, scaffolding a new workspace package, reviewing a pull request that touches the manifest, debugging a failed npm publish, or porting a manifest from another registry. Everything runs locally in your browser. The package.json contents and internal URLs you paste never leave your device.

Free to use. Works in your browser. No signup, no login.