Using your own, private NPM registry, but stumble upon references to the public registry in your package-lock.json on a daily basis? Set the following up as a pre-push hook.

{
  // ...

  "scripts": {
    // ...
    "check-registry": "! grep \"registry.npmjs.org\" package-lock.json"
  },

  // ...
}