Do you use lockfiles for your project? did you consider them to be a security issue?

Liran Tal ・ 1 min read

The whole debate around whether you should use a lockfile or not for a project is something that's been going on for a while.

However, assuming that you are using lockfiles, did you consider the security concerns related to lockfiles?

I wrote about how it is possible for someone to inject malicious packages into your lockfile as a contribution to the project, without you noticing it, and I wonder what you think about this vector.

P.S. I also wrote a tool called lockfile-lint to help combat this. Do you find this helpful?

It looks like this: [image: npm lockfile]
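A defender-side check along the lines of what the post describes, as an added example (this is not lockfile-lint's own code): it walks a package-lock.json and flags entries whose resolved URL is not HTTPS, points at a host outside an allowlist, or lacks an integrity hash. The sample lockfile and the allowed host list are constructed for the example.

```javascript
// Registry hosts a reviewer trusts; constructed for this example.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

// Yield [name, metadata] for every dependency entry. lockfileVersion 2/3
// store a flat "packages" map (which also mirrors v1 data, so we use only
// that when present); lockfileVersion 1 nests under "dependencies".
function* entries(lock) {
  if (lock.packages) {
    yield* Object.entries(lock.packages);
    return;
  }
  const walk = function* (deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      yield [name, meta];
      yield* walk(meta.dependencies);
    }
  };
  yield* walk(lock.dependencies);
}

// Return a list of human-readable findings; an empty list means the
// lockfile only resolves to allowed hosts over HTTPS with integrity hashes.
function auditLockfile(lock) {
  const findings = [];
  for (const [name, meta] of entries(lock)) {
    if (!meta.resolved) continue; // root entry, bundled or link: entries carry no URL
    let u;
    try {
      u = new URL(meta.resolved);
    } catch {
      findings.push(`${name}: unparseable resolved URL ${meta.resolved}`);
      continue;
    }
    if (u.protocol !== "https:") findings.push(`${name}: non-HTTPS resolved URL ${meta.resolved}`);
    if (!ALLOWED_HOSTS.has(u.hostname)) findings.push(`${name}: untrusted host ${u.hostname}`);
    if (!meta.integrity) findings.push(`${name}: missing integrity hash`);
  }
  return findings;
}

// Constructed sample: one clean entry, one whose resolved URL was redirected
// to a non-registry host in a "dependency bump" PR, one fetched over HTTP
// without an integrity hash.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo" },
    "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", integrity: "sha512-constructed" },
    "node_modules/lodash": { resolved: "https://evil.example/lodash-4.17.21.tgz", integrity: "sha512-constructed" },
    "node_modules/ms": { resolved: "http://registry.npmjs.org/ms/-/ms-2.1.2.tgz" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Running this in CI alongside the diff review turns a silently edited `resolved` URL into a failing check rather than something a reviewer has to spot by eye in a multi-thousand-line lockfile.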

Discussion

DevRCRun

Excellent! I'd like to see it in the Snyk PR checks in future if it isn't already.

Liran Tal (Author)

Thanks! :)
Probably not going to get there, but it's a great little tool you can add in your build pipeline, and there's a GitHub Action out of the box and a Docker image for it too. Easy peasy to integrate :)