The whole debate around whether you should use a lockfile or not for a project is something that's been going on for a while.
However, assuming that you are using lockfiles: did you consider the security concerns related to lockfiles?
I wrote about how it is possible for someone to inject malicious packages into your lockfile as a contribution to the project, without you noticing it, and I wonder what you think about this vector?
P.S. I also wrote a tool called lockfile-lint to help combat this. Do you find this helpful?
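To make the vector above concrete: the example below is an added illustration, not the author's lockfile-lint code and not code from the original post. It parses an npm `package-lock.json` (the `packages` map of lockfileVersion 2/3) and flags any entry whose `resolved` URL is not `https`, points at a host outside an allow-list, or has no `integrity` hash, which is exactly what a malicious pull request that edits only the lockfile would look like. The sample lockfile, the hostname `evil.example` and the integrity string are constructed for the demo (the hash is a placeholder in the right format, not a verified value).

```javascript
// Added example (not lockfile-lint's own code): a minimal lockfile check
// for npm package-lock.json files with a "packages" map (lockfileVersion 2/3).
// Flags entries resolved over a non-https scheme, from a host that is not on
// the allow-list, or without a Subresource-Integrity style "integrity" hash.

// Hosts a contributor is allowed to resolve tarballs from (assumed policy).
const ALLOWED_HOSTS = new Set(['registry.npmjs.org', 'registry.yarnpkg.com']);

// Returns an array of { name, problem } findings; an empty array means clean.
function checkLockfile(lockJson, allowedHosts = ALLOWED_HOSTS) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  if (!lock || typeof lock.packages !== 'object') {
    throw new Error('only lockfileVersion 2/3 ("packages" map) is supported');
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;   // root project entry, has no resolved URL
    if (entry.link) continue;    // workspace symlink, nothing fetched
    // "node_modules/a/node_modules/@s/b" -> "@s/b"
    const name = path.replace(/^.*node_modules\//, '');

    if (!entry.resolved) {
      findings.push({ name, problem: 'missing resolved URL' });
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ name, problem: `unparseable resolved URL: ${entry.resolved}` });
      continue;
    }
    if (url.protocol !== 'https:') {
      findings.push({ name, problem: `insecure scheme ${url.protocol}` });
    }
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ name, problem: `host not allowed: ${url.hostname}` });
    }
    if (!entry.integrity) {
      findings.push({ name, problem: 'missing integrity hash' });
    } else if (!/^sha(512|384|256|1)-[A-Za-z0-9+/]+=*$/.test(entry.integrity)) {
      findings.push({ name, problem: `malformed integrity: ${entry.integrity}` });
    }
  }
  return findings;
}

// Constructed sample lockfile: "lodash" is a normal registry entry (integrity
// value is a format placeholder, not a verified hash); "left-pad" has been
// repointed by a "contributor" at an attacker-controlled host over plain http,
// with the integrity field dropped so npm will not reject the swapped tarball.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { lodash: '^4.17.21', 'left-pad': '^1.3.0' } },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'http://evil.example/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

const DEMO_FINDINGS = checkLockfile(SAMPLE_LOCK);
for (const f of DEMO_FINDINGS) {
  console.log(`${f.name}: ${f.problem}`);
}
```

Run as a CI step, a non-empty result should fail the build: a reviewer reading a 300-line lockfile diff will not spot one changed hostname, but this check will. A real tool also needs to cover `yarn.lock` and lockfileVersion 1, and to decide whether `git+ssh:` or `file:` dependencies are acceptable for the project.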
Discussion (2)
Excellent! I'd like to see it in the Snyk PR checks in future if it isn't already.
Thanks! :)
Probably not going to get there, but it's a great little tool you can add to your build pipeline, and there's a GitHub Action out of the box and a Docker image for it too. Easy peasy to integrate :)