Do you use lockfiles for your project? did you consider them to be a security issue?

#javascript #security #npm #discuss

Liran Tal Oct 28 ・1 min read

The whole debate around whether you should use a lockfile or not for a project is something that's been going on for a while.

However, considering that you are using lockfiles. Did you consider the security concerns related with lockfiles?

I wrote about how it is possible for someone to inject malicious packages in your lockfile as a contribution to the project, without you noticing it, and wonder what do you think about this vector?

P.S. also wrote a tool called lockfile-lint to help combat this. do you find this helpful?

It looks like this:

Discussion

DevRCRun • Oct 28

Excellent! I'd like to see it in the Snyk PR checks in future if it isn't already.

Liran Tal • Oct 28

Thanks! :)
Probably not going to get there but it's a great little tool you can add in your build pipeline and there's a github action out of the box and a docker image for it too. Easy peasy to integrate :)

Vuln Cost Plugin for Visual Studio Code

🧑🏼‍💻 Brian Vermeer - Oct 20

Hi all. Anyone else from a "traditional" pen testing background getting in to DevSecOps?

Joe Durbin - Oct 18

[Announcement] Snyk Plugin now covers all JetBrains IDEs

SnykCommunity - Nov 4

[SnykLIVE] Dastardly Disasters - Episode 1

SnykCommunity - Nov 4

Read next

Vuln Cost Plugin for Visual Studio Code

Hi all. Anyone else from a "traditional" pen testing background getting in to DevSecOps?

[Announcement] Snyk Plugin now covers all JetBrains IDEs

[SnykLIVE] Dastardly Disasters - Episode 1

Log in to continue