Snyk Community

Liran Tal


Do you use lockfiles for your project? Did you consider them to be a security issue?

The whole debate around whether you should use a lockfile or not for a project is something that's been going on for a while.

However, assuming you are using lockfiles: did you consider the security concerns related to lockfiles?

I wrote about how it is possible for someone to inject malicious packages into your lockfile as a contribution to the project without you noticing it, and I wonder what you think about this vector.

P.S. I also wrote a tool called lockfile-lint to help combat this. Do you find it helpful?

It looks like this:
[Image: npm lockfile]
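The vector the post describes is a pull request that keeps a dependency's name and version but changes its `resolved` URL (or strips its `integrity` hash) so `npm install` fetches a tarball from somewhere other than the registry. The following is an added example, not part of the post and not lockfile-lint's own code, of the kind of check such a tool performs: it walks a `package-lock.json` and flags every entry whose `resolved` URL is not `https://` on `registry.npmjs.org`, or that has no integrity hash. The allowed-host policy and the sample lockfile are constructed for the demo and are assumptions, not values from the post.

```javascript
// Added example, not part of the post and not lockfile-lint's own code:
// a minimal audit of the "resolved" URLs in an npm package-lock.json,
// which is the field a malicious contribution would tamper with.
// Policy values and the sample lockfile below are constructed for the demo.

// Hosts and URL schemes that a "resolved" entry is allowed to use (assumed policy).
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);
const ALLOWED_SCHEMES = new Set(["https:"]);

// Yield { name, resolved, integrity } for every dependency in the lockfile.
// lockfileVersion 2/3 carry a flat "packages" map; v1 (and v2, for
// compatibility) carry a nested "dependencies" tree. Prefer "packages" so
// v2 files are not reported twice.
function* lockfileEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || entry.link) continue; // root project / workspace link
      yield { name: path, resolved: entry.resolved, integrity: entry.integrity };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      yield { name: prefix + name, resolved: entry.resolved, integrity: entry.integrity };
      if (entry.dependencies) yield* walk(entry.dependencies, prefix + name + " > ");
    }
  }
  yield* walk(lock.dependencies, "");
}

// Audit one lockfile (as JSON text). Returns a list of findings; an empty
// list means every entry satisfies the host, scheme and integrity policy.
function auditLockfile(lockText, policy = {}) {
  const hosts = policy.allowedHosts || ALLOWED_HOSTS;
  const schemes = policy.allowedSchemes || ALLOWED_SCHEMES;
  const findings = [];
  for (const { name, resolved, integrity } of lockfileEntries(JSON.parse(lockText))) {
    if (!resolved) {
      findings.push({ name, reason: "missing-resolved", resolved });
      continue;
    }
    let url;
    try {
      url = new URL(resolved);
    } catch {
      findings.push({ name, reason: "unparseable-resolved", resolved });
      continue;
    }
    // Compare the parsed hostname exactly: a substring check would accept
    // "registry.npmjs.org.evil.example".
    if (!schemes.has(url.protocol)) findings.push({ name, reason: "scheme", resolved });
    if (!hosts.has(url.hostname)) findings.push({ name, reason: "host", resolved });
    // Without a subresource-integrity hash npm cannot detect a swapped tarball.
    if (!integrity || !/^sha(256|384|512)-/.test(integrity)) {
      findings.push({ name, reason: "integrity", resolved });
    }
  }
  return findings;
}

// Constructed v1-style lockfile: one clean entry plus three tampered ones
// (look-alike host, https downgraded to http, integrity hash removed).
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    "left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-constructedPlaceholderHashA==",
    },
    ms: {
      version: "2.1.3",
      resolved: "https://registry.npmjs.org.evil.example/ms/-/ms-2.1.3.tgz",
      integrity: "sha512-constructedPlaceholderHashB==",
    },
    debug: {
      version: "4.3.4",
      resolved: "http://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
      integrity: "sha512-constructedPlaceholderHashC==",
      dependencies: {
        ms: {
          version: "2.1.2",
          resolved: "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
        },
      },
    },
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.reason.padEnd(9)} ${f.name}: ${f.resolved}`);
  }
}
```

Running it against the sample prints the three tampered entries (`host` for the look-alike registry, `scheme` for the http download, `integrity` for the nested `ms`) and nothing for `left-pad`. In a CI step you would exit non-zero on any finding; a team using a private registry would pass its hostname in `allowedHosts` instead of the default.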

Discussion (2)

DevRCRun

Excellent! I'd like to see it in the Snyk PR checks in future if it isn't already.

Liran Tal Author

Thanks! :)
Probably not going to get there, but it's a great little tool you can add to your build pipeline, and there's a GitHub Action out of the box and a Docker image for it too. Easy peasy to integrate :)