Snyk Community

Snyk Community is a community of amazing users

The place for Snyk users & security enthusiasts to share their experience and learn from each other.

Create new account Log in
loading...
Cover image for Do you use lockfiles for your project? did you consider them to be a security issue?

Do you use lockfiles for your project? did you consider them to be a security issue?

#javascript #security #npm #discuss
lirantal profile image Liran Tal ・1 min read

The whole debate around whether you should use a lockfile or not for a project is something that's been going on for a while.

However, considering that you are using lockfiles. Did you consider the security concerns related with lockfiles?

I wrote about how it is possible for someone to inject malicious packages in your lockfile as a contribution to the project, without you noticing it, and wonder what do you think about this vector?

P.S. also wrote a tool called lockfile-lint to help combat this. do you find this helpful?

It looks like this:
npm lockfile

Discussion (2)

pic
Editor guide
Collapse
devrcrun profile image
DevRCRun

Excellent! I'd like to see it in the Snyk PR checks in future if it isn't already.

Collapse
lirantal profile image
Liran Tal Author

Thanks! :)
Probably not going to get there but it's a great little tool you can add in your build pipeline and there's a github action out of the box and a docker image for it too. Easy peasy to integrate :)

Read next

sjmaple profile image

[Announcement] Find & fix vulnerabilities in container and serverless

Simon Maple -

sjmaple profile image

[Announcement] Secure Amazon Elastic Kubernetes Service (Amazon EKS) workloads with Snyk

Simon Maple -

proudboffin profile image

[Annoucement] Custom Webhooks

Daniel Berman -

sjmaple profile image

[Announcements] New QuickStarts available for Serverless CI/CD AWS deployments.

Simon Maple -