Severity: medium | CWE-1104 (Use of Unmaintained Third Party Components) | OWASP A06:2021 (Vulnerable and Outdated Components)

Missing Lockfile

Without a lockfile, npm install resolves each dependency to the newest published version that satisfies its semver range, so a package compromised between two deploys is pulled into the next one with no change to your repository.

How It Works

package.json declares dependencies as semver ranges (^1.2.3 means any version from 1.2.3 up to, but not including, 2.0.0). Without package-lock.json, every install resolves each range afresh against the registry, so two installs a day apart can produce different dependency trees. If an attacker publishes a malicious patch release inside that range, the next CI run installs it automatically. A lockfile records the exact resolved version, the registry URL and a subresource-integrity hash for every package in the tree, so installs are reproducible and a tarball whose bytes have changed is rejected.

Vulnerable Code
# BAD: .gitignore that discards the lockfile, so every install is non-deterministic.
# (In .gitignore only a line that starts with # is a comment; text after a
# pattern on the same line becomes part of the pattern, so comments go on their own line.)
# never do this:
package-lock.json
# never do this either:
yarn.lock
Secure Code
# GOOD: .gitignore must NOT list package-lock.json or yarn.lock;
# the lockfile is committed and its diffs are reviewed like any other source.

# In CI, install from the lockfile only:
#   npm ci
# npm ci removes node_modules, installs exactly the versions recorded in
# package-lock.json, checks their integrity hashes, and exits non-zero when the
# lockfile disagrees with package.json (npm install would silently rewrite it).
# Yarn equivalents: yarn install --frozen-lockfile (Yarn 1), yarn install --immutable (Yarn 2+).

Real-World Example

In the 2018 event-stream attack, a new maintainer published event-stream 3.3.6 with a dependency on flatmap-stream, whose 0.1.1 release carried code targeting a cryptocurrency wallet. Projects without a lockfile pulled the new event-stream and the malicious flatmap-stream automatically on their next install; projects with a lockfile kept their previously resolved versions and were unaffected until they explicitly updated.

How to Prevent It

  • Commit package-lock.json or yarn.lock to version control and never add it to .gitignore; review lockfile diffs in pull requests like any other code, since that is where an unexpected new version or registry URL shows up
  • Use npm ci (yarn install --frozen-lockfile for Yarn 1, yarn install --immutable for Yarn 2+) instead of npm install in CI/CD pipelines, so a lockfile that disagrees with package.json fails the build instead of being silently rewritten
  • Let Dependabot or Renovate open reviewed PRs that update the lockfile, rather than bumping versions ad hoc on developer machines
  • npm ci already verifies the integrity hashes recorded in the lockfile; additionally verify registry signatures of the installed packages with npm audit signatures (npm 8.13 or newer)

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
