Severity: medium | CWE-1104 | OWASP A06:2021

Missing Lockfile (Project Config)

A project without a committed lockfile can install different dependency versions on each machine, making builds non-reproducible and supply chain attacks harder to detect.

How It Works

This extends the supply chain lockfile check (ID 141) to the project configuration perspective. Without a lockfile in the repo root, your CI, Docker builds, and new developer machines all resolve dependency versions independently. A compromised package version could be installed on some machines but not others, making the attack harder to detect.

Vulnerable Code
# BAD: package-lock.json listed in .gitignore
# .gitignore
package-lock.json
yarn.lock
pnpm-lock.yaml
# npm install in CI pulls whatever is current — non-deterministic
Secure Code
# GOOD: lockfile committed, CI uses 'npm ci' for reproducible installs
# .gitignore — lockfiles NOT listed

# Dockerfile
COPY package.json package-lock.json ./
RUN npm ci --only=production  # fails if the lockfile does not match package.json (npm 7+ spells this flag --omit=dev)

Real-World Example

Projects that gitignore their lockfile frequently discover dependency drift — different team members running different versions of the same package, leading to 'works on my machine' bugs and inconsistent security posture across environments.

How to Prevent It

  • Remove package-lock.json from .gitignore immediately if it's there
  • Commit the lockfile and use npm ci in all CI/CD and Docker builds
  • Configure npm to always generate a lockfile: add 'package-lock=true' to .npmrc
  • Periodically run npm audit with the lockfile to surface vulnerabilities in pinned versions

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
