generic.ci.security.use-frozen-lockfile.use-frozen-lockfile

Author: returntocorp
When running `yarn install` in CI or in a container build, make sure it honours the lockfile. Without `--frozen-lockfile`, Yarn 1 (Classic) resolves dependencies again, may install versions other than those pinned in `yarn.lock`, and silently rewrites the lockfile instead of failing; with the flag, the install aborts if the lockfile would need to change, so a stale or tampered `yarn.lock` is caught rather than papered over. Yarn 2+ (Berry) names the equivalent flag `--immutable`. The flag only helps when `yarn.lock` is committed and copied into the build context before the install step runs.


Definition

rules:
  - id: use-frozen-lockfile
    patterns:
      - pattern: yarn install
      - pattern-not-inside: yarn install --frozen-lockfile
    message: When performing yarn install, make sure to use the lockfile. Without
      `--frozen-lockfile`, yarn will update the lockfile rather than using the
      pinned versions.
    languages:
      - generic
    severity: ERROR
    metadata:
      category: security
      technology:
        - yarn
      cwe: "CWE-494: Download of Code Without Integrity Check"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

use-frozen-lockfile.generic

# Install dependencies separately to improve caching
COPY package.json yarn.lock /app/
WORKDIR /app
# ruleid: use-frozen-lockfile
RUN yarn install

# ok: use-frozen-lockfile
RUN yarn install --frozen-lockfile
COPY . /app
RUN yarn build
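The shell lint below is an added example and is not part of the rule or its test file. The Semgrep pattern above is a literal match: it reports `yarn --frozen-lockfile install` and `yarn install --immutable` (the Yarn 2+ flag) as findings even though both freeze the lockfile, and it cannot see a bare `yarn` with no subcommand, which also runs an install. The script accepts either flag in either position and exits non-zero on a finding, as a CI job would; the function names (`check_yarn_install`, `make_sample`) and the sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Semgrep rule or its test file: a small
# POSIX-shell lint that reports "yarn install" invocations that do not
# freeze the lockfile. It accepts Yarn 1's --frozen-lockfile and Yarn 2+'s
# --immutable, and tolerates flags placed before the subcommand
# ("yarn --frozen-lockfile install"), which the literal Semgrep pattern
# would flag. Function names and the sample Dockerfile are hypothetical.

# check_yarn_install FILE
# Prints FILE:LINE:TEXT for each offending line; returns 1 if any was found.
check_yarn_install() {
  file=$1
  findings=$(
    # lines invoking "yarn [flags...] install" with a word boundary on each side
    grep -nE '(^|[^[:alnum:]_-])yarn( +[[:alnum:]-]+)* +install([^[:alnum:]-]|$)' "$file" \
      | grep -vE '^[0-9]+:[[:space:]]*#' \
      | grep -vE -- '--frozen-lockfile([^[:alnum:]-]|$)|--immutable([^[:alnum:]-]|$)' \
      | sed "s|^|$file:|"
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# make_sample FILE
# Writes a constructed Dockerfile (not from the page): one offending install
# among several acceptable lines, plus a comment that must be ignored.
make_sample() {
  cat > "$1" <<'EOF'
# Dockerfile (constructed sample); "yarn install" in this comment is ignored
COPY package.json yarn.lock /app/
WORKDIR /app
RUN yarn install
RUN yarn install --frozen-lockfile
RUN yarn --frozen-lockfile install
RUN yarn install --immutable
RUN yarn run build
EOF
}

# Stand-alone usage: lint the constructed sample and report, as a CI step would.
sample=$(mktemp)
make_sample "$sample"
check_yarn_install "$sample" || echo "unfrozen yarn install found in $sample (see above)"
rm -f "$sample"
```

In a pipeline, run `check_yarn_install` over each Dockerfile and CI workflow and let its non-zero status fail the job. Neither this lint nor the Semgrep rule catches a bare `yarn` with no subcommand; treat that the same way as an unflagged `yarn install`.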