generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-npm

Author: semgrep

To ensure reproducible and deterministic builds, use npm ci rather than npm install in scripts. This will use the lockfile rather than updating it.

Definition

rules:
  - id: use-frozen-lockfile-npm
    patterns:
      - pattern-regex: npm install\b
      - pattern-not-regex: pnpm install
      - pattern-not-regex: npm install -g
      - pattern-not-regex: npm install --global
      - pattern-not-regex: npm install [\w]+
      - pattern-not-regex: \#(.*)
    fix: npm ci
    message: To ensure reproducible and deterministic builds, use `npm ci` rather
      than `npm install` in scripts. This will use the lockfile rather than
      updating it.
    languages:
      - generic
    severity: INFO
    metadata:
      category: security
      cwe:
        - "CWE-494: Download of Code Without Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - dockerfile
        - javascript
        - typescript
        - npm
      references:
        - https://docs.npmjs.com/cli/v6/commands/npm-ci
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

use-frozen-lockfile.generic

# Install dependencies separately to improve caching
COPY package.json yarn.lock /app/
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# trailing space
# ruleid: use-frozen-lockfile-yarn
RUN yarn install

# ok: use-frozen-lockfile-yarn
RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --no-progress
# ok: use-frozen-lockfile-yarn
RUN yarn install --production --frozen-lockfile

# ok: use-frozen-lockfile-npm
# i am a comment, just to explain.. npm install

RUN yarn install --frozen-lockfile
RUN yarn install --immutable
# ruleid: use-frozen-lockfile-yarn
RUN yarn install some_package
RUN yarn install -g some_package
RUN yarn install --global some_package

RUN echo 'yarn installing foo'

RUN yarn install --frozen-lockfile
RUN yarn install --immutable
COPY . /app
RUN yarn build

WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install foo

RUN npm install foo
# ruleid: use-frozen-lockfile-npm
RUN npm install
RUN npm install -g some_package
RUN npm install --global some_package
RUN npm ci
COPY . /app
RUN yarn build

RUN echo 'npm installing foo'

# ok: use-frozen-lockfile-npm
RUN pnpm install
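As an added illustration that is not part of the Semgrep rule or its test file, the following Python approximates how the rule's pattern-regex and pattern-not-regex lines combine on a single Dockerfile line and how the `fix` rewrites a hit. It assumes Semgrep excludes a match whenever it overlaps a pattern-not-regex match, and it runs over constructed lines modelled on the example file above.

```python
import re

# Regexes copied from the rule definition. The overlap-based filtering is an
# approximation of Semgrep generic mode, not Semgrep's own implementation.
PATTERN = re.compile(r"npm install\b")
EXCLUDES = [re.compile(p) for p in (
    r"pnpm install",          # a different package manager; "npm install" is a substring
    r"npm install -g",        # global installs are not driven by the lockfile
    r"npm install --global",
    r"npm install [\w]+",     # installing a named package, not the lockfile
    r"\#(.*)",                # anything inside a comment
)]
FIX = "npm ci"


def _overlaps(a, b):
    """True when two (start, end) spans share at least one character."""
    return a[0] < b[1] and b[0] < a[1]


def findings(line):
    """Return the (start, end) spans on one line that the rule would report."""
    excluded = [m.span() for rx in EXCLUDES for m in rx.finditer(line)]
    return [m.span() for m in PATTERN.finditer(line)
            if not any(_overlaps(m.span(), e) for e in excluded)]


def is_flagged(line):
    return bool(findings(line))


def apply_fix(line):
    """Replace each flagged span with the rule's autofix, working right to left."""
    for start, end in reversed(findings(line)):
        line = line[:start] + FIX + line[end:]
    return line


def scan(dockerfile):
    """Return [(line_no, fixed_line)] for every line the rule reports."""
    return [(n, apply_fix(l)) for n, l in enumerate(dockerfile.splitlines(), 1)
            if is_flagged(l)]


# Constructed sample lines mirroring the rule's example file.
SAMPLE_LINES = [
    "# i am a comment, just to explain.. npm install",  # comment: excluded
    "RUN npm install foo",                               # named package: excluded
    "RUN npm install",                                   # reported, fixed to npm ci
    "RUN npm install -g some_package",                   # global: excluded
    "RUN npm install --global some_package",             # global: excluded
    "RUN npm ci",                                        # already correct
    "RUN echo 'npm installing foo'",                     # \b blocks "installing"
    "RUN pnpm install",                                  # pnpm: excluded
    "RUN npm install ",                                  # trailing space: still reported
]
```

Calling `scan("\n".join(SAMPLE_LINES))` reports only lines 3 and 9, each rewritten with `npm ci` in place of `npm install`.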