generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-npm

To ensure reproducible and deterministic builds, use `npm ci` rather than `npm install` in scripts. This uses the lockfile rather than updating it.
Definition
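# Semgrep rule: flag `npm install` in scripts/Dockerfiles and autofix it to
# `npm ci`, which installs exactly what package-lock.json / npm-shrinkwrap.json
# pins instead of resolving (and possibly rewriting) the lockfile.
# NOTE: `npm ci` requires a committed lockfile that is in sync with
# package.json; the rule does not verify that a lockfile is present.
rules:
  - id: use-frozen-lockfile-npm
    patterns:
      # `\b` after "install" keeps "npm installing ..." (e.g. in echo text)
      # from matching.
      - pattern-regex: 'npm install\b'
      # "pnpm install" contains "npm install" as a substring (the pattern has
      # no leading word boundary), so exclude it explicitly.
      - pattern-not-regex: 'pnpm install'
      # Global installs do not touch the project lockfile and have no
      # `npm ci` equivalent.
      - pattern-not-regex: 'npm install -g'
      - pattern-not-regex: 'npm install --global'
      # `npm install <package>` has no `npm ci` equivalent either. This only
      # covers a package name directly after "install"; forms such as
      # `npm install --save-dev <package>` are still reported, and the
      # textual fix below would then produce an invalid `npm ci` command, so
      # review the autofix before applying it.
      - pattern-not-regex: 'npm install [\w]+'
    # The fix is a plain text substitution of the matched "npm install".
    fix: npm ci
    message: >-
      To ensure reproducible and deterministic builds, use `npm ci` rather
      than `npm install` in scripts. This will use the lockfile rather than
      updating it.
    languages:
      - generic
    severity: INFO
    metadata:
      category: security
      cwe:
        - "CWE-494: Download of Code Without Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - dockerfile
        - javascript
        - typescript
        - npm
      references:
        - https://docs.npmjs.com/cli/v6/commands/npm-ci
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]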
Examples
use-frozen-lockfile.generic
# Semgrep test fixture shared by the use-frozen-lockfile-yarn and
# use-frozen-lockfile-npm rules. A `# ruleid: <id>` comment marks the next
# line as an expected finding for that rule, `# ok: <id>` as an expected
# non-finding; unannotated lines are expected to produce no finding.
# Install dependencies separately to improve caching
COPY package.json yarn.lock /app/
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# trailing space
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# Frozen/immutable installs must not be reported.
# ok: use-frozen-lockfile-yarn
RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --no-progress
# ok: use-frozen-lockfile-yarn
RUN yarn install --production --frozen-lockfile
RUN yarn install --frozen-lockfile
RUN yarn install --immutable
# ruleid: use-frozen-lockfile-yarn
RUN yarn install some_package
# Global installs: presumably excluded by the yarn rule (its definition is
# not on this page) - confirm against that rule.
RUN yarn install -g some_package
RUN yarn install --global some_package
# "installing" must not match the "install" pattern.
RUN echo 'yarn installing foo'
RUN yarn install --frozen-lockfile
RUN yarn install --immutable
COPY . /app
RUN yarn build
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install foo
# `npm install <package>` is excluded by the npm rule's last
# pattern-not-regex, so no finding is expected here.
RUN npm install foo
# ruleid: use-frozen-lockfile-npm
RUN npm install
# `-g` / `--global` installs are excluded by the npm rule.
RUN npm install -g some_package
RUN npm install --global some_package
# The recommended lockfile-respecting form.
RUN npm ci
COPY . /app
RUN yarn build
# The `\b` in the npm rule's pattern keeps "installing" from matching.
RUN echo 'npm installing foo'
# "pnpm install" contains "npm install" as a substring; the npm rule excludes
# it explicitly.
# ok: use-frozen-lockfile-npm
RUN pnpm install