lockfiles
Security checks for lockfiles.
Rules (2)

To ensure reproducible and deterministic builds, use `npm ci` rather than `npm install` in scripts. `npm ci` will use the lockfile rather than updating it.

To ensure reproducible and deterministic builds, make sure `yarn install` uses the lockfile. A plain `yarn install` will update the lockfile rather than using the pinned versions. With `--immutable`, Yarn exits with an error code if the lockfile would be modified.