author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-14 13:42:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-14 13:42:30 +0000 |
commit | 75808db17caf8b960b351e3408e74142f4c85aac (patch) | |
tree | 7989e9c09a4240248bf4658a22208a0a52d991c4 /tags/n/nodejs-lock-file.tag | |
parent | Initial commit. (diff) | |
download | lintian-75808db17caf8b960b351e3408e74142f4c85aac.tar.xz lintian-75808db17caf8b960b351e3408e74142f4c85aac.zip |
Adding upstream version 2.117.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tags/n/nodejs-lock-file.tag')
-rw-r--r-- | tags/n/nodejs-lock-file.tag | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tags/n/nodejs-lock-file.tag b/tags/n/nodejs-lock-file.tag new file mode 100644 index 0000000..105eda7 --- /dev/null +++ b/tags/n/nodejs-lock-file.tag @@ -0,0 +1,16 @@ +Tag: nodejs-lock-file +Severity: error +Check: languages/javascript/nodejs +Explanation: package-lock.json is automatically generated for any operations where + npm modifies either the node_modules tree, or package.json. It + describes the exact tree that was generated, such that subsequent + installs are able to generate identical trees, regardless of + intermediate dependency updates. + . + These information are useless from a debian point of view, because + version are managed by dpkg. + . + Moreover, package-lock.json feature to pin to some version + dependencies is a anti feature of the debian way of managing package, + and could lead to security problems in the likely case of debian + solving security problems by patching instead of upgrading. |
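Review bot: the Explanation in this new tag file tells the maintainer what package-lock.json does and why it conflicts with Debian's version handling, but never says what to do about it; at `Severity: error` a reader expects the remediation spelled out, so the final paragraph should end with a sentence such as "Please remove package-lock.json from the source package" (or whatever the intended fix is). While touching that text, the wording of the second and third paragraphs needs a grammar pass: "These information are useless from a debian point of view, because version are managed by dpkg." should read "This information is useless from a Debian point of view, because versions are managed by dpkg.", and "is a anti feature of the debian way of managing package" should read "is an anti-feature of the Debian way of managing packages". The security argument itself is sound as written: because Debian typically fixes vulnerabilities by patching the packaged version in place rather than bumping it, a lock file that pins exact upstream versions would, if honoured, pull in the unpatched tree, so it is worth keeping that sentence and making the remediation explicit next to it.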