summaryrefslogtreecommitdiffstats
path: root/tags/n/nodejs-lock-file.tag
diff options
context:
space:
mode:
Diffstat (limited to 'tags/n/nodejs-lock-file.tag')
-rw-r--r--tags/n/nodejs-lock-file.tag16
1 files changed, 16 insertions, 0 deletions
diff --git a/tags/n/nodejs-lock-file.tag b/tags/n/nodejs-lock-file.tag
new file mode 100644
index 0000000..105eda7
--- /dev/null
+++ b/tags/n/nodejs-lock-file.tag
@@ -0,0 +1,16 @@
+Tag: nodejs-lock-file
+Severity: error
+Check: languages/javascript/nodejs
+Explanation: package-lock.json is automatically generated for any operations where
+ npm modifies either the node_modules tree, or package.json. It
+ describes the exact tree that was generated, such that subsequent
+ installs are able to generate identical trees, regardless of
+ intermediate dependency updates.
+ .
+ These information are useless from a debian point of view, because
+ version are managed by dpkg.
+ .
+ Moreover, package-lock.json feature to pin to some version
+ dependencies is a anti feature of the debian way of managing package,
+ and could lead to security problems in the likely case of debian
+ solving security problems by patching instead of upgrading.
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-10 08:20:24 +0000