Diffstat (limited to 'tags/n/nodejs-lock-file.tag')
-rw-r--r-- | tags/n/nodejs-lock-file.tag | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tags/n/nodejs-lock-file.tag b/tags/n/nodejs-lock-file.tag new file mode 100644 index 0000000..105eda7 --- /dev/null +++ b/tags/n/nodejs-lock-file.tag @@ -0,0 +1,16 @@ +Tag: nodejs-lock-file +Severity: error +Check: languages/javascript/nodejs +Explanation: package-lock.json is automatically generated for any operations where + npm modifies either the node_modules tree, or package.json. It + describes the exact tree that was generated, such that subsequent + installs are able to generate identical trees, regardless of + intermediate dependency updates. + . + These information are useless from a debian point of view, because + version are managed by dpkg. + . + Moreover, package-lock.json feature to pin to some version + dependencies is a anti feature of the debian way of managing package, + and could lead to security problems in the likely case of debian + solving security problems by patching instead of upgrading. |
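Review bot: The Explanation in this new tag file states why package-lock.json is unwanted but never tells the maintainer what to do about it, which a Severity: error tag should (for example, that the file must be excluded or removed from the binary package), so please add a closing sentence with the remedial action. The wording of the rationale also needs tightening before this ships in user-visible Lintian output: "These information are useless from a debian point of view, because version are managed by dpkg." should read "This information is useless from a Debian point of view, because versions are managed by dpkg.", and "package-lock.json feature to pin to some version dependencies is a anti feature of the debian way of managing package" should read something like "the ability of package-lock.json to pin dependencies to specific versions is an anti-feature in the Debian way of managing packages". The final sentence should also say concretely what the security problem is: because Debian usually fixes vulnerabilities by patching the packaged version rather than upgrading to a new upstream release, a lock file that pins exact upstream versions can cause an npm install to pull an unpatched upstream copy instead of the fixed Debian package. "Debian" should be capitalised throughout.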