Tag: nodejs-lock-file
Severity: error
Check: languages/javascript/nodejs
Explanation: package-lock.json is automatically generated for any operations where
npm modifies either the node_modules tree, or package.json. It
describes the exact tree that was generated, such that subsequent
installs are able to generate identical trees, regardless of
intermediate dependency updates.
.
This information is useless from a Debian point of view, because
versions are managed by dpkg.
.
Moreover, the package-lock.json feature of pinning dependencies to
specific versions is an anti-feature with respect to the Debian way of
managing packages, and could lead to security problems in the likely
case of Debian solving security problems by patching instead of upgrading.
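As an added illustration (not part of the lintian tag text), a small Python helper that locates package-lock.json files in a source tree and lists the exact versions they pin, i.e. the information that dpkg, not npm, decides in Debian. It understands both the lockfileVersion 1 nested "dependencies" tree and the lockfileVersion 2/3 "packages" map; the sample lockfile is constructed.

```python
import json
import os
from typing import Dict, List

# Constructed sample package-lock.json (lockfileVersion 2 carries both layouts).
SAMPLE_LOCK = """{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/ms": {"version": "2.0.0"}
  },
  "dependencies": {
    "left-pad": {"version": "1.3.0", "requires": {"ms": "2.0.0"},
                 "dependencies": {"ms": {"version": "2.0.0"}}}
  }
}"""


def pinned_versions(lock: dict) -> Dict[str, str]:
    """Return {package name: exact pinned version} from a parsed package-lock.json."""
    pins: Dict[str, str] = {}
    # lockfileVersion 2/3: flat map keyed by node_modules path; "" is the root project.
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:
            pins[path.rsplit("node_modules/", 1)[-1]] = meta["version"]

    # lockfileVersion 1: nested "dependencies" tree, one level per node_modules dir.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if "version" in meta:
                pins.setdefault(name, meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return pins


def pinned_from_text(text: str) -> Dict[str, str]:
    """Convenience wrapper: parse lockfile JSON text and report its pins."""
    return pinned_versions(json.loads(text))


def find_lock_files(root: str) -> List[str]:
    """Walk a source tree and return every package-lock.json path found (sorted)."""
    return sorted(os.path.join(d, "package-lock.json")
                  for d, _dirs, files in os.walk(root) if "package-lock.json" in files)


if __name__ == "__main__":
    for name, version in sorted(pinned_from_text(SAMPLE_LOCK).items()):
        print(f"{name} pinned to {version}; in Debian dpkg decides this version")
```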