NPM Install Command Without Pinned Version
- Query id: e36d8880-3f78-4546-b9a1-12f0745ca0d5
- Query name: NPM Install Command Without Pinned Version
- Platform: Dockerfile
- Severity: Medium
- Category: Supply-Chain
- URL: Github
Description¶
Check if packages installed by npm are pinning a specific version.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - dockerfile file
FROM node:12
RUN npm install sax
RUN npm install sax --no-cache
RUN npm install sax | grep fail && npm install sax@latest
RUN npm install sax@latest | grep fail && npm install sax
RUN npm install sax | grep fail && npm install sax
RUN npm i -g @angular/cli
RUN ["npm","add","sax"]
Code samples without security vulnerabilities¶
Negative test num. 1 - dockerfile file
FROM node:12
RUN npm install
RUN npm install sax@latest
RUN npm install sax@0.1.1
RUN npm install sax@0.1.1 | grep fail && npm install sax@latest
RUN npm install git://github.com/npm/cli.git
RUN npm install git+ssh://git@github.com:npm/cli#semver:^5.0
RUN npm install --production --no-cache