NPM Install Command Without Pinned Version

• Query id: e36d8880-3f78-4546-b9a1-12f0745ca0d5
• Query name: NPM Install Command Without Pinned Version
• Platform: Dockerfile
• Severity: Medium
• Category: Supply-Chain
• URL: Github

Description

Check if packages installed by npm are pinning a specific version.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file

FROM node:12
RUN npm install sax
RUN npm install sax --no-cache
RUN npm install sax | grep fail && npm install sax@latest
RUN npm install sax@latest | grep fail && npm install sax
RUN npm install sax | grep fail && npm install sax
RUN npm i -g @angular/cli
RUN ["npm","add","sax"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

FROM node:12
RUN npm install
RUN npm install sax@latest
RUN npm install sax@0.1.1
RUN npm install sax@0.1.1 | grep fail && npm install sax@latest
RUN npm install git://github.com/npm/cli.git
RUN npm install git+ssh://git@github.com:npm/cli#semver:^5.0
RUN npm install --production --no-cache
RUN npm config set registry <internal_npm_registry> && \
    npm install && \
    npx vite build --mode $VITE_MODE