Npm lockfiles can be a security blindspot for injecting malicious modules

[jeffin143]

User story

I am not sure, I am the correct person to discuss about the npm build issue, but I cam across an article - https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

which states linting package-lock.json files is a good practice to avoid security issues.

Best solution for this problem

Should we lint package-lock.json file ?

Also does npm audit help us ?

MVP

Check - https://github.com/lirantal/lockfile-lint

[znarf]

@jeffin143 happy to add that to our 'lint' jobs on CI, doable?

[jeffin143]

@znarf Umm I will try it in on one of my own repo, if everything works smooth, I will add the config files here :)

[Betree]

Thanks for reporting this, it's really interesting.

I don't think that lockfile-lint solves the problem in a nice way because it's very easy to host malicious code on NPM or Github. But maybe that can be a good first step.

[jeffin143]

@znarf @Betree Revisiting this :
Found some alternative which some of our collective have

NPM audit -

https://dev.azure.com/webpack/webpack-dev-server/_build/results?buildId=7132
webpack/webpack-dev-server#2303

Synk
https://snyk.io/docs/using-snyk/
webpack/webpack-cli#1122

Both of these have been used across many repos, so may be that could be helpful

[Betree]

@jeffin143 I don't see how these two PRs are related to this issue