missing-or-ignored-dependency-lockfile

Solid

Detects projects where lockfiles are missing or ignored in version control, allowing non-deterministic builds with potentially different dependency versions.

Data & Documents 32 stars 10 forks Updated 2 months ago NOASSERTION


Quality Score: 72/100

Stars (weight 20%): 51
Recency (weight 20%): 75
Frontmatter (weight 20%): 70
Documentation (weight 15%): 27
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Missing or Ignored Dependency Lockfile

## Overview

Lockfiles (`package-lock.json`, `yarn.lock`, `Pipfile.lock`, `Gemfile.lock`; for Go, `go.mod` pins module versions and `go.sum` records their checksums) record the exact resolved version, and usually a content hash, of every direct and transitive dependency. Without one, a manifest range such as `^1.2.0` is resolved afresh on every `npm install`, so two builds of the same commit can pull different versions, including a newly published release that is vulnerable or malicious. Gitignoring the lockfile in an application project is a security anti-pattern: the resolved dependency tree never goes through review, and CI and production silently drift from what was tested.

## Remediation

- Commit lockfiles to version control for all application projects (libraries are the usual exception, since their consumers resolve their own trees).
- Use `npm ci` instead of `npm install` in CI/CD: `npm ci` installs exactly what `package-lock.json` records and fails if the lockfile is missing or disagrees with `package.json`, whereas `npm install` may resolve new versions and rewrite the lockfile.
- Make the lockfile immutable in CI for the other package managers as well. `--frozen-lockfile` is the Yarn 1 and pnpm flag (`yarn install --frozen-lockfile`, `pnpm install --frozen-lockfile`); the equivalents are `yarn install --immutable` for Yarn 2+, `pipenv install --deploy` for `Pipfile.lock`, `BUNDLE_FROZEN=true bundle install` for `Gemfile.lock`, and `go mod verify` for Go modules. Each of these fails the build instead of quietly regenerating the lockfile.
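The check the skill describes, written out as a small scanner; this is an added example and not code from the ice-tea repository. It walks a project tree, looks for each dependency manifest, and reports a manifest whose lockfile is absent or whose lockfile exists but would be excluded by the root `.gitignore`. It generalizes the page's list with `npm-shrinkwrap.json`, `pnpm-lock.yaml` and `Cargo.lock`, and treats `go.sum` as the lockfile companion of `go.mod`. The `.gitignore` matcher is a deliberate simplification (assumption): it handles comments, `!` negation, basename globs and slash-anchored paths, but not `**` or directory-only rules, so a real deployment should use git's own `check-ignore`.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// Issue is one finding: a manifest whose lockfile is absent or gitignored.
type Issue struct {
	Dir      string // directory relative to the scan root ("." for the root)
	Manifest string
	Kind     string // "missing" or "ignored"
	Detail   string
}

// manifestLocks maps each dependency manifest to the lockfiles that pin it.
// Any one present (and tracked) lockfile satisfies the check.
var manifestLocks = map[string][]string{
	"package.json": {"package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"},
	"Pipfile":      {"Pipfile.lock"},
	"Gemfile":      {"Gemfile.lock"},
	"go.mod":       {"go.sum"},
	"Cargo.toml":   {"Cargo.lock"},
}

// skipDirs are never scanned: vendored trees carry their own manifests.
var skipDirs = map[string]bool{".git": true, "node_modules": true, "vendor": true}

// ignoreRule is a simplified .gitignore line: a glob, whether it negates,
// and whether it is anchored (contains a slash, so it matches the full path).
type ignoreRule struct {
	glob     string
	negate   bool
	anchored bool
}

// parseIgnore turns .gitignore text into rules. Comments and blank lines are
// dropped; "**" and trailing-slash directory rules are not supported (assumption).
func parseIgnore(text string) []ignoreRule {
	var rules []ignoreRule
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		r := ignoreRule{}
		if strings.HasPrefix(line, "!") {
			r.negate = true
			line = line[1:]
		}
		r.anchored = strings.Contains(line, "/")
		r.glob = strings.TrimPrefix(line, "/")
		rules = append(rules, r)
	}
	return rules
}

// isIgnored applies the rules in order to a slash-separated path relative to
// the .gitignore; as in git, the last matching rule wins.
func isIgnored(rules []ignoreRule, rel string) bool {
	ignored := false
	for _, r := range rules {
		target := path.Base(rel)
		if r.anchored {
			target = rel
		}
		if ok, _ := path.Match(r.glob, target); ok {
			ignored = !r.negate
		}
	}
	return ignored
}

// Scan walks root and reports every manifest with no lockfile beside it, or
// with a lockfile that the root .gitignore would keep out of version control.
func Scan(root string) ([]Issue, error) {
	var rules []ignoreRule
	if data, err := os.ReadFile(filepath.Join(root, ".gitignore")); err == nil {
		rules = parseIgnore(string(data))
	}
	var issues []Issue
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if p != root && skipDirs[d.Name()] {
				return filepath.SkipDir
			}
			return nil
		}
		locks, ok := manifestLocks[d.Name()]
		if !ok {
			return nil
		}
		dir := filepath.Dir(p)
		relDir, _ := filepath.Rel(root, dir)
		var present []string
		for _, l := range locks {
			if _, err := os.Stat(filepath.Join(dir, l)); err == nil {
				present = append(present, l)
			}
		}
		if len(present) == 0 {
			issues = append(issues, Issue{relDir, d.Name(), "missing",
				"expected one of " + strings.Join(locks, ", ")})
			return nil
		}
		for _, l := range present {
			rel := filepath.ToSlash(filepath.Join(relDir, l))
			if isIgnored(rules, rel) {
				issues = append(issues, Issue{relDir, d.Name(), "ignored",
					l + " exists but is excluded by .gitignore"})
			}
		}
		return nil
	})
	return issues, err
}

// main prints findings and exits non-zero when any exist, so the scanner
// can gate a CI job.
func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	issues, err := Scan(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, i := range issues {
		fmt.Printf("%s: %s/%s: %s\n", i.Kind, i.Dir, i.Manifest, i.Detail)
	}
	if len(issues) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run . path/to/repo`. A lockfile that is both absent and gitignored is reported once, as `missing`; the `ignored` kind is reserved for the subtler case where the file sits on disk, so local builds look reproducible, but never reaches the repository.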

Details

Author
zakirkun
Repository
zakirkun/ice-tea
Created
2 months ago
Last Updated
2 months ago
Language
Go
License
NOASSERTION


Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Featured

update-dependencies

Upgrade project dependencies with breaking change research for major version updates. Use when the user asks to "update dependencies", "upgrade packages", "upgrade dependencies", "update deps", "upgrade deps", "update npm deps", "update Swift packages", "cargo update", "go get updates", "bundle update", or "pip upgrade".

310 Updated today
tobihagemann
Web & Frontend Solid

spm-build-analysis

Analyze Swift Package Manager dependencies, package plugins, module variants, and CI-oriented build overhead that slow Xcode builds. Use when a developer suspects packages, plugins, or dependency graph shape are hurting clean or incremental build performance, mentions SPM slowness, package resolution time, build plugin overhead, duplicate module builds from configuration drift, circular dependencies between modules, oversized modules needing splitting, or modularization best practices.

743 Updated 1 month ago
AvdLee
Data & Documents Solid

link-deps

Discover and link related issues as dependencies. Searches for issues that should be connected and recommends dependency relationships to establish proper work order.

131 Updated 4 days ago
joa23
Code & Development Solid

rust-dev

This skill should be used when working with Rust code, reviewing Rust code, managing Rust dependencies, creating Rust projects, or fixing Rust compilation errors. It provides strict coding standards (especially FAIL FAST error handling), workspace architecture guidance, dependency management automation, and common Rust patterns.

24 Updated 3 weeks ago
onsails
AI & Automation Solid

scope-guard

Detects scope creep by quantifying drift percentage. Auto-triggered by L1 orchestrators when files exceed the original plan. Compares git changes against plan, classifies drift into 4 tiers: ON_TRACK, MINOR_DRIFT, SIGNIFICANT_DRIFT, OUT_OF_CONTROL.

75 Updated 1 week ago
Rune-kit