npm install command without pinned version
Id: e36d8880-3f78-4546-b9a1-12f0745ca0d5
Cloud Provider: Dockerfile
Platform: Dockerfile
Severity: Medium
Category: Supply-Chain
Description
Installing packages without pinned versions risks unintentional or malicious dependency upgrades, leading to supply-chain compromises, newly introduced vulnerabilities, or non-reproducible builds.
This rule inspects RUN instructions that invoke npm install, npm i, or npm add and requires each package argument (excluding command flags) to either carry an explicit version or tag (for example, package@1.2.3 or @scope/pkg@^1.2.3) or be a git-based reference (for example, git+https://...). Tokens that start with - (npm flags) are allowed. Scoped packages must still include a version suffix, and bare package names without an @version are flagged.
Secure example with pinned versions:
{
  "scripts": {
    "install-deps": "npm install express@4.17.1 lodash@4.17.21 @scope/pkg@1.2.3"
  }
}
Compliant Code Examples
FROM node:12
RUN npm install
RUN npm install sax@latest
RUN npm install sax@0.1.1
RUN npm install sax@0.1.1 | grep fail && npm install sax@latest
RUN npm install git://github.com/npm/cli.git
RUN npm install git+ssh://git@github.com:npm/cli#semver:^5.0
RUN npm install --production --no-cache
RUN npm config set registry <internal_npm_registry> && \
npm install && \
npx vite build --mode $VITE_MODE
Non-Compliant Code Examples
FROM node:12
RUN npm install sax
RUN npm install sax --no-cache
RUN npm install sax | grep fail && npm install sax@latest
RUN npm install sax@latest | grep fail && npm install sax
RUN npm install sax | grep fail && npm install sax
RUN npm i -g @angular/cli
RUN ["npm","add","sax"]
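As an added illustration (not part of the rule's own implementation), the following Python checker applies the logic described above to the RUN lines in these examples: it splits chained shell commands, skips npm flags, accepts version/tag suffixes and git references, handles scoped packages and the exec (JSON array) form, and joins backslash-continued lines. Function names and the git URL prefix list are assumptions of this example.

```python
import json
import re
import shlex

# Shell operators that chain separate commands inside one RUN instruction.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||\||;)\s*")
INSTALL_VERBS = {"install", "i", "add"}
GIT_PREFIXES = ("git://", "git+ssh://", "git+https://", "git+http://", "git+file://")

def has_version(token):
    """True if a package argument names a version/tag or is a git reference."""
    if token.startswith(GIT_PREFIXES):
        return True
    # For scoped packages the leading '@' belongs to the name; look for a second one.
    return "@" in (token[1:] if token.startswith("@") else token)

def unpinned_packages(command):
    """Package args of npm install/i/add invocations in a shell string that lack a version."""
    unpinned = []
    for segment in SEPARATORS.split(command):
        words = shlex.split(segment)
        if len(words) < 2 or words[0] != "npm" or words[1] not in INSTALL_VERBS:
            continue
        # Flags such as -g or --no-cache are allowed; everything else must be pinned.
        unpinned += [t for t in words[2:] if not t.startswith("-") and not has_version(t)]
    return unpinned

def scan_dockerfile(text):
    """Return [(line_number, [unpinned packages])] for every violating RUN instruction."""
    findings, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = start if pending else n
        if line.endswith("\\"):  # join backslash-continued lines into one instruction
            pending += line[:-1] + " "
            continue
        full, pending = pending + line, ""
        match = re.match(r"RUN\s+(.*)", full, re.IGNORECASE)
        if not match:
            continue
        body = match.group(1)
        if body.startswith("["):  # exec form: RUN ["npm","add","sax"]
            body = " ".join(shlex.quote(w) for w in json.loads(body))
        if bad := unpinned_packages(body):
            findings.append((start, bad))
    return findings

if __name__ == "__main__":  # two of the page's non-compliant lines (constructed input)
    print(scan_dockerfile('FROM node:12\nRUN npm i -g @angular/cli\nRUN ["npm","add","sax"]\n'))
```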