--- title: Unpinned package version description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Unpinned package version --- # Unpinned package version {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8` **Cloud Provider:** Common **Platform:** Ansible **Severity:** Low **Category:** Supply-Chain #### Learn More{% #learn-more %} - [Provider Reference](https://ansible.readthedocs.io/projects/lint/rules/package-latest/) ### Description{% #description %} Package installer tasks that set `state: latest` without pinning a `version` or enabling `update_only` can cause unintended upgrades. This may introduce breaking changes, regressions, or service disruptions and make deployments non-reproducible. Ansible package installer modules (for example `apt`, `yum`, `dnf`, `pip`) are checked for the following task properties: `state` must not be `latest` unless a `version` is specified or `update_only` is set to `true`. Tasks with `state: latest` and no `version` and missing or `false` `update_only` are flagged. Remediate by pinning packages to explicit versions for deterministic installs, or set `update_only: true` when you only want to upgrade already-installed packages. Secure example — pin a version: ````yaml - name: Install mypkg at a specific version apt: name: mypkg=1.2.3 state: present ```Secure example — allow only updates to already-installed packages: ```yaml - name: Update installed packages only yum: name: mypkg state: latest update_only: true ```` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml --- - name: Example playbook hosts: localhost tasks: - name: Install Ansible ansible.builtin.yum: name: ansible-2.12.7.0 state: present - name: Install Ansible-lint ansible.builtin.pip: name: ansible-lint state: present version: 5.4.0 - name: Update Ansible with update_only to true ansible.builtin.yum: name: sudo state: latest update_only: true - name: Install nmap community.general.zypper: name: nmap state: present - name: Install package without using cache community.general.apk: name: foo state: present no_cache: true - name: Install apache httpd ansible.builtin.apt: name: apache2 state: present - name: Update Gemfile in another directory community.general.bundler: state: present chdir: ~/rails_project - name: Install a modularity appstream with defined profile ansible.builtin.dnf: name: "@postgresql/client" state: present - name: Install rake community.general.gem: name: rake state: present - name: Install formula foo with 'brew' from cask community.general.homebrew: name: homebrew/cask/foo state: present - name: Install Green Balls plugin community.general.jenkins_plugin: name: greenballs version: present state: present url: http://host_jenkins:8080 username: user_jenkins password: userpass_jenkins register: result - name: Install packages based on package.json community.general.npm: path: /app/location state: present - name: Install nmap community.general.openbsd_pkg: name: nmap state: present - name: Install ntpdate ansible.builtin.package: name: ntpdate state: present - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: present - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: present - name: Install finger daemon community.general.pkg5: name: service/network/finger state: present - name: Install several packages community.general.pkgutil: name: - CSWsudo - CSWtop state: present - name: Install package foo community.general.portage: package: foo state: present - name: Make sure that it is the most updated package community.general.slackpkg: name: foo state: present - name: Make sure spell foo is installed community.general.sorcery: spell: foo state: present - name: Install package unzip community.general.swdepot: name: unzip state: present depot: "repository:/path" - name: Install multiple packages win_chocolatey: name: - procexp - putty - windirstat state: present - name: Install "imagemin" node.js package globally. community.general.yarn: name: imagemin global: true - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) ansible.builtin.yum: name: - nginx - postgresql - postgresql-server state: present - name: Install local rpm file community.general.zypper: name: /tmp/fancy-software.rpm state: present ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml --- - name: Example playbook hosts: localhost tasks: - name: Install Ansible ansible.builtin.yum: name: ansible state: latest - name: Install Ansible-lint ansible.builtin.pip: name: ansible-lint state: latest - name: Install some-package ansible.builtin.package: name: some-package state: latest - name: Install Ansible with update_only to false ansible.builtin.yum: name: sudo state: latest update_only: false - name: Install nmap community.general.zypper: name: nmap state: latest - name: Install package without using cache community.general.apk: name: foo state: latest no_cache: true - name: Install apache httpd ansible.builtin.apt: name: apache2 state: latest - name: Update Gemfile in another directory community.general.bundler: state: latest chdir: ~/rails_project - name: Install a modularity appstream with defined profile ansible.builtin.dnf: name: "@postgresql/client" state: latest - name: Install rake community.general.gem: name: rake state: latest - name: Install formula foo with 'brew' from cask community.general.homebrew: name: homebrew/cask/foo state: latest - name: Install Green Balls plugin community.general.jenkins_plugin: name: greenballs state: latest url: http://host_jenkins:8080 username: user_jenkins password: userpass_jenkins register: result - name: Install packages based on package.json community.general.npm: path: /app/location state: latest - name: Install nmap community.general.openbsd_pkg: name: nmap state: latest - name: Install ntpdate ansible.builtin.package: name: ntpdate state: latest - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: latest - name: Install finger daemon community.general.pkg5: name: service/network/finger state: latest - name: Install several packages community.general.pkgutil: name: - CSWsudo - CSWtop state: latest - name: Install package foo community.general.portage: package: foo state: latest - name: Make sure that it is the most updated package community.general.slackpkg: name: foo state: latest - name: Make sure spell foo is installed community.general.sorcery: spell: foo state: latest - name: Install package unzip community.general.swdepot: name: unzip state: latest depot: "repository:/path" - name: Install multiple packages win_chocolatey: name: - procexp - putty - windirstat state: latest - name: Install "imagemin" node.js package globally. community.general.yarn: name: imagemin global: true state: latest - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) ansible.builtin.yum: name: - nginx - postgresql - postgresql-server state: latest - name: Install local rpm file community.general.zypper: name: /tmp/fancy-software.rpm state: latest ```