I've read the following about the package-lock.json file:
This file is intended to be committed into source repositories, and serves various purposes:
- Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
- Provide a facility for users to “time-travel” to previous states of node_modules without having to commit the directory itself.
- To facilitate greater visibility of tree changes through readable source control diffs.
- And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
See NPMJS docs package-lock.json description.
But in another fragment at the same link I see:
integrity
This is a Standard Subresource Integrity for this resource.
- For bundled dependencies this is not included, regardless of source.
- For registry sources, this is the integrity that the registry provided, or if one wasn’t provided the SHA1 in shasum.
- For git sources this is the specific commit hash we cloned from.
- For remote tarball sources this is an integrity based on a SHA512 of the file.
- For local tarball sources: This is an integrity field based on the SHA512 of the file.
See NPMJS docs package-lock.json dependencies integrity.
Following the link to Standard Subresource Integrity (SRI) I found the following:
1.1. Goals
- Compromise of a third-party service should not automatically mean compromise of every site which includes its scripts. Content authors will have a mechanism by which they can specify expectations for content they load, meaning for example that they could load a specific script, and not any script that happens to have a particular URL.
So I'm wondering why a security purpose is not mentioned/listed in the description of package-lock.json in the NPMJS docs.
Personally I like the idea of using package-lock.json to improve the security of my application as well (by carefully reviewing the actual dependencies that are locked, and changing the lock file checked into my VCS repo at the same time as any changes to my package.json, thereby preventing any tampered dependencies from getting into my app).
But perhaps I'm missing something, and for some reason the lock file can't be used for the security purpose I explained above.