To what end are we maintaining package-lock.json files that are free of security vulnerabilities? Why not just delete them or let them go stale?

package-lock.json stores a set of exact versions for all the dependencies and transitive dependencies that got installed when someone last ran npm update. You are encouraged to commit package-lock.json back to your repo.

The only real consumer of package-lock.json that I can find is npm ci, which reproduces the state defined in package-lock.json exactly so that you can be sure you're running CI on the same dependencies you had on the dev machine that last wrote package-lock.json.

The other thing package-lock.json seems to be used for is producing reams and reams of security warnings. I've got GitHub's Dependabot PR-ing changes to my committed package-lock.json files, and complaining that my package-lock.json is where it "found" other vulnerabilities that it can't automatically fix for me. I suspect these unfixable issues are problems in either my or a dependency's package.json, caused by a maximum version requirement that excludes the fixed version of the offending module, but that's not what Dependabot says:

[Screenshot: Dependabot saying I have a problem with package-lock.json that it can't fix]

If package-lock.json is only used by npm ci, how can a reference to an outdated and vulnerable version of a package there create a vulnerability anywhere except in my CI system? Won't anyone who actually installs the package use package.json to resolve dependencies and hence get fixes for all the vulnerabilities automatically as they are made available (unless I myself have an offending maximum version limit)? Are these PRs to my repo really just suggestions that I and all my users/collaborators run npm update on our machines? If so, what possessed the Dependabot authors to do this via pull request?

If I remove package-lock.json from source control, will that properly resolve package-lock.json-induced vulnerabilities (because the file no longer exists to trick someone into installing old vulnerable versions of my dependencies)? Or will it just render the vulnerability scanners unable to scan my repo (i.e. do they rely on package-lock.json instead of resolving dependencies themselves from package.json) and make me not know when I need to npm update?

Perforate answered 14/8, 2020 at 4:10
Does this answer your question? What is the role of the package-lock.json? – Southwesterly

Not quite. It gives some insight into how package-lock.json was supposed to be used for syncing up developers' machines (which now no longer happens by default with npm install), how it is used for CI, and how you can use it to go back in time. It mentions it being used for packaging releases with all modules included, so I suppose if you release like that instead of just on NPM the vulnerability scanners can help you. But it doesn't give insight into why upping module versions is important enough for all projects to merit a GitHub-integrated bot. – Perforate

I am looking for an answer to this question as well. GitHub security bots keep bumping versions in package-lock.json while package.json remains at the same version and says vulnerabilities are gone. How does this even work? – Euterpe
