missing-or-ignored-dependency-lockfile

Detects projects where lockfiles are missing or ignored in version control, allowing non-deterministic builds with potentially different dependency versions.
zakirkun/ice-tea · ★ 33 · Data & Documents · score 72
Install: claude install-skill zakirkun/ice-tea
# Missing or Ignored Dependency Lockfile

## Overview

Lockfiles (`package-lock.json`, `yarn.lock`, `Pipfile.lock`, `go.sum`, `Gemfile.lock`) pin exact dependency versions. Without them, `npm install` may resolve newer versions that introduce vulnerabilities or malicious code, so two builds of the same commit can ship different dependency trees. Gitignoring lockfiles in application projects is a security anti-pattern.

## Remediation

- Commit lockfiles to version control for all application projects
- Use `npm ci` instead of `npm install` in CI/CD, so the install fails if the lockfile and `package.json` disagree
- Verify lockfile integrity in CI with `--frozen-lockfile` (the equivalent flag for Yarn and pnpm installs)
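The detection the skill describes, written out as an added POSIX shell example (this is not code from the ice-tea project): for each manifest it finds, it reports whether the matching lockfile from the list above is present, missing, or named in `.gitignore`, and exits non-zero if anything needs remediation. The ignore check is a deliberate simplification: it only matches `.gitignore` lines that name the lockfile exactly; in a real repository `git check-ignore` is the authoritative test because it honours globs and nested ignore files.

```sh
#!/bin/sh
# Added example (not part of the ice-tea skill): flag manifests whose
# lockfile is missing or listed in .gitignore.
# Usage: lockfile_audit /path/to/project

# Assumption: a lockfile counts as "ignored" when .gitignore contains a
# line naming it exactly, with or without a leading slash. The real
# `git check-ignore` handles globs and nested .gitignore files and is
# the right tool inside an actual repository.
is_ignored() {
  dir=$1; file=$2
  [ -f "$dir/.gitignore" ] && grep -Fqx -e "$file" -e "/$file" "$dir/.gitignore"
}

# Report one lockfile as "<lockfile> ok|missing|ignored".
# Returns 1 for the two failure states so callers can accumulate a status.
check_lock() {
  dir=$1; lock=$2
  if is_ignored "$dir" "$lock"; then
    echo "$lock ignored"; return 1
  elif [ ! -f "$dir/$lock" ]; then
    echo "$lock missing"; return 1
  fi
  echo "$lock ok"
}

# Scan a project directory. Manifest -> lockfile pairs follow the skill's
# list; package.json accepts either npm's or Yarn's lockfile.
# Exit status is 1 if any manifest lacks a committed lockfile.
lockfile_audit() {
  dir=$1; rc=0
  if [ -f "$dir/package.json" ]; then
    if [ -f "$dir/yarn.lock" ] && ! is_ignored "$dir" yarn.lock; then
      check_lock "$dir" yarn.lock || rc=1
    else
      check_lock "$dir" package-lock.json || rc=1
    fi
  fi
  [ -f "$dir/Pipfile" ] && { check_lock "$dir" Pipfile.lock || rc=1; }
  [ -f "$dir/go.mod" ] && { check_lock "$dir" go.sum || rc=1; }
  [ -f "$dir/Gemfile" ] && { check_lock "$dir" Gemfile.lock || rc=1; }
  return $rc
}
```

Run it as a pre-merge CI step: a non-zero exit blocks the change, and the printed `ignored` or `missing` line tells the author which file to commit or un-ignore. Pair it with `npm ci` or `--frozen-lockfile` in the install step so that a committed lockfile is also the one actually used.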