The secure coding guidelines have been updated to ask contributors not
to use `npx` and `yarn dlx`, because they don't update the lockfile and
leave us more vulnerable to supply-chain attacks.
docs/secure-coding-guidelines.md (3 additions & 1 deletion)
@@ -121,7 +121,9 @@ The guidelines in this policy were gathered primarily from the [OWASP Top 10](ht
121
121
122
122
#### Dependency Integrity
123
123
124
-
- Use a lockfile or pinned dependencies to maintain control over which version of each dependency is used
124
+
- Use a lockfile to maintain control over which version of each dependency is used
125
+
- Do not use `npx` or `yarn dlx`
126
+
- These commands do not update the lockfile, so we have no control over which versions are installed. This leaves us vulnerable to supply-chain attacks.
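Review bot: the new bullets forbid `npx` and `yarn dlx` but give contributors no sanctioned alternative, so this hunk should add one, for example: "Add the tool as a devDependency and invoke it through a package script (`yarn run` / `npm run`), so its version is recorded in the lockfile." The rationale line could also be more precise than "no control over which versions are installed": these commands resolve the package at run time (typically fetching the latest version matching the spec into a temporary location) instead of reading the project lockfile, which is why they bypass the controls the previous bullet establishes. Separately, the first changed line drops "or pinned dependencies" from the existing guidance; if pinned versions without a lockfile are now considered insufficient, that should be stated in the commit message, otherwise the removal looks accidental.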