

@Gudahtt Gudahtt commented Jan 6, 2026

The secure coding guidelines have been updated to ask contributors not to use npx and yarn dlx, because they don't update the lockfile and leave us more vulnerable to supply-chain attacks.

Note (Cursor Bugbot summary)

Strengthens dependency management guidance in docs/secure-coding-guidelines.md.

  • Clarifies Dependency Integrity: use a lockfile (not pinned ranges) to control dependency versions
  • Adds rule to not use npx or yarn dlx, with rationale that they bypass the lockfile and increase supply-chain risk

Written by Cursor Bugbot for commit ac88f40.

@Gudahtt Gudahtt requested a review from a team as a code owner January 6, 2026 20:51
@Gudahtt Gudahtt marked this pull request as draft January 6, 2026 20:51
@Gudahtt Gudahtt force-pushed the add-guideline-about-not-using-npx branch from 294ace1 to 2693171 on January 6, 2026 20:52
The secure coding guidelines have been updated to ask contributors not
to use `npx` and `yarn dlx`, because they don't update the lockfile and
leave us more vulnerable to supply-chain attacks.
@Gudahtt Gudahtt force-pushed the add-guideline-about-not-using-npx branch from 2693171 to ac88f40 on January 6, 2026 20:54
@Gudahtt Gudahtt marked this pull request as ready for review January 6, 2026 20:55
#### Dependency Integrity

- Use a lockfile or pinned dependencies to maintain control over which version of each dependency is used
- Use a lockfile to maintain control over which version of each dependency is used
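Review bot: the new line "Use a lockfile to maintain control over which version of each dependency is used" says what to have but not what makes it binding: a lockfile only pins versions if it is committed and installs refuse to rewrite it, otherwise an install on a developer machine or in CI can silently update it. Suggest extending the bullet to "Use a lockfile, commit it, and install with the lockfile enforced (`yarn install --immutable` or `npm ci`) so that resolved versions cannot change without a reviewed diff", which ties this bullet to the supply-chain rationale given in the PR description.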
@Gudahtt Gudahtt (Member, Author) commented on the changed line:

I removed "or pinned dependencies" because pinning dependencies is not an acceptable alternative to using a lockfile.

Pinning makes sense to do in some situations, but we should always have a lockfile.

@Gudahtt Gudahtt merged commit 2a349ff into main Jan 6, 2026
8 checks passed
@Gudahtt Gudahtt deleted the add-guideline-about-not-using-npx branch January 6, 2026 21:07
@cryptodev-2s cryptodev-2s (Contributor) left a comment

LGTM! Maybe also mention pnpm dlx for completeness, same idea as npx/yarn dlx, and we’re documenting that pattern as “don’t use.”
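The guideline as a repository check, written here as an added example; it is not code from this PR or from the repository it edits. It flags `npx`, `yarn dlx` and `pnpm dlx` (the last as suggested in the comment above) in `package.json` scripts and CI workflow files, and verifies that a lockfile is committed. The file paths, package names, version ranges and sample file contents are constructed for illustration; `yarn install --immutable` and `npm ci` are the real commands that refuse to modify a lockfile during install.

```shell
#!/bin/sh
# Added example, not code from the PR or the repository it modifies.
# It turns the guideline into a repository check: flag ad-hoc package runners
# (npx, yarn dlx, pnpm dlx) in package.json scripts and workflow files, and
# require a committed lockfile. Paths and sample contents are constructed.

# Runners that fetch and execute a package without going through the lockfile.
ADHOC_RUNNER_RE='(^|[^[:alnum:]_-])(npx|yarn[[:space:]]+dlx|pnpm[[:space:]]+dlx)([[:space:]]|$)'

# check_adhoc_runners FILE...: print each offending line as file:line:text.
# Returns 0 when clean, 1 when at least one match was found.
check_adhoc_runners() {
  status=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -HnE "$ADHOC_RUNNER_RE" "$f"; then
      status=1
    fi
  done
  return "$status"
}

# check_lockfile DIR: return 0 if a lockfile for a supported package manager exists.
check_lockfile() {
  for lock in yarn.lock package-lock.json pnpm-lock.yaml; do
    [ -f "$1/$lock" ] && return 0
  done
  echo "$1: no lockfile committed; resolved dependency versions are uncontrolled" >&2
  return 1
}

# run_checks DIR: apply both checks; return 0 only when both pass.
run_checks() {
  check_adhoc_runners "$1/package.json" "$1"/.github/workflows/*.yml
  runners=$?
  check_lockfile "$1"
  lock=$?
  [ "$runners" -eq 0 ] && [ "$lock" -eq 0 ]
}

# Constructed sample repository that violates the guideline in three places
# and has no lockfile at all.
make_sample_repo() {
  repo=$(mktemp -d)
  mkdir -p "$repo/.github/workflows"
  cat > "$repo/package.json" <<'EOF'
{
  "scripts": {
    "changelog": "npx auto-changelog",
    "build": "yarn dlx tsup src/index.ts"
  }
}
EOF
  cat > "$repo/.github/workflows/ci.yml" <<'EOF'
steps:
  - run: yarn install --immutable
  - run: pnpm dlx some-tool --check
EOF
  printf '%s\n' "$repo"
}

# Constructed remediation: the tools become devDependencies resolved through the
# lockfile, and scripts call the binaries the package manager installs under
# node_modules/.bin (on PATH while scripts run). Version ranges are placeholders;
# the empty yarn.lock stands in for the lockfile a real install would write.
remediate_sample_repo() {
  cat > "$1/package.json" <<'EOF'
{
  "scripts": {
    "changelog": "auto-changelog",
    "build": "tsup src/index.ts"
  },
  "devDependencies": {
    "auto-changelog": "^2.0.0",
    "tsup": "^8.0.0"
  }
}
EOF
  cat > "$1/.github/workflows/ci.yml" <<'EOF'
steps:
  - run: yarn install --immutable
  - run: yarn run build
EOF
  : > "$1/yarn.lock"
}

# Stand-alone demonstration: the sample fails, the remediated copy passes.
demo_repo=$(make_sample_repo)
if run_checks "$demo_repo"; then echo "before: clean"; else echo "before: violations found"; fi
remediate_sample_repo "$demo_repo"
if run_checks "$demo_repo"; then echo "after: clean"; else echo "after: violations found"; fi
rm -rf "$demo_repo"
```

Wiring `run_checks .` into a lint step or a pre-commit hook makes the guideline mechanical: a script or workflow step that reaches for `npx`, `yarn dlx` or `pnpm dlx` fails review before a tool outside the lockfile ever runs.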
