lock files and security

My manager just came up to me and said: Is there any reason why you guys are committing .lock files to your repositories?

We tried to tell him what those lock files are for, but he kept saying we should just trust minor versions... It is not secure to put .lock files in your repo, and people just don't run composer update for a long time and then we don't get all needed security updates...

I would very much like to know what other developers have to say about this. Do you also think we should just forget about lock files and just fix all the issues every time you run composer update or yarn update or npm update or whatever you use... ?

He sent me this link also, but I am still not convinced that that should be a reason to not use .lock files anymore...

https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

Please let me know what you people think.
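The linked article treats lockfile entries as a review blind spot: each entry carries a `resolved` download URL and an `integrity` hash, so a change to the lockfile can point a dependency somewhere else unless someone looks at it. Added here as an example that is not from the original post: a small Node script that audits a `package-lock.json` the way a CI step or reviewer could, flagging entries whose `resolved` URL is outside the expected registry or whose `integrity` pin is missing or weak. The trusted host list and the constructed sample lockfile (with `evil.example` as a placeholder host) are assumptions.

```javascript
// Added example, not from the original post: audit an npm package-lock.json for
// dependencies whose tarball source or integrity pin looks wrong (v1 and v2/v3).
const TRUSTED_HOSTS = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);

// Yield [name, entry] pairs from either lockfile layout.
function* lockEntries(lock) {
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== "") yield [path.replace(/^.*node_modules\//, ""), entry];
    }
    return;
  }
  function* walk(deps) { // lockfileVersion 1: transitive deps are nested
    for (const [name, entry] of Object.entries(deps || {})) {
      yield [name, entry];
      yield* walk(entry.dependencies);
    }
  }
  yield* walk(lock.dependencies);
}

// Return findings for a parsed lockfile; an empty list means nothing flagged.
function auditLockfile(lock) {
  const findings = [];
  for (const [name, entry] of lockEntries(lock)) {
    if (entry.link) continue; // workspace symlink, nothing is downloaded
    if (!entry.resolved) {
      findings.push({ name, issue: "no resolved URL" });
      continue;
    }
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch {}
    if (!TRUSTED_HOSTS.has(host)) {
      findings.push({ name, issue: `untrusted source ${entry.resolved}` });
    }
    if (!/^sha(256|512)-/.test(entry.integrity || "")) {
      findings.push({ name, issue: "missing or weak integrity hash" });
    }
  }
  return findings;
}

// Constructed sample: one clean entry, one redirected to a placeholder host.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: { "": { name: "demo" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-placeholder",
    resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  "node_modules/lodash": { version: "4.17.21", integrity: "sha1-placeholder",
    resolved: "https://evil.example/lodash-4.17.21.tgz" } } };

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the build when the returned list is non-empty.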