Pin transitive dependencies with a committed lockfile and frozen installs in CI
Always commit the lockfile and use frozen/locked installs in CI and image builds so the exact dependency tree is reproducible and not re-resolved at deploy time.
Bad example
```
# Dockerfile / CI step
COPY package.json ./
RUN npm install   # re-resolves every ^range from the registry

# or: pnpm-lock.yaml is .gitignored, so installs float freely
# .gitignore
pnpm-lock.yaml
```
Explanation (EN)
`npm install` (or `pnpm install` without a lockfile) re-resolves caret ranges against the live registry at build time, so two builds of the same commit can pull different transitive versions — including a freshly published malicious patch. Ignoring the lockfile removes the only record of the audited tree.
Good example
```
# Commit pnpm-lock.yaml (NOT gitignored)

# Dockerfile / CI step — fail if lockfile is stale or missing
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile

# npm equivalent:  RUN npm ci
# yarn equivalent: RUN yarn install --immutable
```
Explanation (EN)
`pnpm install --frozen-lockfile` (npm `ci`, yarn `--immutable`) installs the exact tree recorded in the committed lockfile and errors out if `package.json` and the lockfile have drifted, guaranteeing the deployed dependency set equals the one that was reviewed and audited.
Exceptions / Tradeoffs (EN)
Local exploratory work where you intentionally add/upgrade packages uses a normal install (which updates the lockfile). The frozen/immutable flag is for CI, image builds, and any non-interactive deploy path.
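A small CI guard that enforces this rule before any install runs, written as an added example (it is not part of the rule library or of any package manager's tooling). It picks the frozen-install command for whichever lockfile is committed, refuses to run if no lockfile exists, and refuses if a `.gitignore` line would hide the lockfile; the `.gitignore` check is a deliberately simple exact-line match, not full gitignore semantics.

```shell
#!/usr/bin/env sh
# ci-frozen-install.sh (hypothetical helper, added example)
# Usage in a CI step:  cmd=$(ci_install .) && $cmd

# Print the frozen/locked install command matching the lockfile in $1.
# Prints nothing and returns 1 when no lockfile is present, so a CI step
# cannot silently fall back to a floating "npm install".
frozen_install_cmd() {
  dir="${1:-.}"
  if [ -f "$dir/pnpm-lock.yaml" ]; then
    printf '%s\n' 'pnpm install --frozen-lockfile'
  elif [ -f "$dir/yarn.lock" ]; then
    printf '%s\n' 'yarn install --immutable'
  elif [ -f "$dir/package-lock.json" ]; then
    printf '%s\n' 'npm ci'
  else
    return 1
  fi
}

# Return 0 if a line in $1/.gitignore names a known lockfile (exact-line
# match, optionally with a leading "/"); otherwise return 1.
lockfile_ignored() {
  dir="${1:-.}"
  [ -f "$dir/.gitignore" ] || return 1
  grep -Eqx '[[:space:]]*/?(pnpm-lock\.yaml|yarn\.lock|package-lock\.json)[[:space:]]*' \
    "$dir/.gitignore"
}

# Guard: fail fast on a gitignored or missing lockfile, else print the
# command the CI step should run.
ci_install() {
  dir="${1:-.}"
  if lockfile_ignored "$dir"; then
    echo "error: a lockfile is listed in .gitignore; commit it" >&2
    return 2
  fi
  cmd="$(frozen_install_cmd "$dir")" || {
    echo "error: no lockfile found; refusing a floating install" >&2
    return 3
  }
  printf '%s\n' "$cmd"
}
```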