@gitlab/untamper-my-lockfile
v2.3.0
Published
Checks if yarn.lock has been tampered with
Downloads
87
Maintainers
Keywords
Readme
untamper-my-lockfile
A tool for checking if yarn.lock
was tampered with.
IMPORTANT: Do not rename the CI template .gitlab-ci-template.yml
or change the visibility of this project. Doing so would break the CI pipelines of projects that "include:" the CI template.
Why
The content of yarn.lock
can be manipulated to resolve a declared dependency to an alternative, attacker-controlled dependencies.
This tool prevents such an attack scenario by checking that dependencies in yarn.lock
are resolved correctly.
Usage
GitLab CI
Please see our instructions in ./templates.
Locally
The safest variant is running this tool in docker:
docker run --volume "$(pwd)/yarn.lock:/tmp/yarn.lock" --rm \
registry.gitlab.com/gitlab-org/frontend/untamper-my-lockfile:main \
untamper-my-lockfile --lockfile /tmp/yarn.lock
Otherwise you need node@10 or newer.
yarn global add '@gitlab/untamper-my-lockfile'
untamper-my-lockfile --lockfile yarn.lock
How it works
In Yarn 1, each entry in yarn.lock
is of the form:
dependency@semver:
version: x.y.z
resolved "https://registry.yarnpkg.com/..."
integrity "hash"
In Yarn 2+, each entry is in YAML form:
"dependency@npm:semver, dependecy@npm:~semver2":
version: x.y.z
resolution: "dependency@npm:x.y.z"
checksum: abcdef123...
This tool iterates over each entry in the lockfile and does:
- Retrieve the package (
dependency
) information information from https://registry.npmjs.org - If the version
x.y.z
doesn't exist on the registry => Warning - If the
resolved
URL orintegrity
hashes do not match against what is published on the registry => Error