security: dependency version pinning — loose caret ranges allow silent vulnerability introduction #10

@SippieCup

Severity

Low

Description

package.json uses caret (^) ranges for dependencies, meaning any future minor or patch update is automatically accepted. If a dependency introduces a vulnerability in a minor/patch release, it will be silently pulled in for users who run npm install / pnpm install without a lockfile.

From package.json:

"dependencies": {
  "@semantic-release/error": "^4.0.0"
},
"peerDependencies": {
  "semantic-release": ">=20"
}

Risk

  • Supply-chain attacks via compromised transitive dependencies
  • Reproducibility issues: two installs at different times may use different dependency versions
  • No automated notification when dependencies have known CVEs

Recommended Fix

  1. Add Dependabot or Renovate to automatically open PRs when dependencies have updates or known vulnerabilities
  2. Add a pnpm audit step to CI that fails on high/critical CVEs
  3. Consider tightening to ~ (tilde) ranges for production dependencies to limit to patch updates only

Add to .github/workflows/ (example for Dependabot):

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "security"

And add to CI:

- name: Audit dependencies
  run: pnpm audit --audit-level=high

AI Fix Prompt

Set up automated dependency security monitoring for this repository.

Changes needed:
1. Create .github/dependabot.yml that configures Dependabot to check npm dependencies weekly and apply the "security" label to its PRs.
2. In the existing CI workflow file (check .github/workflows/ for the current workflow), add a step that runs "pnpm audit --audit-level=high" after dependency installation. This step should fail the build if any high or critical vulnerabilities are found.
3. Do not change dependency version ranges in package.json — leave that decision to the maintainer.
4. Keep the dependabot.yml minimal — just ecosystem, directory, schedule, and labels.
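An added example, not part of the issue or of the project it was filed against: a small Node.js check that classifies the version ranges in a package.json into exact, tilde (patch-only), caret (minor and patch accepted) and open (unbounded or wildcard), and lists the entries that would float to a new minor version. The package.json object is a constructed sample shaped like the fragment quoted above; in CI the same function would read the real file and exit non-zero when findings are present.

```javascript
'use strict';

// Added example (not the project's own code). Classifies npm version ranges so
// a CI step can flag dependencies that will silently accept minor updates.

const RANGE_CLASSES = {
  exact: 'pinned to one version, no automatic updates',
  tilde: 'patch updates only',
  caret: 'minor and patch updates accepted automatically',
  open: 'unbounded, wildcard, or otherwise unrecognised range',
};

// Classify one range string. Only the common spellings are recognised; anything
// else (">=20", "*", "1.x", "~1" which also admits minor updates) is treated as
// "open" so that the check fails closed rather than open.
function classifyRange(range) {
  const r = String(range).trim();
  if (/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(r)) return 'exact';
  if (/^~\d+\.\d+(\.\d+)?$/.test(r)) return 'tilde';
  if (/^\^\d+(\.\d+){0,2}$/.test(r)) return 'caret';
  return 'open';
}

// Walk the sections this package controls and return entries whose class is in
// `disallowed`. peerDependencies are skipped: the consuming project, not this
// package, decides which version is actually installed.
function findLooseRanges(pkg, disallowed = ['caret', 'open']) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const cls = classifyRange(range);
      if (disallowed.includes(cls)) findings.push({ section, name, range, cls });
    }
  }
  return findings;
}

// Print one line per finding and return the count (0 means the check passes).
function report(pkg) {
  const findings = findLooseRanges(pkg);
  for (const f of findings) {
    console.log(`${f.section}.${f.name}: "${f.range}" is ${f.cls} (${RANGE_CLASSES[f.cls]})`);
  }
  return findings.length;
}

// Constructed sample in the shape of the quoted package.json; "example-lib" and
// "pinned-lib" are made-up names used to exercise the other classes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@semantic-release/error': '^4.0.0',
    'example-lib': '~1.2.0',
    'pinned-lib': '2.0.1',
  },
  peerDependencies: { 'semantic-release': '>=20' },
};

report(SAMPLE_PACKAGE_JSON);
```

In a real CI step the call would be `process.exitCode = report(JSON.parse(fs.readFileSync('package.json', 'utf8'))) ? 1 : 0`, which turns any finding into a failed build alongside the `pnpm audit` step; a tilde range such as `~1.2.0` passes, while the caret range on `@semantic-release/error` is the single line the sample reports.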

Metadata

Labels: security (Security vulnerability or concern)