ViralTopic

Lockfiles and npm ci discipline

March 31, 2026 · Kuba Gretzky

Kuba Gretzky pushes strict lockfile usage, saying package-lock.json is the only version-locking enforcement mechanism and recommending npm ci over npm install.

Today is another package-lock.json appreciation day!
Make sure you always commit your project with the package-lock.json file.
It is the ONLY version locking enforcement mechanism.
Use npm ci instead of npm install.
Kuba Gretzky
Tags: supply-chain, npm, lockfiles
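As an added example (not code from the post, and not npm's own implementation), a simplified Python check of what npm ci enforces and npm install does not: every dependency declared in package.json must be pinned in package-lock.json with a version and an integrity hash, and the lockfile's root entry must still agree with package.json. The manifest and lockfile below are constructed samples; real npm ci additionally checks that each pinned version satisfies the declared semver range.

```python
import json

# Constructed sample manifest, not from any real project.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.0.0"}
}"""

# Constructed sample lockfile (lockfileVersion 3 layout). The integrity value
# is a placeholder; "lodash" deliberately lacks one and "jest" is absent, to
# show the two failure modes a lockfile gate should catch.
PACKAGE_LOCK = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"},
         "devDependencies": {"jest": "^29.0.0"}},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}
  }
}"""


def declared_deps(manifest_like):
    """Merge dependencies and devDependencies into one name -> range map."""
    deps = {}
    for field in ("dependencies", "devDependencies"):
        deps.update(manifest_like.get(field, {}))
    return deps


def lockfile_gaps(package_json_text, package_lock_text):
    """Return {name: problem} for every way the lockfile fails to pin the manifest."""
    manifest = json.loads(package_json_text)
    packages = json.loads(package_lock_text).get("packages", {})
    gaps = {}
    for name in declared_deps(manifest):
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            gaps[name] = "missing from lockfile"
        elif not entry.get("version") or not entry.get("integrity"):
            gaps[name] = "no integrity hash"
    # Drift: someone edited package.json ranges without regenerating the lock.
    if declared_deps(packages.get("", {})) != declared_deps(manifest):
        gaps["<root>"] = "package.json and lockfile root entry disagree"
    return gaps


if __name__ == "__main__":
    for name, problem in lockfile_gaps(PACKAGE_JSON, PACKAGE_LOCK).items():
        print(f"{name}: {problem}")
```

A non-empty result is the condition under which npm ci refuses to install, which is exactly why the post prefers it to npm install.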
