lockfile
Safeguard articles tagged "lockfile" — guides, analysis, and best practices for software supply chain and application security.
4 articles
node-ipc Compromised Again (14 May 2026): An 80 KB Credential Stealer in a 10M-Download Library
On 14 May 2026, three malicious node-ipc versions (9.1.6, 9.2.3, 12.0.1) shipped an 80 KB credential-stealing IIFE appended after module.exports in the CJS bundle — no install scripts, harvesting 90+ secret categories from a library with 10M+ weekly downloads.
What Is a Lockfile?
A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.
Bundler Lockfile Security Practices
How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in Bundler 2.5's expanded lockfile format.
npm Lockfile Injection Attacks: How Tampered package-lock.json Files Compromise Builds
Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.