Merged
Conversation
Gudahtt
force-pushed
the
add-guideline-about-not-using-npx
branch
from
294ace1 to
2693171
Compare
The secure coding guidelines have been updated to ask contributors not to use `npx` and `yarn dlx`, because they don't update the lockfile and leave us more vulnerable to supply-chain attacks.
Gudahtt
force-pushed
the
add-guideline-about-not-using-npx
branch
from
2693171 to
ac88f40
Compare
Mrtenz
approved these changes
Jan 6, 2026
Gudahtt
commented
Jan 6, 2026
| #### Dependency Integrity | ||
|
|
||
| - Use a lockfile or pinned dependencies to maintain control over which version of each dependency is used | ||
| - Use a lockfile to maintain control over which version of each dependency is used |
Member
Author
There was a problem hiding this comment.
I removed "or pinned dependencies" because pinning dependencies is not an acceptable alternative to using a lockfile.
Pinning makes sense to do in some situations, but we should always have a lockfile.
cryptodev-2s
approved these changes
Jan 6, 2026
Contributor
cryptodev-2s
left a comment
cryptodev-2s
left a comment
There was a problem hiding this comment.
LGTM! Maybe also mention pnpm dlx for completeness, same idea as npx/yarn dlx, and we’re documenting that pattern as “don’t use.”
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The secure coding guidelines have been updated to ask contributors not to use
npxandyarn dlx, because they don't update the lockfile and leave us more vulnerable to supply-chain attacks.Note
Strengthens dependency management guidance in
docs/secure-coding-guidelines.md.Dependency Integrity: use a lockfile (not pinned ranges) to control dependency versionsnpxoryarn dlx, with rationale that they bypass the lockfile and increase supply-chain riskWritten by Cursor Bugbot for commit ac88f40. This will update automatically on new commits. Configure here.