Why Lockfiles Matter for Supply Chain Security

Lockfiles play a vital role in securing the software supply chain through consistent dependency management. They specify the exact versions of dependencies used, ensuring reproducibility and avoiding unexpected changes.

In a fast-paced development environment filled with open-source libraries and third-party packages, lockfiles act as a defense against supply chain attacks. By locking dependencies to specific versions, they prevent automatic updates to potentially compromised versions.

Many development teams overlook lockfiles, failing to utilize their full potential. This article highlights the importance of lockfiles in ensuring software project integrity and security.

Understanding Lockfiles

Lockfiles are files that capture the exact versions of each dependency and their sub-dependencies in a project. They ensure uniformity in dependency versions across all instances of a project, preventing "dependency hell" and potential security risks.

Lock files are different for each language and can differ depending on frameworks but generally follow similar formats.

Javascript - yarn.lock

lodash@^4.17.15:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#acfcd7438b5d260f06a1d052c2a3b32ddc91c6b8"
  integrity sha512-v2kDE6syb5rK+X8bykjh3W7n4P3NV8axFypa8DwO8DK+RVZk9vft6xEhjxzIlc6DCwCPkMKSk4eQF6QNHOu9pw==

react@^17.0.1:
  version "17.0.2"
  resolved "https://registry.yarnpkg.com/react/-/react-17.0.2.tgz#cdc8d94b0d7091f440c51d1427ff2a3d6e14e664"
  integrity sha512-y8vQ43+qMOpbD/3k1Vw4E4i4UgFqxMwI0AZc5fxyIfZK4kHRZ5Klg5zh/5Nq1Nk3JZqf6byFAkyoGZkbSnYt9w==

Python - poetry.lock

[[package]]
name = "requests"
version = "2.25.1"
description = "Python HTTP for Humans."
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"

[package.dependencies]
certifi = ">=2017.4.17"
chardet = ">=3.0.2,<5"
idna = ">=2.5,<3"
urllib3 = ">=1.21.1,<1.27"

This entry specifies the package name (click), the accepted hashes, and the exact version (8.0.3). Such specificity ensures consistent installations across development, testing, and production environments.

Package managers generate lockfiles during dependency installation or updates. It's essential to commit these files to version control with the project’s source code. This practice ensures that all project contributors use identical dependencies, reducing inconsistencies and making builds more predictable.

Different languages and package managers have their own lockfile formats: Node.js uses package-lock.json for npm, Python uses Pipfile.lock for Pipenv, and Ruby uses Gemfile.lock for Bundler. Using lockfiles helps maintain a consistent and secure project foundation, reducing risks associated with dependency management.

Defending Against Supply Chain Attacks

Supply chain attacks on open-source dependencies are increasingly common. Attackers might compromise a popular library, injecting malicious code that spreads to dependent projects. Lockfiles provide a strong defense against these attacks.

By specifying exact dependency versions, lockfiles prevent automatic updates to potentially compromised versions. This is crucial when vulnerabilities are identified in dependencies. With lockfiles, projects remain stable with known secure versions until the team decides to update after thorough testing.

Below is an example of a package-lock.json file used in Node.js projects to lock specific dependency versions. This ensures that everyone working on the project installs the exact same versions, promoting consistency and security.

{
  "name": "my-project",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "my-project",
      "version": "1.0.0",
      "dependencies": {
        "lodash": "4.17.21",
        "axios": "0.21.1"
      }
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDE6syb5rK+X8bykjh3W7n4P3NV8axFypa8DwO8DK+RVZk9vft6xEhjxzIlc6DCwCPkMKSk4eQF6QNHOu9pw=="
    },
    "node_modules/axios": {
      "version": "0.21.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",
      "integrity": "sha512-pbkHfFgC6F4ltGeoyTeHRtUkZo/FZ9EoElV3MzDLeO2uYxLqGm6Qcbx93jUOJISyYSC/tzjK4NHH3MAYsDKUTA==",
      "dependencies": {
        "follow-redirects": "^1.10.0"
      }
    },
    "node_modules/follow-redirects": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
      "integrity": "sha512-0gh4nEbdUdDra9mJKpAB+Y4gG61sQiKsbiqS8c5LEnFOh8fbov3/xp0FnWE2+IxKTozhJSdEV8ujvQjU+Ub3dg=="
    }
  },
  "dependencies": {
    "lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDE6syb5rK+X8bykjh3W7n4P3NV8axFypa8DwO8DK+RVZk9vft6xEhjxzIlc6DCwCPkMKSk4eQF6QNHOu9pw=="
    },
    "axios": {
      "version": "0.21.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",
      "integrity": "sha512-pbkHfFgC6F4ltGeoyTeHRtUkZo/FZ9EoElV3MzDLeO2uYxLqGm6Qcbx93jUOJISyYSC/tzjK4NHH3MAYsDKUTA==",
      "requires": {
        "follow-redirects": "^1.10.0"
      }
    },
    "follow-redirects": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
      "integrity": "sha512-0gh4nEbdUdDra9mJKpAB+Y4gG61sQiKsbiqS8c5LEnFOh8fbov3/xp0FnWE2+IxKTozhJSdEV8ujvQjU+Ub3dg=="
    }
  }
}

What This File Does

• Locks Specific Versions:
  It locks lodash at version 4.17.21 and axios at 0.21.1. No matter when or where you install this project, these exact versions will be used—preventing accidental updates to versions that may contain breaking changes or security issues.
• Captures Dependency Tree:
  It includes nested dependencies, like follow-redirects, which is used internally by axios.
• Supports Security Tools:
  Tools like Aikido use this lockfile to scan for known vulnerabilities. Since the file contains resolved URLs and version hashes, scanners can:
  • Precisely identify risky packages.
  • Recommend patched or safe alternatives.
  • Track changes to dependencies over time.

Risks of Ignoring Lockfiles

Neglecting lockfiles can destabilize and compromise software projects. Without lockfiles, dependency versions may vary across environments, leading to inconsistencies that complicate debugging. These variations can cause elusive bugs, delaying projects and increasing maintenance burdens.

Without a lockfile, tracking dependencies becomes challenging. The absence of a clear record makes it difficult to determine which versions are used, complicating supply chain management. In the event of a vulnerability, developers struggle to identify risky dependencies quickly, delaying response times.

Automatic updates pose significant risks when lockfiles are absent. Uncontrolled updates can introduce compromised packages, exposing projects to security breaches. Even reputable libraries can harbor hidden threats, making lockfile oversight crucial for maintaining a secure codebase.

Best Practices for Using Lockfiles

Integrate lockfiles into your development workflow to fully benefit from them. Including lockfiles in version control establishes a single source of truth for dependencies, promoting a consistent development environment. This approach reduces unwanted variations and enhances production reliability.

Regularly updating and reviewing lockfiles is vital for early threat detection. This proactive strategy helps teams address vulnerabilities quickly, maintaining a strong security posture. Utilize tools for continuous dependency assessment to automate risk detection within the software supply chain.

Anchoring dependencies to specific versions in manifest files adds security. This practice complements lockfiles and serves as a safety net in case of discrepancies. Educating development teams about the importance of lockfiles reinforces diligent dependency management, enhancing overall security.

Keeping Dependencies Updated with Lockfiles

Keeping dependencies current requires combining automation with thorough review. Routine lockfile updates should be part of development cycles, incorporating the latest enhancements and security fixes while preserving consistency. Regular updates minimize unexpected interruptions and strengthen security.

Automated tools like Dependabot help manage updates by generating pull requests for new dependency versions. These tools provide continuous monitoring, enabling timely updates and allowing teams to focus on other tasks. However, it’s crucial to review changes to ensure they meet project needs and avoid issues.

Developing a manual lockfile update process is also essential. Deploy updated dependencies in a test environment to assess impact and compatibility. This approach prevents disruptions and maintains coherence, minimizing risks from frequent version changes.

Incorporating lockfiles into your development process strengthens your software supply chain against evolving security threats. Adopting best practices and fostering dependency awareness within your team are key to maintaining a robust codebase. Ready to enhance your supply chain security? Start for free with Aikido and simplify your security journey.