Node.js offers various package managers—npm, Yarn, PNPM, Bun—that produce lockfiles. CybeDefend’s SCA scanner relies on these files to accurately identify your app’s dependencies.

Lockfile Examples

  1. npm: package-lock.json or npm-shrinkwrap.json
  2. Yarn: yarn.lock
  3. PNPM: pnpm-lock.yaml, pnpm-lock.yml
  4. Bun: bun.lock, bun.lockb

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.

  1. Supply Chain Protection
    Lockfiles prevent malicious package injections. This is crucial as supply chain attacks are rising.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With dependency versions locked, build tools skip the usual resolution step, making builds faster.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.

  1. Install Dependencies
    e.g., npm install, yarn install, or pnpm install.
  2. Commit the Generated Lockfile
    This ensures your entire dev team and CybeDefend use identical dependencies.
  3. Avoid Manual Edits
    Let the package manager handle the lockfile; do not modify it by hand.

Supported Files for Node

File Examples
npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml, bun.lock, bun.lockb, deno.lock, libman.json, package.json, package-lock.json

Pin or lock versions in dependencies rather than devDependencies if you want to ensure full coverage for production packages.