DEP01 Unpinned Dependencies
What this means
SiteShadow found dependencies specified without exact version pins (or without a lockfile), which can cause your build to pull different code over time.
Why it matters
Unpinned dependencies can introduce breaking changes or supply-chain risk without warning.
- Reproducibility breaks: CI/builds become "works on my machine."
- Unexpected vulnerabilities: you may pull a compromised or vulnerable release.
- Emergency rollbacks get harder when the exact dependency set isn't known.
Safer examples
1) Commit lockfiles
package-lock.json / pnpm-lock.yaml / yarn.lock (npm, pnpm, yarn), poetry.lock / Pipfile.lock (Python), Gemfile.lock (Ruby)
2) Pin versions (or use ranges + lockfile)
{
  "dependencies": {
    "express": "4.18.3"
  }
}
3) Automate updates safely
Use Renovate/Dependabot with review + CI, so updates are deliberate and visible.
How SiteShadow detects it (high level)
- Parses dependency manifests for broad ranges (*, latest, unbounded >=) and for missing lockfiles.
- Flags dependency specs that make builds non-reproducible or high-risk.
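The detection rules above, written out as an added example (this is not SiteShadow's own code): a small Python audit that classifies npm and pip version specifiers as pinned, bounded range, unbounded or wildcard, and applies the policy from "Safer examples" that a range is acceptable only when a lockfile is committed. The package names, version specs and file lists in the sample inputs are constructed for the example, and the function names are assumptions.

```python
import json
import re

# Lockfiles per ecosystem (names taken from the "Commit lockfiles" list above).
LOCKFILES = {
    "npm": ("package-lock.json", "pnpm-lock.yaml", "yarn.lock"),
    "pip": ("poetry.lock", "Pipfile.lock"),
}

EXACT_SEMVER = re.compile(r"^=?v?\d+\.\d+\.\d+$")


def classify_npm_spec(spec: str) -> str:
    """Classify an npm version spec as pinned, range, unbounded or wildcard."""
    s = spec.strip()
    if s in ("", "*", "latest", "x"):
        return "wildcard"
    if EXACT_SEMVER.match(s):
        return "pinned"
    if s.startswith(">") and "<" not in s:
        return "unbounded"          # e.g. ">=4": every future major is accepted
    if s.startswith(("^", "~")) or ".x" in s or "<" in s or " - " in s or "||" in s:
        return "range"              # bounded; reproducible only with a lockfile
    return "wildcard"               # git/file/tag specs: treated as non-reproducible


def classify_pip_spec(line: str):
    """Return (name, spec, category) for one requirements.txt line, or None to skip."""
    req = line.split("#", 1)[0].strip()
    if not req or req.startswith("-"):
        return None                 # blank, comment-only, or an option such as -r/-e
    m = re.match(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(.*)$", req)
    if not m:
        return None
    name, spec = m.group(1), m.group(2).strip()
    if spec == "":
        return name, req, "wildcard"
    if spec.startswith("=="):
        return name, req, "pinned"
    if spec.startswith(">") and "<" not in spec:
        return name, req, "unbounded"
    return name, req, "range"       # ~=, <, or a bounded >=...,< pair


def missing_lockfiles(project_files) -> list:
    """Ecosystems for which none of the known lockfiles is present."""
    return [eco for eco, names in LOCKFILES.items()
            if not any(n in project_files for n in names)]


def audit(package_json_text: str, requirements_text: str, project_files) -> list:
    """Return (ecosystem, name, spec, category) for every spec that should be flagged.

    Wildcard and unbounded specs are always flagged; a bounded range is flagged
    only when the ecosystem has no committed lockfile to make it reproducible.
    """
    no_lock = set(missing_lockfiles(project_files))
    findings = []

    manifest = json.loads(package_json_text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            cat = classify_npm_spec(spec)
            if cat in ("wildcard", "unbounded") or (cat == "range" and "npm" in no_lock):
                findings.append(("npm", name, spec, cat))

    for line in requirements_text.splitlines():
        parsed = classify_pip_spec(line)
        if parsed is None:
            continue
        name, spec, cat = parsed
        if cat in ("wildcard", "unbounded") or (cat == "range" and "pip" in no_lock):
            findings.append(("pip", name, spec, cat))
    return findings


# Constructed sample inputs (not taken from any real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.18.3", "lodash": "*", "debug": ">=4", "chalk": "^5.3.0"},
    "devDependencies": {"jest": "latest"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\nflask\nurllib3>=1.26\npyyaml~=6.0  # compat range\n"
SAMPLE_FILES = {"package.json", "package-lock.json", "requirements.txt"}

if __name__ == "__main__":
    for eco in missing_lockfiles(SAMPLE_FILES):
        print(f"DEP01 {eco}: no lockfile committed")
    for eco, name, spec, cat in audit(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS, SAMPLE_FILES):
        print(f"DEP01 {eco}: {name} {spec!r} is {cat}")
```

On the sample project the npm side has a lockfile, so `chalk: ^5.3.0` passes while `lodash: *`, `debug: >=4` and `jest: latest` are flagged; the Python side has no lockfile, so `pyyaml~=6.0` is flagged alongside the unpinned `flask` and the unbounded `urllib3>=1.26`. Anything the classifier does not recognise (git URLs, local paths, dist-tags) is treated as non-reproducible rather than silently accepted.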
References
- OWASP Top 10: https://owasp.org/Top10/