SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

DEP01 Unpinned Dependencies

What this means

SiteShadow found dependencies specified without exact version pins (or without a lockfile), which can cause your build to pull different code over time.

Why it matters

Unpinned dependencies can introduce breaking changes or supply-chain risk without warning.

Safer examples

1) Commit lockfiles

2) Pin versions (or use ranges + lockfile)

{
  "dependencies": {
    "express": "4.18.3"
  }
}

3) Automate updates safely

Use Renovate/Dependabot with review + CI, so updates are deliberate and visible.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.