
Missing lockfile - Alert - Socket

Severity

High

Short Description

A manifest file (e.g. package.json, Gemfile, pyproject.toml) was found without a corresponding lockfile. A manifest usually declares version ranges rather than exact versions, so without a lockfile each install resolves those ranges anew against the registry. Resolution is therefore non-deterministic: two installs of the same commit can pull different versions, including a newly published (potentially malicious or hijacked) release that still satisfies the range.

Suggestion

Add a lockfile (e.g. package-lock.json, yarn.lock, Gemfile.lock, poetry.lock) to your repository and commit it to version control. A committed lockfile only helps if installs actually honour it, so have CI and deployments install from the lockfile (for example `npm ci` rather than `npm install`, which fails if package.json and package-lock.json have drifted apart). This gives deterministic dependency resolution and protects against version drift and substitution attacks; it does not by itself vet the versions that are pinned, so review lockfile changes like any other code change.
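The check this alert describes, as an added example that is not Socket's own scanner: a POSIX sh function that walks a repository, finds the manifests named above and reports any whose directory holds none of the accepted lockfiles. The manifest/lockfile pairs follow the alert text; treating npm-shrinkwrap.json and pnpm-lock.yaml as further valid npm-ecosystem lockfiles, and only expecting poetry.lock from a pyproject.toml that contains a `[tool.poetry]` table, are assumptions made here to keep false positives down. The fixture tree is constructed for the demo.

```shell
#!/bin/sh
# Added example (not Socket's code): report manifests with no lockfile beside them.

# has_lock DIR LOCK... -> 0 if any of the named lockfiles exists in DIR
has_lock() {
  dir=$1; shift
  for lock in "$@"; do
    [ -f "$dir/$lock" ] && return 0
  done
  return 1
}

# check_lockfiles ROOT -> prints "missing lockfile: <manifest>" per offender,
# returns 1 if any were found, 0 if every manifest is locked.
check_lockfiles() {
  # Skip installed/vendored trees: their package.json files are not ours to lock.
  missing=$(find "$1" \( -name node_modules -o -name .git -o -name vendor \) -prune -o \
      \( -name package.json -o -name Gemfile -o -name pyproject.toml \) -type f -print |
    while IFS= read -r manifest; do
      dir=$(dirname "$manifest")
      case $(basename "$manifest") in
        package.json)
          # Any one of these proves the npm/yarn/pnpm tree was locked (assumption: all accepted).
          locks="package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml" ;;
        Gemfile)
          locks="Gemfile.lock" ;;
        pyproject.toml)
          # Assumption: only Poetry-managed projects are expected to ship poetry.lock.
          grep -q '^\[tool\.poetry\]' "$manifest" || continue
          locks="poetry.lock" ;;
      esac
      has_lock "$dir" $locks || printf '%s\n' "$manifest"
    done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing" | sed 's/^/missing lockfile: /'
  return 1
}

# make_fixture -> prints the path of a constructed sample tree:
#   web/   locked npm project (plus a node_modules entry that must be pruned)
#   api/   Gemfile without Gemfile.lock          -> reported
#   tool/  Poetry pyproject.toml without poetry.lock -> reported
#   lib/   non-Poetry pyproject.toml             -> ignored
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/web/node_modules/x" "$root/api" "$root/tool" "$root/lib"
  printf '{"name":"web","dependencies":{"left-pad":"^1.0.0"}}\n' > "$root/web/package.json"
  printf '{"name":"web","lockfileVersion":3}\n' > "$root/web/package-lock.json"
  printf '{"name":"x"}\n' > "$root/web/node_modules/x/package.json"
  printf 'source "https://rubygems.org"\ngem "rake"\n' > "$root/api/Gemfile"
  printf '[tool.poetry]\nname = "tool"\n' > "$root/tool/pyproject.toml"
  printf '[project]\nname = "lib"\n' > "$root/lib/pyproject.toml"
  printf '%s\n' "$root"
}

# Usage: ./check_lockfiles.sh [REPO_DIR]; with no argument, run against the fixture.
if [ -n "${1:-}" ]; then
  check_lockfiles "$1"
else
  fixture=$(make_fixture)
  check_lockfiles "$fixture"
  rm -rf "$fixture"
fi
```

Run on the fixture this prints two `missing lockfile:` lines (api/Gemfile and tool/pyproject.toml) and exits 1, which makes it usable as a CI gate; the locked web/ project and the pruned node_modules copy are silent.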