Will It Vibe?
SEC-019Medium severity-8 points

Unpinned dependency version

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

package.json declares a dependency with '*' or 'latest' as its version, which can silently pull in breaking or malicious updates.

Why it matters

A dependency pinned to '*' or 'latest' resolves to whatever the registry serves on install day, so a fresh clone or CI run can pull a breaking release or a hijacked package version without any change in your repo. Supply-chain attacks specifically target projects that auto-adopt new versions. Lockfiles help, but only where they exist and are honored.

How to fix it

Replace '*' and 'latest' in package.json with a caret range for the version you actually run: check the lockfile or node_modules for the installed version, then write ^x.y.z. Commit the refreshed lockfile. Pair pinning with npm audit or a dependency update bot so versions do not go stale.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks