Unpinned dependency version
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
package.json declares a dependency with '*' or 'latest' as its version, which can silently pull in breaking or malicious updates.
Why it matters
A dependency pinned to '*' or 'latest' resolves to whatever the registry serves on install day, so a fresh clone or CI run can pull a breaking release or a hijacked package version without any change in your repo. Supply-chain attacks specifically target projects that auto-adopt new versions. Lockfiles help, but only where they exist and are honored.
How to fix it
Replace '*' and 'latest' in package.json with a caret range for the version you actually run: check the lockfile or node_modules for the installed version, then write ^x.y.z. Commit the refreshed lockfile. Pair pinning with npm audit or a dependency update bot so versions do not go stale.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo