Pin and verify dependency integrity with a lockfile

Pin and verify dependency integrity with a lockfile | BeforeMerge Rules | BeforeMerge

Why this matters

Without a committed lockfile, builds resolve dependency versions non-deterministically and skip integrity hashes, opening the door to supply-chain tampering. npm ci installs the exact, hash-verified tree from the lockfile.

# Bad: floating versions, no integrity check
npm install
 
# Good: deterministic, integrity-verified install
npm ci

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters