
Rule Reference

SEC756 | lintai-dep-vulns | advisory | security | preview | workspace | warn

Dependency vulnerability: installed npm package version

Installed npm dependency version matches an offline vulnerability advisory

Public lane: advisory
Category: security
Provider: lintai-dep-vulns
Scope: workspace
Surface: workspace
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: suggestion
How to read this lane

Installed-package advisory review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Initial advisory snapshot coverage is intentionally small in the first release and needs broader snapshot discipline before Stable.

Promotion requirements

Needs larger advisory snapshot coverage, cross-lockfile corpus proof, and stable review of package/version matching before promotion to Stable.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Committed lockfiles record the exact dependency versions that a workspace installs. When an installed npm package version falls inside the affected range of a known offline advisory, the repository is carrying a concrete supply-chain risk, not a speculative finding inferred from loose package.json version ranges.

What Triggers

SEC756 scans committed package-lock.json, npm-shrinkwrap.json, and pnpm-lock.yaml files and matches installed npm package versions against the active offline advisory snapshot, which is bundled by default with lintai-dep-vulns.

False Positives

This first release is intentionally narrow. It only reports package versions that match deterministic affected-version ranges from the active offline advisory snapshot, and it does not guess from package.json ranges or use live network lookups during scan.

If a committed lockfile records an advisory-tracked package with an invalid installed version string, the advisory provider fails closed with a runtime error instead of silently skipping that package.
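The matching and fail-closed behaviour described above, as an added example rather than lintai-dep-vulns' own code: it reads a lockfileVersion 2/3 package-lock.json (or npm-shrinkwrap.json, which shares the format), takes every installed package from the "packages" map, and compares each version against a constructed advisory snapshot whose entries carry explicit comparator ranges. The lockfile, the advisory IDs (DEMO-0001, DEMO-0002) and the package names are all constructed for the example; pnpm-lock.yaml is not handled here. An unparsable version string on an advisory-tracked package throws instead of being skipped.

```javascript
// Added example, not part of lintai-dep-vulns. Scans a package-lock.json v2/v3 "packages"
// map against an offline advisory snapshot and reports SEC756-style findings.

// Constructed sample lockfile, embedded so the example runs offline.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-lib": "^1.0.0" } },
    "node_modules/example-lib": { version: "1.2.3" },
    "node_modules/example-lib/node_modules/inner-util": { version: "0.9.0" },
    "node_modules/other-pkg": { version: "2.0.0" },
  },
});

// Constructed advisory snapshot with hypothetical IDs and packages (not real advisories).
const ADVISORY_SNAPSHOT = [
  { id: "DEMO-0001", name: "example-lib", range: ">=1.0.0 <1.2.4", fixed: "1.2.4" },
  { id: "DEMO-0002", name: "inner-util", range: "<1.0.0", fixed: "1.0.0" },
];

// Strict semver parse: throws on anything that is not MAJOR.MINOR.PATCH[-pre][+build].
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(s);
  if (!m) throw new Error(`invalid semver version string: ${JSON.stringify(s)}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence: numeric core first, then a release outranks any prerelease of it,
// then prerelease identifiers compared left to right (numeric < alphanumeric).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Range grammar kept small on purpose: space-separated comparators that must all hold.
// No caret/tilde shorthand, since the snapshot records explicit affected bounds.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)(.+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compareVersions(v, parseVersion(m[2]));
    return { ">=": cmp >= 0, "<=": cmp <= 0, ">": cmp > 0, "<": cmp < 0, "=": cmp === 0 }[m[1]];
  });
}

// The key of each "packages" entry is the install path, so the package name is whatever
// follows the last "node_modules/" (this also handles scoped names like @scope/pkg).
function installedPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) throw new Error("no packages map (lockfileVersion 1 is not handled here)");
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || entry.link) continue; // root project and workspace symlinks
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    out.push({ name, version: entry.version, path: key });
  }
  return out;
}

// Returns one finding per (installed package, matching advisory). The install path is
// kept so a transitive dependency that pins the vulnerable version can be traced.
function scanLockfile(lockfileText, snapshot) {
  const findings = [];
  for (const pkg of installedPackages(lockfileText)) {
    for (const adv of snapshot) {
      if (adv.name !== pkg.name) continue;
      // parseVersion throws on a bad version string: fail closed, do not skip the package.
      if (satisfies(pkg.version, adv.range)) {
        findings.push({ rule: "SEC756", advisory: adv.id, name: pkg.name,
          version: pkg.version, path: pkg.path, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

for (const f of scanLockfile(SAMPLE_LOCKFILE, ADVISORY_SNAPSHOT)) {
  console.log(`${f.rule} ${f.advisory}: ${f.name}@${f.version} at ${f.path} (fixed in ${f.fixed})`);
}
```

On the sample lockfile this reports example-lib@1.2.3 (top level) and inner-util@0.9.0 (nested under example-lib); other-pkg has no advisory and produces nothing. Only packages that an advisory actually tracks go through parseVersion, which mirrors the provider's behaviour of erroring on a bad version string for a tracked package rather than silently dropping it.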

Remediation

Upgrade the affected package to a version outside the advisory's affected range (typically the fixed version the advisory records), regenerate the lockfile, and review any transitive dependency path that keeps the vulnerable version installed; npm ls <package> or pnpm why <package> shows which dependents pin it.