
Rule Reference

SEC756 (lintai-dep-vulns, preview, workspace, warn)

Dependency vulnerability: installed npm package version

Installed npm dependency version matches an offline vulnerability advisory

Provider
lintai-dep-vulns
Surface
workspace
Scope
workspace
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
suggestion

Activation Model

Preset Membership

This rule is part of the built-in activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Initial advisory snapshot coverage is intentionally small in the first release and needs broader snapshot discipline before Stable.

Promotion requirements

Needs larger advisory snapshot coverage, cross-lockfile corpus proof, and stable review of package/version matching before promotion to Stable.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Committed lockfiles record the exact dependency versions a workspace installs. When one of those installed npm package versions falls inside the affected range of a known offline advisory, the repository is carrying a concrete, reproducible supply-chain risk on every install, not just the looser signal of a permissive version range in package.json.

What Triggers

SEC756 scans committed package-lock.json, npm-shrinkwrap.json, and pnpm-lock.yaml files and matches installed npm package versions against the active offline advisory snapshot, which is bundled by default with lintai-dep-vulns.

False Positives

This first release is intentionally narrow. It only reports package versions that match deterministic affected-version ranges from the active offline advisory snapshot, and it does not guess from package.json ranges or use live network lookups during scan.

If a committed lockfile records an advisory-tracked package with an invalid installed version string, the advisory provider fails closed: the scan stops with a runtime error instead of silently skipping that package, so a lockfile that cannot be matched never reads as clean. Packages the snapshot does not track are not version-parsed at all, so unusual specifiers on untracked packages do not abort the scan.
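The match described above, as an added example that is not lintai's own code: a strict version parser, a comparator-set range matcher, and a scan over the "packages" map of a package-lock.json (lockfileVersion 2 or 3). The lockfile, the advisory snapshot, its advisory id and every function name here are constructed for illustration; only a tracked package with an unparseable version throws, which is the fail-closed behaviour the rule documents.

```javascript
// Added example, not lintai's own code: the deterministic match a SEC756-style rule makes
// between package-lock.json (lockfileVersion 2/3) "packages" entries and an offline advisory
// snapshot. The lockfile, the snapshot, its advisory id and all function names are constructed.

const SEMVER_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Strict "MAJOR.MINOR.PATCH[-pre][+build]" parser. Anything else throws, so an invalid
// installed version of a tracked package fails closed instead of being silently skipped.
function parseVersion(v) {
  const m = SEMVER_RE.exec(v);
  if (!m) throw new Error(`invalid installed version string: ${JSON.stringify(v)}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver 2.0 precedence: numeric tuple, then prerelease identifiers (a prerelease sorts
// below its release, numeric identifiers below alphanumeric ones, shorter lists first).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  if (!a.pre.length || !b.pre.length) return Math.sign(b.pre.length) - Math.sign(a.pre.length);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const [x, y] = [a.pre[i], b.pre[i]];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const [xn, yn] = [/^\d+$/.test(x), /^\d+$/.test(y)];
    const c = xn && yn ? Number(x) - Number(y) : xn ? -1 : yn ? 1 : x === y ? 0 : x < y ? -1 : 1;
    if (c) return c < 0 ? -1 : 1;
  }
  return 0;
}

// Affected ranges are plain comparator sets ("<1.0.5 || >=2.0.0 <2.4.0"): "||" separates
// alternatives, whitespace separates comparators that must all hold. No caret/tilde
// expansion: the rule matches exact installed versions, never package.json ranges.
const COMPARATOR_RE = /^(>=|<=|>|<|=)?(.+)$/;
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((clause) => clause.trim().split(/\s+/).every((comp) => {
    const [, op = '=', raw] = COMPARATOR_RE.exec(comp);
    const c = compareVersions(v, parseVersion(raw));
    return op === '>=' ? c >= 0 : op === '<=' ? c <= 0 : op === '>' ? c > 0 : op === '<' ? c < 0 : c === 0;
  }));
}

// Package name from an install key ("node_modules/a/node_modules/@s/b" -> "@s/b").
const nameOf = (key) => {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
};

// Scan every installed (non-root, non-link) entry whose name the snapshot tracks. Untracked
// packages never reach parseVersion, so only a tracked package with a bad version aborts the scan.
function scanLockfile(lockfile, snapshot) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === '' || entry.link) continue; // root project and workspace symlinks
    const name = entry.name || nameOf(key); // aliased installs carry an explicit name
    for (const adv of snapshot[name] || []) {
      if (satisfies(entry.version, adv.affected)) {
        findings.push({ rule: 'SEC756', key, package: name, version: entry.version, advisory: adv.id, fixedIn: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed lockfile: the root's hoisted parser-lib 3.0.0 is clean; web-framework pins ^2
// and so carries its own nested 2.3.1, which is the copy the advisory covers.
const LOCKFILE = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'web-framework': '^1.2.0', 'parser-lib': '^3.0.0' } },
    'node_modules/parser-lib': { version: '3.0.0' },
    'node_modules/web-framework': { version: '1.2.0', dependencies: { 'parser-lib': '^2.0.0' } },
    'node_modules/web-framework/node_modules/parser-lib': { version: '2.3.1' },
  },
};

// Constructed offline snapshot; the advisory id is a placeholder, not a real advisory.
const ADVISORY_SNAPSHOT = {
  'parser-lib': [{ id: 'EXAMPLE-0001', affected: '>=2.0.0 <2.4.0', fixed: '2.4.0' }],
};

console.log(JSON.stringify(scanLockfile(LOCKFILE, ADVISORY_SNAPSHOT), null, 2));
```

The scan reports the nested key, not just the package name, because the same package can be installed more than once in one lockfile at different versions; the hoisted 3.0.0 copy is not a finding. Prerelease versions are compared with plain semver precedence here (2.4.0-rc.1 sorts below 2.4.0), which is an assumption about how the snapshot's ranges are meant to be read, not a statement about lintai's matcher.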

Remediation

Upgrade the affected package to a version outside the advisory's affected range (the fixed version it records), regenerate the lockfile, and review any transitive dependency path that keeps the vulnerable version installed. When the match is on a nested copy, bumping the direct dependency alone may not remove it: use npm ls or pnpm why on the package name to see which dependents still require the vulnerable range, and if no release of those dependents has moved off it yet, pin the transitive version with an overrides entry in package.json (npm) or pnpm.overrides (pnpm). Rerun the scan against the regenerated lockfile to confirm the finding is gone.
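Tracing that transitive path from the lockfile itself, as an added example that is not lintai's or npm's code: it reconstructs the dependent chain from a package-lock.json (lockfileVersion 2 or 3) "packages" map using each entry's "dependencies" keys and Node's nearest-node_modules resolution, and lists every installed copy of the package so the hoisted, clean copy is not mistaken for the flagged one. The lockfile and all names below are constructed.

```javascript
// Added example, not lintai's own code: trace a flagged lockfile entry back to the direct
// dependency that keeps it installed, from package-lock.json (lockfileVersion 2/3) "packages"
// keys and their "dependencies" maps. The lockfile and all names below are constructed.

// Resolve `name` required from the package installed at lockfile key `fromKey` the way
// Node does: nearest node_modules first, then each enclosing one, up to the project root.
function resolveDependencyKey(packages, fromKey, name) {
  for (let base = fromKey; ; base = base.slice(0, Math.max(base.lastIndexOf('/node_modules/'), 0))) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === '') return null;
  }
}

// Package name from an install key ("node_modules/a/node_modules/@s/b" -> "@s/b").
const nameOf = (key) => {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
};

// Reverse edges: installed key -> keys of the packages that depend on it.
function buildDependents(packages) {
  const dependents = new Map();
  for (const [key, entry] of Object.entries(packages)) {
    const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolveDependencyKey(packages, key, name);
      if (target !== null) dependents.set(target, [...(dependents.get(target) || []), key]);
    }
  }
  return dependents;
}

// Shortest dependent chain from the project root ("") down to `key`, as package names;
// null if nothing reachable from the root depends on it (an orphaned entry).
function dependencyPath(dependents, key) {
  const next = new Map([[key, null]]); // key -> the key it was reached from
  const queue = [key];
  while (queue.length && !next.has('')) {
    const cur = queue.shift();
    for (const parent of dependents.get(cur) || []) {
      if (!next.has(parent)) { next.set(parent, cur); queue.push(parent); }
    }
  }
  if (!next.has('')) return null;
  const path = [];
  for (let k = ''; k !== null; k = next.get(k)) path.push(k === '' ? '(root)' : nameOf(k));
  return path;
}

// Every installed copy of a package: upgrading the hoisted copy leaves nested ones alone.
function installedCopies(packages, name) {
  return Object.entries(packages)
    .filter(([key, entry]) => key !== '' && (entry.name || nameOf(key)) === name)
    .map(([key, entry]) => ({ key, version: entry.version }));
}

// Constructed lockfile: the root's own parser-lib ^3 is fine; the vulnerable 2.3.1 is a
// nested copy pulled in two hops down, via web-framework -> http-client.
const LOCKFILE = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'web-framework': '^1.2.0', 'parser-lib': '^3.0.0' } },
    'node_modules/parser-lib': { version: '3.0.0' },
    'node_modules/web-framework': { version: '1.2.0', dependencies: { 'http-client': '^0.9.0' } },
    'node_modules/http-client': { version: '0.9.4', dependencies: { 'parser-lib': '^2.0.0' } },
    'node_modules/http-client/node_modules/parser-lib': { version: '2.3.1' },
  },
};

const FLAGGED_KEY = 'node_modules/http-client/node_modules/parser-lib'; // the entry SEC756 reported
const graph = buildDependents(LOCKFILE.packages);
console.log('installed copies:', installedCopies(LOCKFILE.packages, 'parser-lib'));
console.log('chain:', dependencyPath(graph, FLAGGED_KEY).join(' -> '));
```

The second element of the chain is the direct dependency to bump; if no release of it (or of the intermediate http-client) has moved off the affected range, that is the point at which an override pin is the practical fix until upstream catches up.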