
Dependency Enumeration

30 min
lab
+50 XP

Learning Objectives

  • Perform dependency enumeration
  • Analyze lockfiles for version pinning
  • Identify vulnerable transitive chains

Dependency Enumeration & Lockfiles

Before you can secure a supply chain, you must know exactly what's in it. This process starts with dependency enumeration.

Manifests vs. Lockfiles


Most package managers use two types of files:

  • Manifests (e.g., package.json, requirements.txt): Define high-level requirements, often using ranges (e.g., ^1.2.0).
  • Lockfiles (e.g., package-lock.json, yarn.lock, poetry.lock): Record the exact version of every direct and transitive dependency used in a specific build.

From a security perspective, lockfiles are the source of truth. They ensure that every developer and build server is using the exact same code, preventing "it works on my machine" bugs and, more importantly, protecting against malicious updates that might sneak in if versions aren't pinned.

Visualizing the Tree


A "dependency tree" is a hierarchical representation of your components.

  App
  ├── Auth-Lib (v2.1.0)
  │   └── Utility-JS (v1.0.5)  <--- Vulnerable!
  └── UI-Kit (v3.0.0)


In this example, your app isn't directly using Utility-JS, but because Auth-Lib depends on it, you are vulnerable. SCA tools excel at tracing these relationships to find the "root cause" of a risk.
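As an added example (not part of the Loopus lesson), the following Python parses a constructed lockfileVersion 3 package-lock.json, mimics Node's nearest-node_modules lookup so nested (deduplicated or not) packages resolve correctly, and reports every chain from the root down to a package whose exact pinned version appears in an advisory table. The lockfile content, the advisory table and the package names are all constructed for illustration.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0",
              "dependencies": {"auth-lib": "^2.1.0", "ui-kit": "^3.0.0"}},
        "node_modules/auth-lib": {"version": "2.1.0",
                                  "dependencies": {"utility-js": "^1.0.0"}},
        "node_modules/utility-js": {"version": "1.0.5"},
        "node_modules/ui-kit": {"version": "3.0.0"},
    },
})

# Constructed advisory table: package name -> set of affected exact versions.
VULNERABLE = {"utility-js": {"1.0.5"}}

def resolve(packages, from_path, dep_name):
    """Nearest node_modules/<dep_name> walking up from from_path (Node's lookup order)."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")   # step up one nesting level
        base = base[:idx] if idx != -1 else ""

def vulnerable_chains(lock_json, vulnerable=VULNERABLE):
    """Every root -> ... -> vulnerable package path, each node rendered as 'name@version'."""
    packages = json.loads(lock_json)["packages"]
    chains = []

    def walk(path, trail, ancestors):
        entry = packages[path]
        # The root entry carries its name; nested entries are named by their path suffix.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        trail = trail + [f"{name}@{entry.get('version', '?')}"]
        if entry.get("version") in vulnerable.get(name, set()):
            chains.append(trail)
        for dep in entry.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target and target not in ancestors:   # ancestors guard against cycles
                walk(target, trail, ancestors | {path})

    walk("", [], frozenset())
    return chains

if __name__ == "__main__":
    for chain in vulnerable_chains(SAMPLE_LOCK):
        print(" -> ".join(chain))
```

Running it prints the single chain app@1.0.0 -> auth-lib@2.1.0 -> utility-js@1.0.5, which is exactly the "root cause" an SCA tool needs: the direct dependency to upgrade or replace is Auth-Lib, not the package named in the advisory.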

Answer the Questions

📚 Question 1 (Knowledge)

Which file type records the EXACT version of every dependency?

Format: ******** (8 chars)
Exact match required

⌨️ Question 2 (Hands-On)

In security, manifest files are useful, but what is the "source of truth"?

Format: ********* (9 chars)
Exact match required

📚 Question 3 (Knowledge)

What hierarchical representation helps visualize relationships?

Format: ********** **** (15 chars)
Exact match required
