
Before you can secure a supply chain, you must know exactly what's in it. This process starts with dependency enumeration.
Two kinds of files describe those dependencies:

Manifest files (package.json, requirements.txt): Define high-level requirements, often using ranges (e.g., ^1.2.0).

Lockfiles (package-lock.json, yarn.lock, poetry.lock): Record the exact version of every direct and transitive dependency used in a specific build.

From a security perspective, lockfiles are the source of truth. They ensure that every developer and build server is using the exact same code, preventing "it works on my machine" bugs and, more importantly, protecting against malicious updates that might sneak in if versions aren't pinned.
App
├── Auth-Lib (v2.1.0)
│   └── Utility-JS (v1.0.5) <--- Vulnerable!
└── UI-Kit (v3.0.0)

Your application never declared Utility-JS as a dependency, but because Auth-Lib depends on it, you are vulnerable. SCA tools excel at tracing these relationships to find the "root cause" of a risk.

Which file type records the EXACT version of every dependency?
In security, manifest files are useful, but what is the "source of truth"?
What hierarchical representation helps visualize relationships?
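The two ideas above, lockfile as source of truth and tracing a vulnerable transitive dependency back to the package that pulled it in, can be demonstrated on an npm lockfile. The script below is an added example, not code from this lesson or from any SCA product. It parses a constructed package-lock.json (lockfileVersion 3 "packages" layout) mirroring the App / Auth-Lib / UI-Kit tree, with one addition beyond the lesson's tree: UI-Kit carries its own nested, fixed copy of Utility-JS, which is exactly the kind of per-path version detail a manifest cannot express and a lockfile records. The advisory feed (package name to first fixed version) is also constructed.

```python
"""Enumerate exact dependency versions from an npm lockfile (v2/v3
"packages" layout) and trace the chain that introduces a vulnerable
package. All data below is constructed for illustration."""
import json
from typing import Dict, List, Tuple

# Constructed package-lock.json content mirroring the lesson's tree.
# ui-kit gets a nested copy of utility-js (a newer, fixed version);
# npm records that nesting as the path "node_modules/ui-kit/node_modules/utility-js".
LOCKFILE_JSON = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app",
             "dependencies": {"auth-lib": "^2.1.0", "ui-kit": "^3.0.0"}},
        "node_modules/auth-lib": {"version": "2.1.0",
                                  "dependencies": {"utility-js": "^1.0.0"}},
        "node_modules/utility-js": {"version": "1.0.5"},
        "node_modules/ui-kit": {"version": "3.0.0",
                                "dependencies": {"utility-js": "^2.0.0"}},
        "node_modules/ui-kit/node_modules/utility-js": {"version": "2.0.1"},
    },
})

# Constructed advisory feed: package name -> first fixed version.
ADVISORIES = {"utility-js": "1.1.0"}


def load_lock(text: str = LOCKFILE_JSON) -> dict:
    """Parse lockfile JSON text into a dict."""
    return json.loads(text)


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.5' -> (1, 0, 5); sufficient for the plain versions used here."""
    return tuple(int(part) for part in v.split("."))


def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> str:
    """Resolve `dep` as npm does: look in the nearest node_modules below
    `from_path`, then walk upward until the top-level node_modules."""
    path = from_path
    while True:
        candidate = f"{path}/node_modules/{dep}" if path else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not path:
            raise KeyError(f"cannot resolve {dep} from {from_path or '<root>'}")
        # one package level up: "a/node_modules/b" -> "a", "node_modules/b" -> ""
        head, sep, _ = path.rpartition("/node_modules/")
        path = head if sep else ""


def exact_versions(lock: dict) -> Dict[str, str]:
    """Lockfile as source of truth: every installed path with its pinned version."""
    return {path: meta["version"] for path, meta in lock["packages"].items() if path}


def dependency_chains(lock: dict, target_path: str) -> List[List[str]]:
    """Every chain app -> ... -> target, each hop labelled name@exact-version."""
    packages = lock["packages"]
    chains: List[List[str]] = []

    def walk(path: str, trail: List[str]) -> None:
        for dep in packages[path].get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            label = f"{dep}@{packages[dep_path]['version']}"
            if dep_path == target_path:
                chains.append(trail + [label])
            elif label not in trail:  # cycle guard; npm allows cycles
                walk(dep_path, trail + [label])

    walk("", [packages[""]["name"]])
    return chains


def find_vulnerable(lock: dict, advisories: Dict[str, str]) -> List[dict]:
    """Compare each pinned version against the advisory feed and report the
    chain(s) that pull the vulnerable copy in (the root cause)."""
    findings = []
    for path, version in exact_versions(lock).items():
        name = path.rsplit("node_modules/", 1)[1]
        fixed = advisories.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append({"path": path, "version": version,
                             "chains": dependency_chains(lock, path)})
    return findings


if __name__ == "__main__":
    lock = load_lock()
    for f in find_vulnerable(lock, ADVISORIES):
        name = f["path"].rsplit("node_modules/", 1)[1]
        print(f"{f['path']} is at {f['version']}, fixed in {ADVISORIES[name]}")
        for chain in f["chains"]:
            print("  via " + " -> ".join(chain))
```

Running it reports only the top-level utility-js@1.0.5, reached via app -> auth-lib@2.1.0 -> utility-js@1.0.5; the nested copy under ui-kit is 2.0.1 and is not flagged. A scanner that read only package.json would see neither utility-js version, because the manifest names only the direct dependencies and their ranges.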