gitDependency

Rendered from docs/alerts/gitDependency.md

Flags dependencies that resolve to a git/GitHub URL (or shorthand) instead of an immutable npm tarball.

Implemented in: src/lib/detection/plugins/git-http-dependency.ts
Enabled by default: no (available plugin; enable in the detection service/plugin set)

What it means

package.json contains a dependency specifier like:

  • git+https://...
  • git@github.com:...
  • github:user/repo
  • https://github.com/user/repo

Why it matters

Git/GitHub dependencies reduce reproducibility and can change after you’ve shipped. They also bypass typical registry controls.

What to do

  • Prefer published packages (public or private registry) over git URLs.
  • If you must use git, pin to a full commit hash (a branch or tag can move) and review the update process.
  • Audit for unexpected git deps in transitive dependencies.

Common fields

  • filePath: package.json
  • metadata.dependencyName, metadata.dependencyVersion, metadata.depType, metadata.url
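As an added example (not the project's git-http-dependency.ts plugin), the check below scans a package.json text for the specifier shapes listed above across all dependency sections, emits findings with the common fields, and additionally reports whether each specifier is pinned to a full 40-hex commit SHA. The pinnedToCommit field, the bare owner/repo shorthand (which npm also treats as GitHub shorthand), and the sample package.json are my assumptions/constructed input.

```javascript
// Added example: detect git/GitHub dependency specifiers in a package.json.
const DEP_TYPES = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Simplified view of what npm accepts as a git specifier (assumption: good enough for a scan).
const GIT_SPECIFIER = [
  /^git(\+[a-z]+)?:\/\//i,               // git://, git+https://, git+ssh://
  /^git@[^:]+:/i,                         // git@github.com:owner/repo.git (scp-style)
  /^github:/i,                            // github:owner/repo
  /^https?:\/\/(www\.)?github\.com\//i,   // https://github.com/owner/repo
  /^[\w-]+\/[\w.-]+(#.*)?$/,              // bare owner/repo shorthand; './x' and '../x' excluded
];
const FULL_SHA = /^[0-9a-f]{40}$/i;

function isGitSpecifier(spec) {
  return typeof spec === 'string' && GIT_SPECIFIER.some((re) => re.test(spec.trim()));
}

// Only a full commit SHA after '#' is immutable; a branch, tag or 'semver:' range can move.
function isPinnedToCommit(spec) {
  const hash = spec.indexOf('#');
  return hash !== -1 && FULL_SHA.test(spec.slice(hash + 1));
}

function findGitDependencies(packageJsonText, filePath = 'package.json') {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const depType of DEP_TYPES) {
    const deps = pkg[depType];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!isGitSpecifier(spec)) continue;
      findings.push({
        filePath,
        metadata: { dependencyName: name, dependencyVersion: spec, depType, url: spec,
                    pinnedToCommit: isPinnedToCommit(spec) },
      });
    }
  }
  return findings;
}

// Constructed sample input: one registry dep and four git-style specifiers.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    lodash: '^4.17.21',
    'left-pad-fork': 'git+https://github.com/example-org/left-pad.git#0123456789abcdef0123456789abcdef01234567',
    'my-lib': 'github:example-org/my-lib',
    other: 'https://github.com/example-org/other',
  },
  devDependencies: { tools: 'git@github.com:example-org/tools.git#main' },
});

console.log(findGitDependencies(SAMPLE_PACKAGE_JSON));
```

Running it on the sample reports four findings; only left-pad-fork is pinned to a commit, and lodash is not flagged.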