httpDependency

Rendered from docs/alerts/httpDependency.md


Flags dependencies that resolve to remote HTTP(S) URLs (tarballs or other external downloads) instead of an immutable npm version.

Implemented in: src/lib/detection/plugins/git-http-dependency.ts
Enabled by default: no (available plugin; enable in the detection service/plugin set)

What it means

A dependency entry in package.json uses a remote URL as its specifier, for example https://example.com/pkg.tgz, instead of a registry version or semver range.

Why it matters

The content served at an HTTP(S) URL can change without any version bump, and such downloads bypass the registry's scanning and integrity protections, so the installed code is whatever the remote host returns at install time.

What to do

  • Publish the dependency to a registry and depend on a version instead.
  • If unavoidable, verify integrity (hash pinning) and control the hosting endpoint.
  • Treat unexpected HTTP deps as suspicious, especially for runtime dependencies.

Common fields

  • filePath: package.json
  • metadata.dependencyName, metadata.dependencyVersion, metadata.depType, metadata.url
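The check described above, as an added example rather than the project's own plugin: it walks the dependency sections of a parsed package.json and returns findings shaped like the common fields listed here. The function names, the DepType union and the sample package.json are assumptions for illustration.

```typescript
// Added example, not the project's detection plugin. Flags dependency
// specifiers that are absolute http:// or https:// URLs and emits findings
// with the documented metadata keys (dependencyName, dependencyVersion,
// depType, url). The helper names and DepType values are assumptions.
type DepType = "dependencies" | "devDependencies" | "optionalDependencies" | "peerDependencies";

interface HttpDependencyFinding {
  filePath: string;
  metadata: { dependencyName: string; dependencyVersion: string; depType: DepType; url: string };
}

const DEP_TYPES: DepType[] = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// A specifier is flagged only when it parses as an absolute URL with an
// http: or https: scheme. Registry ranges ("^1.2.3"), aliases ("npm:x@1.0.0"),
// git specifiers ("git+https://...") and local paths ("file:../x") do not match.
function isHttpUrl(spec: string): boolean {
  try {
    const proto = new URL(spec).protocol;
    return proto === "http:" || proto === "https:";
  } catch {
    return false; // not an absolute URL at all
  }
}

function detectHttpDependencies(pkg: Record<string, unknown>, filePath = "package.json"): HttpDependencyFinding[] {
  const findings: HttpDependencyFinding[] = [];
  for (const depType of DEP_TYPES) {
    const section = pkg[depType];
    if (!section || typeof section !== "object") continue;
    for (const [name, spec] of Object.entries(section as Record<string, unknown>)) {
      if (typeof spec !== "string" || !isHttpUrl(spec)) continue;
      findings.push({ filePath, metadata: { dependencyName: name, dependencyVersion: spec, depType, url: spec } });
    }
  }
  return findings;
}

// Parses raw package.json text (as read from disk) and runs the check.
function detectFromPackageJsonText(text: string, filePath = "package.json"): HttpDependencyFinding[] {
  return detectHttpDependencies(JSON.parse(text) as Record<string, unknown>, filePath);
}

// Constructed sample: a registry range, a remote tarball and a git URL.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { lodash: "^4.17.21", "tarball-helper": "https://example.com/pkg.tgz" },
  devDependencies: { tool: "git+https://github.com/org/tool.git" },
});
```

Running `detectFromPackageJsonText(SAMPLE_PACKAGE_JSON)` on the sample yields a single finding for `tarball-helper`; the git specifier is left to a separate check.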