Practise supply chain security vocabulary: pinning versions, integrity hashes, dependency audits, reading npm audit output, and SBOM language in professional English.
1 / 5
A developer says: 'We should pin the version of that library.' What does this mean in practice?
Pinning means using an exact version string like '4.17.21' rather than a range like '^4.17.21'. This prevents the package manager from automatically installing a newer (potentially compromised) version. Pinning is combined with a lockfile for full reproducibility.
2 / 5
After running 'npm audit', the output reads: 'found 5 vulnerabilities (2 moderate, 2 high, 1 critical)'. What should the team prioritise first?
Critical vulnerabilities represent the highest severity level and should be addressed first. 'npm audit fix' can auto-resolve some; others require manual version upgrades. The severity levels in npm audit are: low → moderate → high → critical.
3 / 5
What is an 'integrity hash' in a lockfile (package-lock.json)?
The integrity field (e.g. sha512-abc123...) in package-lock.json is a cryptographic fingerprint of the exact tarball npm downloaded. On the next install, npm re-downloads and re-checks the hash — if they don't match, installation is aborted, protecting against tampering.
4 / 5
A security engineer asks for an SBOM before approving the deployment. What document are they requesting?
A Software Bill of Materials (SBOM) is a structured inventory of all software components — direct and transitive. It enables vulnerability tracking, licence compliance checking, and is increasingly required by governments and enterprises as part of supply chain security policy.
5 / 5
A vulnerability report states: 'CVE-2023-44487 affects an indirect dependency of your project.' This is an example of:
A transitive (indirect) vulnerability means your code doesn't import the vulnerable package directly, but one of your direct dependencies does. It is still your responsibility to mitigate — update the direct dependency to a version that uses a patched transitive dependency, or force-override the version if the package manager supports it.