Dependency Pinning
What is Dependency Pinning?
The practice of declaring software dependencies at exact versions, often combined with cryptographic hashes, so that builds always consume the same artifacts and resist supply-chain tampering.
Dependency pinning replaces loose version ranges (e.g. "^1.0.0") with exact versions and, ideally, cryptographic digests in a lockfile (package-lock.json, poetry.lock, Pipfile.lock, Gemfile.lock, go.sum, Cargo.lock). Builds then become reproducible and resistant to silent upgrades, dependency confusion, typosquatting, and compromised package versions. Modern practice also pins GitHub Actions and other CI plugins to commit SHAs rather than mutable tags. Pinning must be paired with active vulnerability monitoring (SCA, GitHub Dependabot, Renovate) so that patches still flow in, otherwise pinned applications grow stale and accumulate CVEs. Hash-pinning is a key control referenced by SLSA, NIST SSDF, OWASP, and reproducible-builds initiatives.
● Examples
- 01: Pinning all third-party GitHub Actions to commit SHAs instead of mutable tags such as v3.
- 02: Using pip --require-hashes with a fully hashed requirements.txt in CI, so that any artifact whose digest does not match the lockfile is rejected.
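As an added illustration of both examples above (this is not code from the original page), the following Python script audits two constructed inputs: a requirements.txt checked against the rules pip --require-hashes enforces (exact `==` version plus at least one well-formed sha256 digest on every requirement), and a GitHub Actions workflow checked for `uses:` references that are pinned to a full 40-hex commit SHA rather than a mutable tag. The sample files, digests and SHAs are placeholders constructed for the example; the function names are assumptions, not a tool's API.

```python
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
GIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# Only `name==version` (optionally with extras) counts as an exact pin.
EXACT_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([0-9A-Za-z.!+-]+)$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def _logical_lines(text):
    """Join backslash-continued lines, strip `#` comments and drop blanks."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined


def audit_requirements(text):
    """Return one finding per requirement that --require-hashes would reject:
    a non-exact version specifier, or a missing/malformed sha256 digest."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # -r, -c, --index-url ... are options, not packages
            continue
        spec, *opts = line.split()
        m = EXACT_PIN.match(spec)
        if not m:
            findings.append(f"{spec}: not pinned to an exact version (use name==x.y.z)")
            continue
        hashes = [o.split("=", 1)[1] for o in opts if o.startswith("--hash=")]
        good = [h for h in hashes if h.startswith("sha256:") and SHA256_HEX.match(h[7:])]
        if not good:
            findings.append(f"{m.group(1)}=={m.group(3)}: no valid sha256 --hash entry")
    return findings


def audit_workflow(yaml_text):
    """Return one finding per `uses:` reference whose ref is not a full commit SHA."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue  # local action or image reference, not a tag-pinned action
        action, _, version = ref.partition("@")
        if not GIT_SHA.match(version):
            findings.append(f"line {lineno}: {action} pinned to mutable ref '{version or '<none>'}'")
    return findings


# Constructed sample inputs; the digest and SHA below are placeholders, not real values.
PLACEHOLDER_DIGEST = "a" * 64
PLACEHOLDER_SHA = "b" * 40
REQUIREMENTS_TXT = (
    "# constructed sample requirements.txt\n"
    f"requests==2.31.0 \\\n    --hash=sha256:{PLACEHOLDER_DIGEST}\n"
    "urllib3>=1.26                 # loose range and no hash\n"
    "pyyaml==6.0.1                 # exact version but no hash\n"
)
WORKFLOW_YAML = (
    "# constructed sample GitHub Actions workflow\n"
    "jobs:\n"
    "  build:\n"
    "    steps:\n"
    f"      - uses: actions/checkout@{PLACEHOLDER_SHA}  # SHA-pinned (placeholder SHA)\n"
    "      - uses: actions/setup-python@v5\n"
    "      - uses: ./.github/actions/local-step\n"
)

if __name__ == "__main__":
    for title, findings in (("requirements.txt", audit_requirements(REQUIREMENTS_TXT)),
                            ("workflow", audit_workflow(WORKFLOW_YAML))):
        print(f"{title}: {len(findings)} unpinned entries")
        for finding in findings:
            print("  -", finding)
```

Run as a CI gate, a non-empty result from either function would fail the build; the version-pin check alone is not enough, because a registry can serve a different artifact under the same version, which is exactly what the digest comparison catches.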
● Frequently asked questions
What is Dependency Pinning?
The practice of declaring software dependencies at exact versions, often combined with cryptographic hashes, so that builds always consume the same artifacts and resist supply-chain tampering. It belongs to the Application Security category of cybersecurity.
How is Dependency Pinning applied in practice?
Pinning combines technical controls (lockfiles with exact versions and digests, hash verification at install time, CI actions pinned to commit SHAs) with operational practices (automated update and vulnerability monitoring so pinned dependencies do not go stale), as detailed in the full definition above.
What are other names for Dependency Pinning?
Common alternative names include: Version pinning, Hash pinning.
● Related terms
- appsec№ 1069
Software Supply Chain Security
The discipline of protecting every link of the software production chain - source, dependencies, build, signing, distribution, and deployment - against tampering, malicious code, and integrity loss.
- appsec№ 304
Dependency Confusion Attack
A supply-chain attack in which an adversary publishes a malicious package on a public registry with the same name as an organization's internal dependency, tricking build tools into pulling the public version.
- appsec№ 971
SCA (Software Composition Analysis)
Automated analysis of an application's open-source and third-party components to identify known vulnerabilities, license issues and outdated or risky dependencies.
- appsec№ 921
Reproducible Builds
Build practices that ensure compiling the same source code with the same instructions produces a bit-for-bit identical artifact, regardless of when or where it is built.
- appsec№ 166
CI/CD Security
The set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments.
- appsec№ 784
Package Signing
Applying a cryptographic signature to a software package so that consumers can verify the publisher's identity and that the artifact has not been altered after release.