Python Pyproject Missing Package Lock
Description
Detects missing or incomplete lock files in Python projects managed with Poetry or uv. A lock file (poetry.lock or uv.lock) records the exact version and the artifact hashes of every resolved dependency, so each install reproduces the same vetted dependency set across developer machines, CI and deployments. Without one, every install re-resolves to the newest versions allowed by the constraints in pyproject.toml, so a newly published malicious release, a hijacked package or a same-named package served from another index can be pulled in without any change to the project's own files, and the integrity checks that the locked hashes would provide are never applied. This exposes the project to supply chain attacks and dependency confusion.
Detection Strategy
• Checks whether pyproject.toml declares a Poetry configuration (such as a [tool.poetry] table) but no poetry.lock exists beside it
• For uv projects, verifies that a uv.lock exists in the project directory or, for a workspace member, in the workspace root
• For uv workspaces, validates that the package is listed in the workspace's members so that it is actually resolved and locked
• Reports a vulnerability when a required lock file is missing or when the package is not recorded in uv.lock
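The following script is an added example, not Fluid Attacks' scanner code, showing one way to implement the four checks above. It assumes that a Poetry project is one whose pyproject.toml contains a `[tool.poetry]` table, that a uv project is one with a `[tool.uv]` table or a build backend whose name starts with `uv`, and that a uv workspace root is the nearest ancestor whose pyproject.toml declares `[tool.uv.workspace]`. The `build_sample_tree` function writes a constructed fixture (one Poetry project without a lock, one uv project without a lock, and a uv workspace whose uv.lock tracks only one of its two packages) so that the whole thing runs offline.

```python
"""Lock-file checks for Poetry and uv projects (added example, not Fluid Attacks' code)."""
from __future__ import annotations

import fnmatch
import re
import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore


def load_toml(path: Path) -> dict:
    with path.open("rb") as fh:
        return tomllib.load(fh)


def normalize(name: str) -> str:
    """PEP 503 name normalisation; uv.lock records package names in this form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_uv_workspace_root(start: Path, stop: Path | None = None) -> Path | None:
    """Nearest ancestor (including start) whose pyproject.toml has [tool.uv.workspace]."""
    for candidate in (start, *start.parents):
        pyproject = candidate / "pyproject.toml"
        if pyproject.is_file() and "workspace" in load_toml(pyproject).get("tool", {}).get("uv", {}):
            return candidate
        if candidate == stop:  # do not walk above the scanned tree
            break
    return None


def is_workspace_member(root: Path, project_dir: Path, workspace: dict) -> bool:
    """The root is always a member; other directories must match a members glob and no exclude glob."""
    if project_dir == root:
        return True
    rel = project_dir.relative_to(root).as_posix()
    if any(fnmatch.fnmatch(rel, pat) for pat in workspace.get("exclude", [])):
        return False
    return any(fnmatch.fnmatch(rel, pat) for pat in workspace.get("members", []))


def locked_packages(lock_path: Path) -> set[str]:
    """Normalised names of every [[package]] entry recorded in uv.lock."""
    return {normalize(p["name"]) for p in load_toml(lock_path).get("package", []) if "name" in p}


def check_project(project_dir: Path, stop: Path | None = None) -> list[str]:
    """Finding codes for one project directory; an empty list means clean."""
    findings: list[str] = []
    pyproject = project_dir / "pyproject.toml"
    if not pyproject.is_file():
        return findings
    data = load_toml(pyproject)
    tool = data.get("tool", {})
    if "poetry" in tool and not (project_dir / "poetry.lock").is_file():
        findings.append("missing-poetry-lock")  # Poetry config present, lock absent
    backend = data.get("build-system", {}).get("build-backend", "")
    if "uv" in tool or backend.startswith("uv"):  # assumption: how a uv project is recognised
        root = find_uv_workspace_root(project_dir, stop) or project_dir
        lock = root / "uv.lock"
        if not lock.is_file():
            findings.append("missing-uv-lock")
            return findings
        if root != project_dir:  # workspace member: must be listed by the root
            workspace = load_toml(root / "pyproject.toml")["tool"]["uv"]["workspace"]
            if not is_workspace_member(root, project_dir, workspace):
                findings.append("not-a-workspace-member")
        name = data.get("project", {}).get("name")
        if name and normalize(name) not in locked_packages(lock):
            findings.append("not-in-uv-lock")  # lock exists but never resolved this package
    return findings


def scan(base: Path) -> dict[str, list[str]]:
    """Run check_project on every directory under base that holds a pyproject.toml."""
    return {p.parent.relative_to(base).as_posix(): check_project(p.parent, stop=base)
            for p in sorted(base.rglob("pyproject.toml"))}


def build_sample_tree(base: Path) -> None:
    """Constructed fixture covering each finding; not a real project."""
    def write(rel: str, text: str) -> None:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    write("poetry-app/pyproject.toml", '[tool.poetry]\nname = "poetry-app"\nversion = "0.1.0"\n\n'
          '[tool.poetry.dependencies]\npython = "^3.11"\nrequests = "^2.32"\n')
    write("uv-solo/pyproject.toml", '[project]\nname = "uv-solo"\nversion = "0.1.0"\n\n[tool.uv]\n')
    write("uv-ws/pyproject.toml", '[project]\nname = "uv-ws"\nversion = "0.1.0"\n\n'
          '[tool.uv.workspace]\nmembers = ["packages/api"]\n')
    write("uv-ws/packages/api/pyproject.toml", '[project]\nname = "api"\nversion = "0.1.0"\n\n[tool.uv]\n')
    write("uv-ws/packages/worker/pyproject.toml", '[project]\nname = "worker"\nversion = "0.1.0"\n\n[tool.uv]\n')
    write("uv-ws/uv.lock", 'version = 1\n\n[[package]]\nname = "uv-ws"\nversion = "0.1.0"\n'
          'source = { editable = "." }\n\n[[package]]\nname = "api"\nversion = "0.1.0"\n'
          'source = { editable = "packages/api" }\n')


def demo() -> dict[str, list[str]]:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan(base)


if __name__ == "__main__":
    for project, findings in demo().items():
        print(f"{project}: {findings or 'OK'}")
```

Point `scan` at a real checkout instead of the fixture to use it as a pre-commit or CI gate; the `stop` argument keeps the workspace search from wandering above the repository, which matters when the checkout sits under a directory that itself contains a pyproject.toml. Member matching uses shell-style globs, which is close to but not identical to uv's own glob handling, so treat a `not-a-workspace-member` result as something to confirm with `uv lock` rather than a definitive verdict.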
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.