From ac88f40080ad5888c522cbb51502077a4ec023c4 Mon Sep 17 00:00:00 2001 From: Mark Stacey Date: Tue, 6 Jan 2026 17:20:43 -0330 Subject: [PATCH] feat: Add guidance about `npx`/`yarn dlx` The secure coding guidelines have been updated to ask contributors not to use `npx` and `yarn dlx`, because they don't update the lockfile and leave us more vulnerable to supply-chain attacks. --- docs/secure-coding-guidelines.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/secure-coding-guidelines.md b/docs/secure-coding-guidelines.md index 687cc75e..11b8e9e3 100644 --- a/docs/secure-coding-guidelines.md +++ b/docs/secure-coding-guidelines.md @@ -121,7 +121,9 @@ The guidelines in this policy were gathered primarily from the [OWASP Top 10](ht #### Dependency Integrity -- Use a lockfile or pinned dependencies to maintain control over which version of each dependency is used +- Use a lockfile to maintain control over which version of each dependency is used +- Do not use `npx` or `yarn dlx` + - These commands do not update the lockfile, so we have no control over which versions are installed. This leaves us vulnerable to supply-chain attacks. #### Avoid Deprecated and Unmaintained Packages
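Review bot: the new "Do not use `npx` or `yarn dlx`" bullet tells contributors what to avoid but not what to do instead; since the stated reason is that these commands bypass the lockfile, the bullet should name the sanctioned alternative, for example: "Add the tool as a devDependency and run it via a package script or `yarn <bin>`, so its version and integrity hash are recorded in the lockfile." Separately, the first bullet silently drops "or pinned dependencies" as an accepted option, but neither the commit message nor the new text explains why pinned versions without a lockfile are no longer acceptable; either restore the wording or add a sentence saying that pinning alone does not record the integrity hash that a lockfile provides.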