Lockfile Changed Without Source Review
Fires when a diff contains only lockfile changes with no accompanying source-file edits, which can hide malicious dependency upgrades.
Why this rule exists
Pure lockfile PRs hide the actual supply chain change behind a one-line summary. Reviewers see the bot, click approve, and never read the transitive dependency graph that just shifted under them.
Code example

Fires: only the lockfile changed.

packages.lock.json | 200 +++++++++++++++++++++++++++
// no other files touched, no release notes linked

Does not fire: the lockfile change arrives with something a reviewer can actually read.

packages.lock.json | 200 +++++++++++++++++++++++++++
+ docs/upgrades/2026-04-someLib.md // upgrade rationale, CHANGELOG link, manual smoke notes

Configuration
Disable or adjust the severity of this rule in .gauntletci.json:
{
  "rules": {
    "GCI0053": { "enabled": true, "severity": "Warn" }
  }
}

See Configuration for the full schema.
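One way to express the rule's trigger condition, as an added Python example that is not GauntletCI's own implementation: it parses the diffstat shape shown in the code example and fires only when every changed path is a lockfile. Everything in the lockfile name set other than packages.lock.json is an assumption, as are the sample diffstats.

```python
import posixpath
import re

# Lockfile basenames. packages.lock.json (NuGet) is from the rule page; the
# others are assumed additions for other ecosystems.
LOCKFILE_NAMES = frozenset({
    "packages.lock.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "Pipfile.lock", "poetry.lock", "Cargo.lock", "Gemfile.lock", "go.sum",
})

# Per-file line of `git diff --stat`: "<path> | <changes>". The trailing
# "N files changed, ..." summary has no "|" and is skipped; binary entries
# ("| Bin 0 -> 123 bytes") still match, so they are never silently dropped.
_STAT_LINE = re.compile(r"^\s*(?P<path>\S.*?)\s*\|")

def changed_paths_from_stat(stat_output: str) -> list[str]:
    """Return the file paths listed in git diff --stat text, in order."""
    paths = []
    for line in stat_output.splitlines():
        match = _STAT_LINE.match(line)
        if match:
            paths.append(match.group("path"))
    return paths

def is_lockfile(path: str) -> bool:
    return posixpath.basename(path) in LOCKFILE_NAMES

def lockfile_only(changed_paths) -> bool:
    """GCI0053 condition: at least one lockfile changed and no other file did."""
    paths = list(changed_paths)
    return bool(paths) and all(is_lockfile(p) for p in paths)

def evaluate(stat_output: str) -> dict:
    """Classify a diffstat: does the rule fire, and which files drove the verdict."""
    paths = changed_paths_from_stat(stat_output)
    return {
        "rule": "GCI0053",
        "fires": lockfile_only(paths),
        "lockfiles": [p for p in paths if is_lockfile(p)],
        "other": [p for p in paths if not is_lockfile(p)],
    }

# Constructed sample diffstats mirroring the page's two cases.
BAD_STAT = """\
 packages.lock.json | 200 +++++++++++++++++++++++++++
 1 file changed, 200 insertions(+)
"""
GOOD_STAT = """\
 packages.lock.json | 200 +++++++++++++++++++++++++++
 docs/upgrades/2026-04-someLib.md | 12 ++++++++++++
 2 files changed, 212 insertions(+)
"""
```

In a CI job, feed evaluate the output of git diff --stat for the PR range, or skip the parser and pass git diff --name-only output straight to lockfile_only, which avoids the path truncation --stat applies to long names.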
Related rules
Dependency Bot API Drift
Fires when a dependency bot PR (Dependabot, Renovate, Snyk) contains both a lockfile change and a public API method signature change in C# files.
Hardcoding and Configuration
Detects hardcoded IPs, URLs, connection strings, secrets, and environment names committed to source.
Implemented in src/GauntletCI.Core/Rules/Implementations/GCI0053_*.cs.
Eric Cogen -- Founder, GauntletCI
Twenty years as a senior technical consultant building and modernizing enterprise platforms across .NET, AWS, serverless, microservices, and AI-driven systems.
