Lock files are mandatory
Always commit lock files (package-lock.json, Pipfile.lock, composer.lock, go.mod together with go.sum). They pin the exact version of every transitive dependency, and most of them also record a content hash for each artifact, so the installer can refuse a tarball that no longer matches what was reviewed. Without a lock file, npm install today may produce a different dependency tree than tomorrow. Committing the file is only half of it: build from it with a command that treats the lock as authoritative (npm ci rather than npm install, which may rewrite the lock; pipenv sync rather than pipenv install), and treat a lock-file diff in a pull request as code to be reviewed, because a changed resolved URL or integrity field is exactly how a swapped artifact shows up.
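The check that a lock file makes possible, as an added example that is not part of the original page: a Python script that audits a package-lock.json the way npm ci would (every declared dependency present, every package pinned to a resolved URL and an integrity hash) and additionally requires that every artifact comes over https from a registry on an allow-list. The lock file, the placeholder hashes and the allow-list of one registry are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Assumption for the example: the only registry production builds may fetch from.
ALLOWED_REGISTRIES = {"registry.npmjs.org"}
# npm has written sha512 SRI hashes since lockfileVersion 2; sha1 entries are legacy.
STRONG_ALGORITHMS = {"sha512"}

# Constructed package-lock.json (lockfileVersion 3) for a fictional project.
# The integrity values are placeholders, not digests of real tarballs.
SAMPLE_LOCK = r'''{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "example-app",
      "version": "1.0.0",
      "dependencies": {"left-pad-ish": "^1.3.0", "tiny-logger": "~2.0.1", "chalkish": "^5.0.0"},
      "devDependencies": {"dev-helper": "github:someone/dev-helper"}
    },
    "node_modules/left-pad-ish": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
      "integrity": "sha512-YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbA=="
    },
    "node_modules/tiny-logger": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/tiny-logger/-/tiny-logger-2.0.1.tgz",
      "integrity": "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk="
    },
    "node_modules/tiny-logger/node_modules/colour": {
      "version": "0.9.0",
      "resolved": "http://mirror.example.internal/colour/-/colour-0.9.0.tgz"
    },
    "node_modules/dev-helper": {
      "version": "1.0.0",
      "resolved": "git+ssh://git@github.com/someone/dev-helper.git#0a1b2c3d",
      "dev": true
    }
  }
}'''


def parse_integrity(value):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, digest)."""
    algo, _, digest = value.partition("-")
    return algo, digest


def audit_lock(lock_text, allowed_registries=ALLOWED_REGISTRIES):
    """Return a sorted list of (package path, problem) for everything npm ci or a
    registry allow-list would object to. An empty list means the lock is clean."""
    lock = json.loads(lock_text)
    findings = []
    packages = lock.get("packages", {})
    if lock.get("lockfileVersion", 1) < 2:
        findings.append(("", "lockfileVersion < 2: no per-package 'packages' section to audit"))

    # 1. Lock must agree with package.json: npm ci refuses to run otherwise.
    root = packages.get("", {})
    declared = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    for name in declared:
        if f"node_modules/{name}" not in packages:
            findings.append((name, "declared in package.json but absent from lock file (npm ci would refuse to install)"))

    # 2. Every installed package must be pinned to a source we trust and a hash we can verify.
    for path, meta in packages.items():
        if path == "" or meta.get("link"):      # root entry and workspace symlinks carry no artifact
            continue
        resolved = meta.get("resolved")
        integrity = meta.get("integrity")
        if not resolved:
            findings.append((path, "no 'resolved' URL: source of this artifact is not pinned"))
        else:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname not in allowed_registries:
                findings.append((path, f"resolved from {url.scheme}://{url.hostname}, not an allowed registry"))
        if not integrity:
            findings.append((path, "no 'integrity' hash: tarball contents cannot be verified at install"))
        else:
            algo, digest = parse_integrity(integrity)
            if algo not in STRONG_ALGORITHMS or not digest:
                findings.append((path, f"weak or malformed integrity algorithm '{algo}'"))
    return sorted(findings)


if __name__ == "__main__":
    for path, problem in audit_lock(SAMPLE_LOCK):
        print(f"{path or '<root>'}: {problem}")
```

Run against the constructed lock it reports six problems: a dependency declared but not locked, a sha1-only hash, a package pulled over plain http from a mirror, and a git dependency that has neither an allowed registry nor a hash. The same script can run in CI on the real lock file with the allow-list set to your private registry.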
Automated vulnerability scanning
- Dependabot — GitHub-native. Opens PRs for vulnerable and outdated dependencies automatically.
- Snyk — commercial; adds licence compliance and container image scanning on top of dependency scanning, and opens fix PRs of its own.
- Trivy — open source; scans container images, file systems and lock files for known vulnerabilities and misconfigurations, and is easy to run as a CI step.
Keeping dependencies current
Enable Dependabot or Renovate for automated update PRs. Review and merge weekly: the longer you wait, the larger the update delta and the harder the merge. Keep a human in the loop for anything beyond a patch bump and read the release notes before merging, since an automated PR will move you onto a compromised release just as readily as onto a fixed one. The lock-file diff in that PR is where a changed resolved URL or integrity hash would show up, so it deserves the same look as the code.
Software Bill of Materials (SBOM)
An SBOM is a machine-readable inventory of every component in a build and its version, usually in CycloneDX or SPDX format with a package URL (purl) per component so that scanners can match it against advisories without re-resolving the dependency tree. US Executive Order 14028 called for SBOMs from suppliers of software to federal agencies, and enterprise customers increasingly ask for one. Generate it in CI with syft (Anchore), cdxgen, or GitHub's dependency-graph SBOM export, from the same lock file the build uses, and store it next to the artifact it describes: an SBOM generated from a developer checkout rather than the release build describes something you did not ship.
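What a generated SBOM contains and what it is for, as an added example that is not part of the original page and not the output of syft or cdxgen: a Python script that turns a Pipfile.lock into a minimal CycloneDX 1.5 document with one purl per component, then matches those purls against OSV-shaped advisory records the way a scanner consuming the SBOM would. The Pipfile.lock excerpt, its package names and hashes, and the two advisories (EXAMPLE-2024-0001 and EXAMPLE-2024-0002, for fictional packages) are all constructed for the example; the version comparison assumes plain dotted numeric versions.

```python
import json
import re

# Constructed Pipfile.lock excerpt for a fictional project. Names, versions
# and hashes are made up; Pipfile.lock pins "==version" plus sha256 hashes.
SAMPLE_PIPFILE_LOCK = r'''{
  "_meta": {"sources": [{"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": true}]},
  "default": {
    "acme-http": {"version": "==3.1.0", "hashes": ["sha256:0000000000000000000000000000000000000000000000000000000000000001"]},
    "acme-logger": {"version": "==2.0.1", "hashes": ["sha256:0000000000000000000000000000000000000000000000000000000000000002"]}
  },
  "develop": {
    "acme-testkit": {"version": "==7.4.0", "hashes": ["sha256:0000000000000000000000000000000000000000000000000000000000000003"]}
  }
}'''

# Constructed advisories in the shape OSV uses (affected package + introduced/fixed
# events). The identifiers are fictional and refer only to the fictional packages above.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "acme-logger"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.0.2"}]}]}]},
    {"id": "EXAMPLE-2024-0002",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "acme-http"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.5"}]}]}]},
]


def normalize(name):
    """PEP 503 name normalisation, also the form used inside pkg:pypi purls."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sbom_from_pipfile_lock(lock_text, application_name="example-app"):
    """Build a minimal CycloneDX 1.5 JSON document: one 'library' component per
    locked package, with purl, version and the lock file's hash carried across."""
    lock = json.loads(lock_text)
    components = []
    for section in ("default", "develop"):
        for name, meta in lock.get(section, {}).items():
            version = meta["version"].lstrip("=")          # Pipfile.lock writes "==x.y.z"
            norm = normalize(name)
            component = {"type": "library", "name": norm, "version": version,
                         "purl": f"pkg:pypi/{norm}@{version}",
                         "properties": [{"name": "pipfile:section", "value": section}]}
            if meta.get("hashes"):
                alg, _, digest = meta["hashes"][0].partition(":")
                # CycloneDX spells the algorithm "SHA-256", Pipfile.lock spells it "sha256".
                component["hashes"] = [{"alg": alg.upper().replace("SHA", "SHA-"), "content": digest}]
            components.append(component)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": application_name}},
            "components": components}


def version_key(version):
    """Assumption: plain dotted numeric versions. Real PEP 440 strings (rc1, .post1,
    epochs) need packaging.version.Version instead of this."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, events):
    """Walk ordered OSV events: 'introduced' opens an affected range, 'fixed' closes it."""
    affected, v = False, version_key(version)
    for event in events:
        if "introduced" in event and v >= version_key(event["introduced"]):
            affected = True
        if "fixed" in event and v >= version_key(event["fixed"]):
            affected = False
    return affected


def match_advisories(sbom, advisories):
    """Return (purl, advisory id) for every SBOM component inside an affected range."""
    hits = []
    for component in sbom["components"]:
        for advisory in advisories:
            for affected in advisory.get("affected", []):
                package = affected.get("package", {})
                if package.get("ecosystem") != "PyPI" or normalize(package.get("name", "")) != component["name"]:
                    continue
                for rng in affected.get("ranges", []):
                    if rng.get("type") == "ECOSYSTEM" and is_affected(component["version"], rng["events"]):
                        hits.append((component["purl"], advisory["id"]))
    return hits


if __name__ == "__main__":
    sbom = sbom_from_pipfile_lock(SAMPLE_PIPFILE_LOCK)
    print(json.dumps(sbom, indent=2))
    for purl, advisory_id in match_advisories(sbom, SAMPLE_ADVISORIES):
        print(f"{purl} is affected by {advisory_id}")
```

The point of the exercise is the purl: once every component carries a stable identifier, the matching step is a pure data join that anyone holding the SBOM can run, long after the build environment is gone. A real scanner would pull advisories from OSV or a vendor feed and use a PEP 440 version parser, but the join is the same.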
Typosquatting defence
Verify package names carefully before installing: requsets is not requests, and the damage is done at install time, because npm lifecycle scripts and a source package's setup.py run with your user's privileges before you ever import anything. Use private registries with an allow-list for production builds, and lint proposed new dependencies against that allow-list in CI, so that a near-miss of an approved name is caught in review rather than on a developer's laptop.