Fifteen Guidelines for Ensuring a Healthy Software Supply Chain – Dependency Management (Part 2)

Building on the first part that introduced the fifteen principles of dependency management, this second article details the full set of guidelines, divided into pre‑inclusion checks (nine items) and post‑use practices (six items).

Pre‑inclusion checks include:

Design review: verify clear documentation and API design, and check for compatibility notes.

Code quality: read source code, assess author diligence, and use compiler warnings such as -Wall for C/C++.

Automated testing: ensure the package provides runnable test cases and that they pass.

Debugging & maintenance: examine issue trackers for open bugs, their age, and activity levels.

Usage popularity: look at how many other packages depend on it (e.g., PCRE , Boost , JUnit ).

Security: confirm the package handles untrusted input safely and is not listed in vulnerability databases (e.g., NVD).

License compliance: verify the license exists and is compatible with your project.

Transitive dependencies: inspect the dependency’s own dependencies to avoid hidden risk.

Indirect risk examples: the left-pad removal incident and the event-stream supply‑chain attack illustrate why indirect deps matter.

Post‑use guidelines cover:

Encapsulation: define a thin interface that wraps the external library, exposing only needed functionality.

Isolation: run dependencies in sandboxed processes (e.g., Chrome extensions, gVisor) to limit crash impact.

Avoid risky deps: if a package cannot be isolated and poses high risk, consider dropping it.

Update strategy: balance upgrade cost against security risk, monitor bug‑fix releases, and test before deploying.

Monitoring: continuously verify the exact version and hash of each dependency, watch for new indirect deps, and re‑run both your tests and the package’s own tests after upgrades.

Timing of reviews: regularly reassess dependencies, especially those with a history of vulnerabilities (e.g., Apache Struts).

The article concludes with three actionable recommendations: raise awareness of the problem, establish best‑practice processes for dependency evaluation and risk mitigation, and develop future‑oriented tooling to lower the cost of managing dependencies.