Introduction
Dependency management is critical for maintaining secure and stable software. In 2026, supply chain attacks are increasingly common, and keeping dependencies up-to-date while managing breaking changes requires systematic approaches. This guide covers dependency management strategies, security practices, and automation tools.
Dependencies are external code packages your project relies on. Poor dependency management leads to security vulnerabilities, maintenance nightmares, and deployment failures.
Dependency Strategy
The Dependency Tree
Your App
|-- framework
|   `-- core
|       `-- openssl
|-- database
|   `-- driver
|       `-- pooler
`-- utils
    `-- helper
        `-- logger
Your manifest names only the top level (framework, database, utils). Everything below it, including openssl, pooler and logger, arrives transitively: nobody on the team chose or reviewed those packages, yet they run with the same privileges as your own code.
Pinning Versions
// package.json - NPM (one entry per pinning style from the table below)
{
  "dependencies": {
    "express": "4.18.2",
    "lodash": "^4.17.21",
    "axios": "~1.6.0",
    "debug": "*"
  }
}
# requirements.txt - Python
# Exact versions
requests==2.31.0
flask==3.0.0
# Compatible releases
pydantic>=2.0.0,<3.0.0
# Minimum version
numpy>=1.24.0
| Pinning Strategy | What an install may pull in | Use Case |
|---|---|---|
| Exact (4.18.2) | Nothing but that version | Production, stable releases |
| Caret (^4.18.0) | Minor and patch updates (for 0.x versions only patch) | Libraries, application manifests backed by a lock file |
| Tilde (~1.6.0) | Patch updates only | Conservative application manifests |
| Range (>1.0.0) | Any later version, including majors (no upper bound) | Avoid in production |
| Asterisk (*) | Any version ever published | Never in production |
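The table describes what each range permits; the following added example (not code from the original article) makes the rules concrete by implementing a small semver range evaluator covering exact, caret, tilde, comparator ranges and the wildcard, including npm's rule that a caret on a 0.x version only allows patch updates. Pre-release tags and build metadata are deliberately not handled; the `highestMatching` helper shows which published version a given range would actually pull in.

```javascript
// Added example, not code from the original article: a small semver range
// evaluator for the pinning styles in the table above. Pre-release tags and
// build metadata are not handled; use the `semver` package in real code.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand one range token into [operator, bound] comparators that must all hold.
function comparators(token) {
  if (token === '*' || token === 'x' || token === 'latest') return []; // no constraint at all
  if (token.startsWith('^')) {
    const [maj, min, pat] = parseVersion(token.slice(1));
    // ^1.2.3 -> >=1.2.3 <2.0.0   ^0.2.3 -> >=0.2.3 <0.3.0   ^0.0.3 -> >=0.0.3 <0.0.4
    const upper = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
    return [['>=', [maj, min, pat]], ['<', upper]];
  }
  if (token.startsWith('~')) {
    const [maj, min, pat] = parseVersion(token.slice(1));
    // ~1.6.0 -> >=1.6.0 <1.7.0
    return [['>=', [maj, min, pat]], ['<', [maj, min + 1, 0]]];
  }
  const m = /^(>=|<=|>|<|==|=)?(.+)$/.exec(token);
  const op = m[1] === '==' ? '=' : (m[1] || '='); // "==" is the requirements.txt spelling
  return [[op, parseVersion(m[2])]];
}

// Does `version` satisfy `range`? Tokens separated by whitespace (npm) or
// commas (requirements.txt) are ANDed; operators must be attached to the version.
function satisfies(version, range) {
  const v = parseVersion(version);
  const tokens = String(range).split(/[\s,]+/).filter(Boolean);
  return tokens.flatMap(comparators).every(([op, bound]) => {
    const c = compareVersions(v, bound);
    switch (op) {
      case '=':  return c === 0;
      case '>':  return c > 0;
      case '>=': return c >= 0;
      case '<':  return c < 0;
      case '<=': return c <= 0;
      default: throw new Error(`unknown operator ${op}`);
    }
  });
}

// Of the versions a registry has published, which is the newest one `range` would install?
function highestMatching(range, published) {
  return published
    .filter((p) => satisfies(p, range))
    .sort((a, b) => compareVersions(parseVersion(b), parseVersion(a)))[0] || null;
}
```

Feeding a manifest range plus the registry's version list into `highestMatching` is the quickest way to see why `*` and open-ended `>` ranges are unsafe: they resolve to whatever was published most recently, including a hijacked release.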
Security Scanning
npm audit
# Check for vulnerabilities (exits non-zero if any are found)
npm audit
# Audit with JSON output, for CI gating
npm audit --json
# Audit production dependencies only (npm 8+; --production is the legacy spelling)
npm audit --omit=dev
# Exit non-zero only for findings at or above a severity
npm audit --audit-level=high
# Apply fixes that stay within the ranges declared in package.json
npm audit fix
# Also apply fixes that need a semver-major bump; this can break the build
npm audit fix --force
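The exit code of `npm audit` is a blunt instrument; most teams want to fail on high and critical findings, see which ones are in direct dependencies, and know whether the available fix is a breaking one. The following added example (not code from the original article) reads the report that `npm audit --json` prints with npm 7 and later (`auditReportVersion` 2) and applies such a policy. The report embedded in it is constructed, with fictional package names and no real advisories.

```javascript
// Added example, not code from the original article: gate a CI job on the
// JSON report from `npm audit --json` (npm >= 7). The sample report at the
// bottom is constructed with fictional package names.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return one finding per vulnerable package at or above `threshold`,
// highest severity first.
function findingsAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  const out = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[vuln.severity];
    if (rank === undefined || rank < min) continue;
    // `via` mixes advisory objects (this package is the root cause) with bare
    // strings naming the dependency the problem is inherited through.
    const advisories = (vuln.via || []).filter((v) => typeof v === 'object' && v !== null);
    // fixAvailable is true, false, or an object describing the fix; the object
    // form carries isSemVerMajor when only `npm audit fix --force` would apply it.
    const fix = vuln.fixAvailable;
    out.push({
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      rootCause: advisories.length > 0,
      fixable: fix !== false && fix !== undefined,
      breakingFix: typeof fix === 'object' && fix !== null && Boolean(fix.isSemVerMajor),
    });
  }
  return out.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// CI policy entry point: fail the job when anything at or above `threshold` remains.
function shouldFail(report, threshold = 'high') {
  return findingsAbove(report, threshold).length > 0;
}

// Constructed sample report (fictional packages, no real advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: [{ source: 0, name: 'example-parser', title: 'constructed finding', severity: 'high', range: '<2.0.0' }],
      effects: ['example-framework'], range: '<2.0.0', nodes: ['node_modules/example-parser'],
      fixAvailable: { name: 'example-framework', version: '5.0.0', isSemVerMajor: true },
    },
    'example-framework': {
      name: 'example-framework', severity: 'high', isDirect: true,
      via: ['example-parser'],            // inherited through example-parser
      effects: [], range: '<=4.9.9', nodes: ['node_modules/example-framework'],
      fixAvailable: { name: 'example-framework', version: '5.0.0', isSemVerMajor: true },
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: true,
      via: [{ source: 0, name: 'example-logger', title: 'constructed finding', severity: 'low', range: '<1.1.0' }],
      effects: [], range: '<1.1.0', nodes: ['node_modules/example-logger'],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0, total: 3 } },
};
```

In a pipeline, pipe the audit output into this script and call `shouldFail(JSON.parse(require('fs').readFileSync(0, 'utf8')))`; the `breakingFix` flag tells you up front whether the remediation is a patch bump or a major upgrade that needs a human.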
Snyk
# .snyk policy file, kept at the repository root
version: v1.25.0
# Paths Snyk should not scan
exclude:
  global:
    - '**/node_modules/**'
    - '**/*.spec.ts'
# Accepted risks go under `ignore:`, keyed by Snyk issue ID, each with a
# `reason` and an `expires` date so the exception is revisited rather than forgotten.
# Snyk commands
snyk auth
# Test the project; exit non-zero only for issues at or above the threshold
snyk test --severity-threshold=high
# Snapshot the dependency tree so Snyk alerts on advisories published later
snyk monitor
# `snyk protect` is no longer part of the CLI; runtime patching moved to the
# @snyk/protect npm package
Dependabot
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    reviewers:
      - my-org/frontend        # teams are written org-name/team-name
    labels:
      - dependencies
      - npm
  - package-ecosystem: pip
    directory: /
    schedule:
      interval: weekly
    versioning-strategy: increase
SBOM (Software Bill of Materials)
Generating SBOM
# CycloneDX SBOM from the installed npm tree (@cyclonedx/cyclonedx-npm
# replaces the older @cyclonedx/bom package)
npx @cyclonedx/cyclonedx-npm --output-format JSON --output-file bom.json
npx @cyclonedx/cyclonedx-npm --output-format XML --output-file bom.xml
# SPDX format: use a general-purpose generator such as syft
syft dir:. -o spdx-json > sbom.spdx.json
SBOM Formats
<!-- CycloneDX XML -->
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library">
      <name>express</name>
      <version>4.18.2</version>
      <purl>pkg:npm/express@4.18.2</purl>
      <hashes>
        <hash alg="SHA-256">a2b...</hash>
      </hashes>
    </component>
  </components>
</bom>
The purl (package URL) is what vulnerability databases key on, so it must be exact: ecosystem, name and version. npm lock files record SHA-512 integrity values, so an SBOM generated from one will normally carry SHA-512 rather than SHA-256 hashes.
Automated Updates
Renovate Bot
// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "group:all",
    "schedule:weekly"
  ],
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
`config:base` is the deprecated name for `config:recommended`. `major` is an update type, so it is matched with `matchUpdateTypes`, not as a package pattern. Automerging minor and patch updates means a hijacked release can land without anyone looking at it; `minimumReleaseAge` holds every update back until the version has been public for a few days, which gives the ecosystem time to report and unpublish a compromised release before your bot picks it up.
Greenkeeper
Greenkeeper shut down in 2020 and its functionality was folded into Snyk, so there is no supported `greenkeeper` CLI to install or configure. Dependabot and Renovate, above, cover the same use case; leftover `greenkeeper.json` files can be deleted.
Dependency Cleanup
Finding Unused Dependencies
# npm: reports dependencies nothing imports, and imports with no matching dependency
npm install -g depcheck
depcheck
# Python: pipreqs writes a requirements file from the imports it finds;
# diff it against the committed one to spot packages nothing imports
pip install pipreqs
pipreqs /path/to/project --savepath requirements.from-imports.txt
diff requirements.txt requirements.from-imports.txt
# Go: tidy drops modules no package imports, then list what remains
go mod tidy
go list -m all
Pruning
# Remove packages present in node_modules but absent from the lock file
npm prune
# Install production dependencies only (npm install --production is the legacy spelling)
npm ci --omit=dev
# Clean node_modules and reinstall exactly what the lock file says
rm -rf node_modules
npm ci
Monorepo Dependencies
workspaces
// package.json at the repository root
{
  "name": "my-monorepo",
  "workspaces": [
    "packages/*"
  ],
  "private": true
}
Lerna
// lerna.json (Lerna 6 and earlier; Lerna 7 removed `bootstrap` and `useWorkspaces`)
{
  "version": "1.0.0",
  "packages": ["packages/*"],
  "npmClient": "yarn",
  "useWorkspaces": true,
  "command": {
    "publish": {
      "ignoreChanges": ["*.md", "test/**"]
    },
    "bootstrap": {
      "ignore": "component-*"
    }
  }
}
Lock Files
Why Lock Files Matter
Lock File Benefits
- Reproducible builds: every install resolves the same ranges to the same versions
- Deterministic deployments: what was tested is what ships
- Security auditing: an exact inventory of versions and hashes to scan and to diff in review
- Faster installs: no range resolution against the registry
- Conflict resolution: duplicates and hoisting are decided once and recorded
Committing Lock Files
# .gitignore: lock files must never be listed here. The negations below only
# matter if a broader rule earlier in the file would otherwise exclude them.
!package-lock.json
!yarn.lock
!Pipfile.lock
!Gemfile.lock
# Python: pip freeze records exact versions, but no hashes
pip freeze > requirements.txt
# Better: pip-tools produces a hash-pinned lock that pip then enforces
pip-compile --generate-hashes -o requirements.txt requirements.in
pip install --require-hashes -r requirements.txt
# npm: install from the lock and fail if package.json disagrees with it
npm ci
# Go: go.sum is the lock; check the module cache against it
go mod verify
Best Practices
- Audit regularly: run `npm audit` or `snyk test` in CI and on a weekly schedule, and fail the build above an agreed severity
- Automate updates: use Dependabot or Renovate, with a release-age delay before anything is automerged
- Pin production versions: exact or caret ranges in the manifest, exact versions and hashes in the lock file
- Remove unused deps: every package you do not use is attack surface you still have to patch
- Commit lock files: and install from them (`npm ci`) so CI and production get what was tested
- Use SBOM: track component provenance so "are we affected?" can be answered minutes after a new advisory
- Monitor vulnerabilities: subscribe to advisory feeds for every ecosystem you ship
Conclusion
Effective dependency management is essential for security and stability. Implement automated scanning, regular updates, and careful version pinning to maintain healthy dependency trees. In 2026, supply chain security is more important than ever.