Night Mode Labs Blue Book
Delivery

Dependency Management

Dependency management keeps applications patchable, reproducible, and understandable. It includes open-source packages, base images, build tools, actions, modules, and third-party services.

Dependency inventory

Track:

  • Runtime dependencies.
  • Development and build dependencies.
  • Container base images.
  • CI/CD actions and reusable workflows.
  • Infrastructure modules and providers.
  • Third-party APIs and SaaS dependencies.

Update strategy

  • Use automated dependency update tooling.
  • Group low-risk patch updates where practical.
  • Test lockfile changes in CI.
  • Prioritize security updates by exploitability and exposure.
  • Pin versions for reproducibility.
  • Define ownership for ignored or deferred updates.

Supply chain controls

Important controls include:

  • Trusted registries and package sources.
  • Lockfiles and checksum verification.
  • SBOM generation for important artifacts.
  • Vulnerability scanning.
  • Artifact signing and provenance for high-risk systems.
  • Review rules for new dependencies.
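Lockfiles and checksum verification are only a control if something actually refuses to install an artifact whose digest does not match. The following is an added example, not code from this handbook: a small parser for pip-style hash-pinned requirements (the `--hash=sha256:` form pip's `--require-hashes` mode consumes) and a verifier that compares downloaded artifact bytes against the recorded digests. The package names, versions, the second hash and the artifact bytes are constructed for the example; the first hash is the real SHA-256 of the bytes b"abc", which stand in for an intact download.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample lockfile in pip's hash-pinning format. Package names and
# versions are made up. The first digest is SHA-256(b"abc") so the "download"
# below verifies; the second is a placeholder that no real artifact matches.
REQUIREMENTS = """\
# requirements.txt (constructed example)
examplepkg==1.2.3 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
otherpkg==0.9.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)(.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass(frozen=True)
class PinnedRequirement:
    name: str
    version: str
    hashes: frozenset  # every sha256 hex digest the lockfile accepts


def parse_requirements(text):
    """Parse a hash-pinned requirements file into PinnedRequirement records.

    Refuses anything that is not an exact '==' pin with at least one hash,
    because a single unhashed line silently disables the whole control.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # join backslash-continued lines
            buf += line[:-1] + " "
            continue
        buf += line
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)

    reqs = []
    for line in logical:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        name, version, rest = m.groups()
        hashes = frozenset(HASH_RE.findall(rest))
        if not hashes:
            raise ValueError(f"{name}=={version} carries no --hash")
        reqs.append(PinnedRequirement(name.lower(), version, hashes))
    return reqs


def verify_artifacts(reqs, artifacts):
    """Map each pinned package to True/False: does the downloaded artifact's
    SHA-256 appear in the lockfile? A missing artifact is a failure, never a skip."""
    results = {}
    for req in reqs:
        data = artifacts.get(req.name)
        if data is None:
            results[req.name] = False
            continue
        digest = hashlib.sha256(data).hexdigest()
        results[req.name] = digest in req.hashes
    return results


# Constructed "downloads": examplepkg is intact, otherpkg was swapped in transit.
ARTIFACTS = {"examplepkg": b"abc", "otherpkg": b"tampered wheel bytes"}


def check_constructed_example():
    return verify_artifacts(parse_requirements(REQUIREMENTS), ARTIFACTS)


if __name__ == "__main__":
    for name, ok in check_constructed_example().items():
        print(f"{name}: {'OK' if ok else 'HASH MISMATCH'}")
```

Running this reports examplepkg as OK and otherpkg as a hash mismatch; in a real pipeline the mismatch should fail the build rather than log a warning, which is the behaviour pip's `--require-hashes` already gives you for Python projects.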

Dependency review

Review new dependencies for:

  • Maintenance activity.
  • License compatibility.
  • Transitive dependency risk.
  • Package size and runtime impact.
  • Security history.
  • Whether the dependency only replaces code that would be simple to write and maintain in-house.

Watchouts

  • Unpinned actions and base images can change without review.
  • Ignored vulnerability alerts become background noise.
  • Internal shared libraries can create coordinated release bottlenecks.
  • Vendored code still needs ownership and patching.
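The first watchout above (and the "pin versions" item under Update strategy) is easiest to enforce mechanically. The following is an added example, not code from this handbook: a scanner that reads workflow YAML and Dockerfiles and flags `uses:` references that resolve to a tag or branch rather than a full commit SHA, and `FROM` lines that carry no `@sha256:` digest. Local actions, `scratch` and earlier build stages are exempt because there is nothing external for them to resolve. The workflow, Dockerfile, 40-hex commit SHA and image digest are all constructed placeholders, not real revisions.

```python
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
STAGE_RE = re.compile(r"\s+AS\s+(\S+)", re.IGNORECASE)

# Constructed workflow: one tag-pinned action, one SHA-pinned action (the SHA is
# a placeholder, not a real commit), one repo-local action.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - name: Build image
        run: docker build .
"""

# Constructed Dockerfile: the build stage floats on a tag, the final stage is
# digest-pinned (placeholder digest).
DOCKERFILE = """\
FROM python:3.12-slim AS build
RUN pip install --require-hashes -r requirements.txt
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app /app
"""


def classify_image(ref, stages=frozenset()):
    """'pinned' if the image reference carries a sha256 digest, 'exempt' for
    scratch or an earlier stage, otherwise 'mutable-tag' (includes :latest
    and untagged references)."""
    if ref == "scratch" or ref in stages:
        return "exempt"
    return "pinned" if DIGEST_RE.search(ref) else "mutable-tag"


def classify_action(ref):
    """'pinned' only for a full 40-hex commit SHA. Tags and branches are
    mutable in GitHub Actions, so they are reported as 'mutable-tag';
    a reference with no '@' at all floats on the default branch."""
    if ref.startswith("./"):
        return "exempt"                       # versioned with the repository itself
    if ref.startswith("docker://"):
        return classify_image(ref[len("docker://"):])
    if "@" not in ref:
        return "unpinned"
    _, _, rev = ref.rpartition("@")
    return "pinned" if SHA1_RE.match(rev) else "mutable-tag"


def scan_workflow(text):
    """Return (kind, line_no, reference, status) for every uses: line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append(("action", n, m.group(1), classify_action(m.group(1))))
    return findings


def scan_dockerfile(text):
    """Return (kind, line_no, reference, status) for every FROM line,
    remembering stage aliases so later 'FROM <stage>' lines are exempt."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        findings.append(("image", n, m.group(1), classify_image(m.group(1), frozenset(stages))))
        alias = STAGE_RE.search(line)
        if alias:
            stages.add(alias.group(1))
    return findings


def unpinned(findings):
    """Everything a reviewer should see before merge."""
    return [f for f in findings if f[3] not in ("pinned", "exempt")]


if __name__ == "__main__":
    for kind, n, ref, status in unpinned(scan_workflow(WORKFLOW) + scan_dockerfile(DOCKERFILE)):
        print(f"{kind} line {n}: {ref} is {status}")
```

On the constructed inputs this flags `actions/checkout@v4` and the floating `python:3.12-slim` build stage, and passes the SHA-pinned action, the digest-pinned final image and the local action. A check like this belongs in CI alongside the automated update tooling, so that pinned SHAs and digests are bumped by reviewed pull requests rather than drifting silently.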
