Dependency Security

Modern applications are mostly other people's code. A typical web application might have hundreds of dependencies, each potentially containing vulnerabilities. Your own code might be secure, but one compromised package can expose everything.

Understanding the Risk

When you install a package, you're also installing everything it depends on — these transitive dependencies multiply quickly. A single npm install might add thousands of packages to your project, each written by different developers with varying security practices.

Known vulnerabilities in popular packages get catalogued in databases like the National Vulnerability Database (NVD). Attackers actively scan for applications using vulnerable versions.

Auditing Your Dependencies

Every major package manager includes audit tools:

# npm - JavaScript/Node.js
npm audit
npm audit fix  # Automatically update safe fixes

# pip - Python
pip-audit

# Or use safety
safety check -r requirements.txt

These tools compare your installed packages against vulnerability databases and report issues with severity ratings.
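To make that comparison concrete, here is a minimal audit routine written for this page (it is an added example, not code from npm audit, pip-audit or safety). It parses pip freeze style lines and matches each pinned version against a small advisory list; the package names, advisory IDs, version ranges and severities below are constructed placeholders, not real entries from NVD or any other database.

```python
"""Minimal dependency audit: match pinned packages against an advisory list.
Added example for illustration; the advisory data is constructed
(hypothetical packages and placeholder IDs), not a real vulnerability feed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE/GHSA id
    package: str
    affected: str      # comma-separated specifiers, e.g. ">=1.0,<1.4.2"
    severity: str
    fixed_in: str


# Constructed sample advisories (hypothetical packages and versions).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", ">=1.0,<1.4.2", "high", "1.4.2"),
    Advisory("EXAMPLE-0002", "examplelib", "<0.9", "medium", "0.9"),
    Advisory("EXAMPLE-0003", "othertool", "==2.0.0", "critical", "2.0.1"),
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); a non-numeric tail such as 'rc1' is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a, b):
    """Compare two version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def matches(version, specifiers):
    """True when `version` satisfies every comma-separated specifier."""
    ops = {"<=": lambda c: c <= 0, ">=": lambda c: c >= 0, "==": lambda c: c == 0,
           "<": lambda c: c < 0, ">": lambda c: c > 0}
    for spec in specifiers.split(","):
        spec = spec.strip()
        for op in ("<=", ">=", "==", "<", ">"):   # two-char operators first
            if spec.startswith(op):
                c = _cmp(parse_version(version), parse_version(spec[len(op):]))
                if not ops[op](c):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier: {spec}")
    return True


def parse_freeze(text):
    """Parse 'name==version' lines as produced by `pip freeze`."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def audit(freeze_text, advisories=ADVISORIES):
    """Return findings as (package, installed, advisory_id, severity, fixed_in)."""
    installed = parse_freeze(freeze_text)
    findings = []
    for adv in advisories:
        version = installed.get(adv.package.lower())
        if version is not None and matches(version, adv.affected):
            findings.append((adv.package, version, adv.advisory_id,
                             adv.severity, adv.fixed_in))
    return findings


# Constructed sample `pip freeze` output.
SAMPLE_FREEZE = """\
examplelib==1.3.0
othertool==2.0.1
unrelated==5.1
"""

if __name__ == "__main__":
    for pkg, ver, aid, sev, fix in audit(SAMPLE_FREEZE):
        print(f"{sev.upper():8} {pkg}=={ver}  {aid}  fixed in {fix}")
```

Real tools do the same matching with full PEP 440 or semver semantics and a live advisory feed; the point here is that an audit is only as good as the version comparison and the freshness of the data it runs against, which is why running it on every build matters.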

GitHub's Dependabot automatically monitors your repositories and creates pull requests when vulnerabilities are discovered. Enable it in your repository settings — it's free and catches issues you might miss.

Supply Chain Attacks

Beyond known vulnerabilities, supply chain attacks target the software distribution process itself:

Typosquatting creates malicious packages with names similar to popular ones. A developer typing npm install lodahs instead of lodash might install malware.

Compromised maintainers happen when attackers gain access to legitimate package maintainer accounts and push malicious updates.

Malicious updates can appear in previously trustworthy packages if maintainers are compromised or sell their packages.

Protecting Yourself

Use lock files like package-lock.json, or a requirements.txt with every version pinned. These ensure everyone installs exactly the same versions, preventing surprise updates.

# Generate a locked requirements file in Python
pip freeze > requirements.txt

Review dependency changes in pull requests. When a package updates, check what changed before merging.

Choose dependencies carefully. Prefer well-maintained packages with active communities, clear security policies, and minimal dependencies of their own.

Pin versions in production. Use exact versions rather than ranges like ^1.0.0, which automatically accept any newer 1.x release.

Run pre-commit hooks to catch accidentally committed secrets or suspicious package additions before they reach your repository.
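The last three points (exact pins, reviewing additions, pre-commit hooks) and the typosquatting risk described earlier can be checked mechanically. The script below is an added example written for this page, not any project's or package manager's own hook: it lints a requirements file, flags any entry that is not pinned to an exact version, and flags names that are one edit (insertion, deletion, substitution or adjacent transposition) away from a well-known package name so a reviewer can confirm the addition was intended. The well-known list and the sample file are constructed for illustration; a real hook would load the list from the project's own allowlist.

```python
"""Pre-commit style lint for a requirements file. Added example, not the
page's or any project's code. Flags unpinned versions and names that look like
a typo of a well-known package. WELL_KNOWN and SAMPLE are constructed."""
import re
import sys

# Constructed list of names the lint treats as well-known.
WELL_KNOWN = {"requests", "numpy", "flask", "django", "pandas", "cryptography"}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete,
    substitute and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name, known=WELL_KNOWN):
    """Return the well-known name `name` is one edit away from, else None."""
    name = name.lower()
    if name in known:
        return None
    for k in sorted(known):
        if edit_distance(name, k) == 1:
            return k
    return None


def is_exact_pin(spec):
    """Only '==X.Y.Z' (optionally followed by a marker or --hash) counts as pinned."""
    return bool(re.match(r"^==\s*\d+(\.\d+)*\s*(;|--hash|$)", spec))


def lint_requirements(text):
    """Return (line_no, message) findings for the text of a requirements file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, -r / -e / --index-url
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, f"unparseable requirement: {raw!r}"))
            continue
        name, spec = m.group(1), m.group(2)
        if not is_exact_pin(spec):
            findings.append((n, f"{name}: not pinned to an exact version "
                                f"({spec or 'no version'})"))
        known = lookalike(name)
        if known:
            findings.append((n, f"{name}: one edit away from {known}; "
                                f"confirm this package is the intended one"))
    return findings


# Constructed sample requirements file.
SAMPLE = """\
requests==2.31.0
flask>=2.0
numpyy==1.26.0
django
-r base.txt
"""

if __name__ == "__main__":
    problems = lint_requirements(SAMPLE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    sys.exit(1 if problems else 0)   # non-zero exit blocks the commit
```

Wired into a pre-commit hook, a non-zero exit stops the commit, so a range like flask>=2.0 or a near-miss name never reaches the repository without someone looking at it. The edit-distance check is a heuristic: it catches single-character slips and transpositions but not arbitrary lookalike names, so it complements rather than replaces reviewing each new dependency.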

The goal isn't zero dependencies — that's impractical. It's understanding what you're importing and staying informed when problems arise.
