Intermediate Application & Code

Dependency management and CVE — lock files, SCA, patch policy

Most modern applications depend on hundreds of third-party packages. Every package is a potential attack surface. Software supply chain attacks have become one of the leading threats: compromising a popular library affects everyone who uses it.

The Problem with Dependencies

Your app
  └── lib-A v2.3.1
        └── lib-B v1.0.0  ← CVE-2024-1234 (critical RCE)
              └── lib-C v4.2.0

You may not even know lib-B exists. SCA (Software Composition Analysis) maps the entire dependency tree.

Lock Files — Why They Are Essential

Lock files (package-lock.json, poetry.lock, go.sum, Cargo.lock) record the exact version of every dependency — including transitive ones. Without them, npm install or pip install may pull different versions across different environments.

Rules:

  • Always commit the lock file to the repository.
  • Never ignore or manually delete the lock file.
  • In production, install in a mode that fails on lock-file drift (npm ci, or --frozen-lockfile in yarn/pnpm) so that nothing is implicitly upgraded.

# npm — install exactly what is in the lock file
npm ci

# pip — using pip-tools to generate a pinned requirements.txt
pip-compile requirements.in  # generates requirements.txt with exact versions
pip install -r requirements.txt

# Go — go.sum already guarantees integrity
go mod download
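The guarantee npm ci gives only holds if every entry in the lock file is verifiable. As an added example (not code from the original page), the check below reads a package-lock.json and reports the entries that would weaken that guarantee: a package resolved from somewhere other than the expected registry, or one whose integrity hash is missing or uses a weak algorithm. The lock file content, the package names and the registry allowlist are all constructed for the demo.

```python
import json

# Constructed lockfileVersion-3 package-lock.json for the demo; package names and
# hashes are placeholders, not a real project's lock file.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"lib-a": "^2.3.1"}},
        "node_modules/lib-a": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/lib-a/-/lib-a-2.3.1.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/lib-b": {
            "version": "1.0.0",
            # pulled over plain HTTP from a host that is not the approved registry
            "resolved": "http://mirror.example.internal/lib-b-1.0.0.tgz",
            # current npm emits sha512; a sha1 entry means the hash is weak or was edited
            "integrity": "sha1-" + "B" * 27 + "=",
        },
        "node_modules/lib-c": {
            "version": "4.2.0",
            "resolved": "https://registry.npmjs.org/lib-c/-/lib-c-4.2.0.tgz",
            # no "integrity" at all: npm cannot verify the downloaded tarball
        },
    },
})

ALLOWED_REGISTRY = "https://registry.npmjs.org/"  # assumption: the only approved source


def audit_lock(lock_text, allowed_registry=ALLOWED_REGISTRY):
    """Return (package_path, finding) pairs for lock entries that weaken `npm ci` guarantees.

    Handles lockfileVersion 2 and 3, which both carry the flat "packages" map.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with a current npm")

    findings = []
    for path, entry in lock["packages"].items():
        # "" is the root project; "link" entries are workspace symlinks; neither is downloaded
        if path == "" or entry.get("link"):
            continue
        resolved = entry.get("resolved")
        integrity = entry.get("integrity")

        if not resolved:
            findings.append((path, "no resolved URL"))
        elif not resolved.startswith(allowed_registry):
            findings.append((path, f"resolved outside allowed registry: {resolved}"))

        if not integrity:
            findings.append((path, "missing integrity hash"))
        elif not integrity.startswith("sha512-"):
            findings.append((path, f"weak integrity algorithm: {integrity.split('-', 1)[0]}"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_lock(SAMPLE_LOCK):
        print(f"{path}: {finding}")
```

Run against the sample, lib-a passes, lib-b is reported twice (off-registry source and sha1 hash) and lib-c once (no integrity field). In CI this belongs next to npm ci, so a lock file that was hand-edited or regenerated against a different registry fails the build instead of silently changing what gets installed.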

SCA — Software Composition Analysis

SCA checks your dependencies against CVE databases and alerts when a known vulnerability is found.

Tools

Tool                      Ecosystem    Integration
npm audit                 Node.js      Native CLI
pip-audit                 Python       OSS CLI
bundle audit              Ruby         OSS CLI
Dependabot                Multi-lang   Native GitHub
Snyk                      Multi-lang   CI/CD, IDE
OWASP Dependency-Check    Multi-lang   OSS CI/CD

# npm — simple audit
npm audit

# Output
# high    Prototype Pollution in lodash
# Package  lodash
# Patched  >=4.17.21

# pip-audit
pip-audit

# found 1 vulnerability in 47 packages
# Name         Version  ID              Fix Versions
# pillow       9.0.0    PYSEC-2023-175  9.3.0

Dependabot on GitHub

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

Dependabot opens automated PRs with the updates. CI runs the tests and you review before merging.

CVE — What It Is and How to Prioritize

CVE (Common Vulnerabilities and Exposures) is the standard identifier for vulnerabilities. Each CVE has a CVSS score (0–10) indicating severity.

CVSS        Severity   Action
9.0–10.0    Critical   Immediate patch (<24h)
7.0–8.9     High       Patch within days
4.0–6.9     Medium     Current sprint
0.1–3.9     Low        Backlog

Also consider context: an RCE CVE in a library that only runs in an offline CLI has less impact than one in a public-facing API.

Patch Policy

Define and document:

  1. Audit frequency — minimum automated weekly.
  2. SLA by severity — CRITICAL in 24h, HIGH in 7 days, MEDIUM in 30 days.
  3. Approval process — dependency PRs go through the full CI pipeline.
  4. Version pinning — prefer >=X.Y.Z,<X+1 over * or latest.
  5. Dependency inventory — maintain an SBOM (Software Bill of Materials) for audits.
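The SCA step and the prioritization step fit together in one small pipeline. The following is an added example, not a tool from the original page: it matches exact pins from a pip-compile style requirements.txt against an advisory feed and assigns each hit the severity band from the CVSS table and the SLA from the patch policy above. The advisory records (identifiers, affected ranges, scores) and the requirements are constructed placeholders; version comparison is simplified to dotted numeric versions, whereas real tools apply the full PEP 440 rules.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    cvss: float
    summary: str


# Constructed advisory feed; identifiers, versions and scores are placeholders,
# not real CVE or PYSEC records.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "lib-b", "0.0.0", "1.0.1", 9.8, "remote code execution"),
    Advisory("EXAMPLE-0002", "pillow", "0.0.0", "9.3.0", 7.5, "out-of-bounds read in decoder"),
    Advisory("EXAMPLE-0003", "requests", "2.0.0", "2.31.0", 6.1, "credential leak on redirect"),
    Advisory("EXAMPLE-0004", "six", "0.0.0", "1.16.0", 2.0, "low-impact issue"),
]

# Constructed pinned requirements, in the shape pip-compile emits
PINNED_REQUIREMENTS = """\
lib-b==1.0.0
pillow==9.0.0
requests==2.31.0   # already at the first fixed version
six==1.16.0
"""

# Severity bands from the CVSS table and the SLAs from the patch policy
SLA_BANDS = [
    (9.0, "CRITICAL", "24h"),
    (7.0, "HIGH", "7 days"),
    (4.0, "MEDIUM", "30 days"),
    (0.1, "LOW", "backlog"),
]


def parse_version(text):
    """Dotted numeric version -> comparable tuple, zero-padded to three parts.
    Simplification: pre-releases, epochs and local versions are not handled."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_pinned(text):
    """Map package name -> version from exact `==` pins. Anything looser is rejected:
    an SCA result only means something against the versions actually installed."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"not an exact pin: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def classify(cvss):
    """(severity, SLA) for a CVSS base score, per SLA_BANDS."""
    for floor, severity, sla in SLA_BANDS:
        if cvss >= floor:
            return severity, sla
    return "NONE", "no action"


def scan(requirements_text, advisories=ADVISORIES):
    """Match pinned versions against the advisory feed; return findings, most severe first."""
    pins = parse_pinned(requirements_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is None or not is_affected(version, adv):
            continue
        severity, sla = classify(adv.cvss)
        findings.append({
            "package": adv.package, "version": version, "id": adv.vuln_id,
            "fix": adv.fixed, "cvss": adv.cvss, "severity": severity, "sla": sla,
        })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(PINNED_REQUIREMENTS):
        print(f"{f['severity']:8} {f['package']} {f['version']} -> fix {f['fix']} "
              f"({f['id']}, CVSS {f['cvss']}, SLA {f['sla']})")
```

On the sample input, lib-b 1.0.0 lands in the CRITICAL band with a 24h SLA and pillow 9.0.0 in HIGH with 7 days, while requests and six are skipped because they already sit at the first fixed version (the range is half-open, which is the detail most often got wrong when hand-matching advisories). The context adjustment from the CVE section, an offline CLI versus a public API, is deliberately left to the reviewer rather than encoded as a formula.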

Supply Chain Attacks

Watch out for:

  • Typosquatting — package reqests (missing ‘u’) instead of requests.
  • Dependency confusion — an internal package name matching a public one.
  • Maintainer compromise — a legitimate package with newly injected malicious code.

Mitigations: verify hash checksums, use a private scoped registry, monitor changelogs on upgrades.
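Two of these mitigations can be scripted. The following is an added example, not from the original page: a near-name check that flags a requirement within one edit of a package on an approved list (so reqests is reported beside requests), and a hash check with the semantics of pip's --require-hashes, comparing a downloaded artifact against the sha256 pin on its requirements line. The approved-package list, the requirement lines and the artifact bytes are constructed for the demo; the hash pin is computed from the constructed "genuine" bytes so the tampered copy is rejected.

```python
import hashlib
import re

# Constructed list of packages the project has approved; stands in for an internal allowlist
KNOWN_PACKAGES = {"requests", "pillow", "flask", "urllib3", "six"}

# Constructed artifact bytes: what the registry should serve, and a tampered copy
GENUINE_WHEEL = b"constructed bytes standing in for requests-2.31.0.whl"
TAMPERED_WHEEL = GENUINE_WHEEL + b"\n# injected marker"

# Requirement line in the form `pip-compile --generate-hashes` emits, pinned to the genuine bytes
REQUIREMENT_LINE = (
    "requests==2.31.0 --hash=sha256:" + hashlib.sha256(GENUINE_WHEEL).hexdigest()
)

HASH_PIN = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=1):
    """Approved names that `name` is one typo away from. Empty for an exact approved name."""
    n = name.lower()
    if n in known:
        return []
    return sorted(k for k in known if levenshtein(n, k) <= max_distance)


def review_names(requirement_lines, known=KNOWN_PACKAGES):
    """Classify each requirement as approved, a likely typo of an approved name, or unknown."""
    report = {}
    for line in requirement_lines:
        # the name ends at the first specifier, extras bracket or whitespace
        name = re.split(r"[=<>!~ \[]", line.strip(), 1)[0].lower()
        if not name:
            continue
        near = typosquat_candidates(name, known)
        if name in known:
            report[name] = "approved"
        elif near:
            report[name] = f"possible typosquat of {', '.join(near)}"
        else:
            report[name] = "not on approved list; review before adding"
    return report


def verify_artifact(requirement_line, artifact_bytes):
    """True only if artifact_bytes matches one of the sha256 pins on the line (pip --require-hashes)."""
    pins = set(HASH_PIN.findall(requirement_line))
    if not pins:
        raise ValueError("requirement has no sha256 pin; cannot verify")
    return hashlib.sha256(artifact_bytes).hexdigest() in pins


if __name__ == "__main__":
    for name, verdict in review_names(
        ["requests==2.31.0", "reqests==2.31.0", "pilow>=9.3", "django==4.2"]
    ).items():
        print(f"{name}: {verdict}")
    print("genuine ok:", verify_artifact(REQUIREMENT_LINE, GENUINE_WHEEL))
    print("tampered ok:", verify_artifact(REQUIREMENT_LINE, TAMPERED_WHEEL))
```

The name check is a review aid for pull requests that add a dependency, not a blocker: a distance-1 hit means a human should confirm the package before it enters the manifest. The hash check is what pip install --require-hashes does on every install once requirements.txt carries --hash pins, so a changed upload of an already-pinned version (the maintainer-compromise case) fails the install instead of running.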