Dependency

External software packages or components that a project uses or relies on to function properly.

What is a Dependency?

A dependency is an external software component, library, package, or module that a software project incorporates and relies on to function correctly. Instead of building all functionality from scratch, developers use dependencies to leverage existing, tested code for specific features or capabilities. Dependencies can range from small utility libraries to large frameworks that provide core application functionality.

Types of Dependencies

  1. Direct Dependencies - Packages that are explicitly imported or included in the project's source code or declared in package manifests

  2. Transitive Dependencies - Secondary dependencies that are required by direct dependencies but not explicitly declared in the project

  3. Development Dependencies - Used only during development and building (testing frameworks, linters, bundlers) but not needed in production

  4. Runtime Dependencies - Required for the application to run in production environments

  5. Peer Dependencies - Dependencies that the package expects to be provided by the consumer of the package

Dependency Management Challenges

Security Vulnerabilities

Every dependency potentially introduces security vulnerabilities. A single vulnerability in one package can affect thousands of dependent projects, as demonstrated by high-profile incidents like the Log4Shell vulnerability.

Version Compatibility

Different versions of dependencies may conflict with each other, leading to "dependency hell"—situations where satisfying all version constraints becomes difficult or impossible.

Dependency Drift

As dependencies are updated, an application may gradually drift away from its original tested state, potentially introducing bugs or security issues.

Supply Chain Risks

Dependencies represent a supply chain risk, as malicious actors can compromise widely used packages to distribute malware to every project that installs them.

Best Practices for Dependency Management

  • Maintain an SBOM (Software Bill of Materials) to track all dependencies
  • Regularly update dependencies to include security patches
  • Pin specific versions of dependencies to ensure reproducible builds
  • Use lockfiles to freeze exact dependency versions
  • Set up automated vulnerability scanning in your CI/CD pipeline
  • Vet dependencies before adding them to your project
  • Minimize the number of dependencies to reduce attack surface
  • Use dependency proxies or private repositories to mitigate supply chain attacks
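The dependency types above (direct vs. transitive, runtime vs. development) and several of these practices (pinning, lockfiles, an SBOM-style inventory, drift detection) can all be checked mechanically from a manifest and its lockfile. The script below is an added example, not FOSSA's code or any package manager's implementation: it walks a constructed, simplified manifest and lockfile (in the spirit of a package.json and its lockfile, with placeholder integrity hashes) to classify every package, flag direct dependencies declared with a version range instead of an exact pin, flag lockfile entries without an integrity hash, and report lockfile entries that nothing reaches any more.

```python
import re
from collections import deque

# Constructed sample manifest in the shape of a package.json (not a real project).
MANIFEST = {
    "name": "example-app",
    "dependencies": {"web-framework": "^4.2.0", "logger": "1.7.3"},
    "devDependencies": {"test-runner": "~9.1.0"},
}

# Constructed, simplified lockfile: resolved version, integrity hash and the
# packages each entry pulls in. The hash values are placeholders, not real digests.
LOCKFILE = {
    "web-framework": {"version": "4.2.1", "integrity": "sha512-PLACEHOLDER1",
                      "dependencies": {"http-parser": "^2.0.0", "logger": "^1.0.0"}},
    "http-parser":   {"version": "2.3.0", "integrity": "sha512-PLACEHOLDER2",
                      "dependencies": {"string-utils": "^0.9.0"}},
    "string-utils":  {"version": "0.9.4", "integrity": "sha512-PLACEHOLDER3",
                      "dependencies": {}},
    "logger":        {"version": "1.7.3", "integrity": "sha512-PLACEHOLDER4",
                      "dependencies": {}},
    "test-runner":   {"version": "9.1.4", "integrity": "sha512-PLACEHOLDER5",
                      "dependencies": {"string-utils": "^0.9.0", "assert-lib": "^3.0.0"}},
    "assert-lib":    {"version": "3.0.2", "integrity": None,  # deliberately missing
                      "dependencies": {}},
    "old-helper":    {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER6",
                      "dependencies": {}},  # nothing depends on this any more
}

# An exact semver pin: major.minor.patch with an optional prerelease tag.
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")


def closure(roots, lockfile):
    """Every package reachable from `roots` by following lockfile edges (BFS)."""
    seen, queue = set(), deque(roots)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        if name not in lockfile:
            raise KeyError(f"{name} is declared but has no lockfile entry")
        seen.add(name)
        queue.extend(lockfile[name]["dependencies"])
    return seen


def classify(manifest, lockfile):
    """Map each package to a (direct|transitive, runtime|dev) pair."""
    dev_specs = manifest.get("devDependencies", {})
    direct = set(manifest["dependencies"]) | set(dev_specs)
    runtime = closure(manifest["dependencies"], lockfile)
    dev = closure(dev_specs, lockfile)
    result = {}
    for name in runtime | dev:
        kind = "direct" if name in direct else "transitive"
        # Anything reachable from the runtime graph ships to production,
        # even if a dev tool also happens to pull it in.
        scope = "runtime" if name in runtime else "dev"
        result[name] = (kind, scope)
    return result


def unpinned(manifest):
    """Direct dependencies declared with a range rather than an exact version."""
    specs = {**manifest["dependencies"], **manifest.get("devDependencies", {})}
    return sorted(n for n, spec in specs.items() if not EXACT_VERSION.fullmatch(spec))


def missing_integrity(lockfile):
    """Lockfile entries that cannot be verified against a recorded hash."""
    return sorted(n for n, e in lockfile.items() if not e.get("integrity"))


def orphans(manifest, lockfile):
    """Lockfile entries nothing reaches any more: a drift signal worth pruning."""
    reachable = (closure(manifest["dependencies"], lockfile)
                 | closure(manifest.get("devDependencies", {}), lockfile))
    return sorted(set(lockfile) - reachable)


def inventory(manifest, lockfile):
    """Minimal SBOM-style list of every package in use, with its resolved version."""
    return sorted(
        [{"name": n, "version": lockfile[n]["version"], "kind": kind, "scope": scope}
         for n, (kind, scope) in classify(manifest, lockfile).items()],
        key=lambda c: c["name"],
    )


if __name__ == "__main__":
    for name, (kind, scope) in sorted(classify(MANIFEST, LOCKFILE).items()):
        print(f"{name:14} {kind:10} {scope}")
    print("unpinned direct specs:", unpinned(MANIFEST))
    print("missing integrity:   ", missing_integrity(LOCKFILE))
    print("orphaned lock entries:", orphans(MANIFEST, LOCKFILE))
```

Run as a script it prints the classification table and the three findings; in a CI job the same functions would read the real manifest and lockfile and fail the build when unpinned() or missing_integrity() is non-empty. Note the scope rule in classify(): a package reached from both the runtime and the development graph (string-utils here) is counted as runtime, because it ships to production regardless of which dev tool also happens to depend on it.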