← Lessons

quiz vs the machine

Platinum1760

Security

Dependency And Supply Chain Hygiene

Why the code you did not write can still compromise you and how to manage it.

6 min read · advanced · beat Platinum to climb

The Risk

Modern apps pull in many third party packages, which pull in more. A vulnerability or a malicious update anywhere in that tree runs with your application privileges. Attacks include a compromised maintainer account, a typosquatted package with a name close to a real one, and a build pipeline that injects code. This is supply chain risk, and it bypasses your own code review entirely.

The danger is trusting that every transitive dependency is benign and unchanged.

The Defense

  • Pin versions and commit a lock file so builds are reproducible and updates are deliberate.
  • Verify integrity with hashes so a tampered artifact is rejected.
  • Run dependency scanning to flag known vulnerable versions and update on a schedule.
  • Maintain a software bill of materials so you know what you ship and can respond fast when a flaw appears.
  • Limit what a build can do and review additions to the dependency tree.

Key idea

Pin and verify dependencies, scan them continuously, and track a bill of materials so a compromised package cannot silently enter your build.

Check yourself

Answer to earn rating on the learn ladder.

1. Why is supply chain risk dangerous?

2. What does a lock file with hashes provide?

3. Why keep a software bill of materials?