
Practice : Dependency Management Policies

Purpose and Strategic Importance

Dependency Management Policies provide clear guidance and automation around the use, update, and monitoring of third-party libraries. They reduce security, licensing, and stability risks while enabling teams to move fast with confidence.

By codifying expectations and aligning practices across teams, organisations can maintain secure, maintainable, and compliant software ecosystems - and prevent supply chain vulnerabilities from becoming production incidents.


Description of the Practice

  • Policies govern which dependencies are allowed, how they are tracked, when they are updated, and how risk is managed.
  • Policies are enforced through tooling (e.g. SCA, CI rules, policy-as-code) and supported with education and dashboards.
  • Common controls include version pinning, license restrictions, CVSS score thresholds, update cadences, and review gates.
  • Examples: “No dependencies with critical CVEs”, “Patch-level updates auto-approved weekly”, “GPLv3 not permitted”.
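The controls listed above (version pinning, a license denylist, CVSS thresholds, a review gate) are easiest to keep honest when they are expressed as data and checked by code in the pipeline. The following is an added example, not code from this playbook or from any of the tools it names: it evaluates a constructed dependency inventory, in the shape an SBOM plus advisory scan would yield, against a hypothetical policy. The `POLICY` table, the `Dependency` record, the `INVENTORY` entries and their CVSS scores and licenses are all assumptions constructed for illustration.

```python
"""Policy-as-code check of a dependency inventory against three controls:
version pinning, a license denylist and CVSS score thresholds.
Added example with a constructed policy and inventory; not the output of
any real SCA tool."""
from dataclasses import dataclass
import re

# Hypothetical policy expressed as data so it can be versioned and reviewed
# alongside the code it governs.
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"},
    "block_cvss": 9.0,   # CVSS v3 critical (9.0-10.0): fail the build
    "review_cvss": 7.0,  # CVSS v3 high (7.0-8.9): route through a review gate
    "require_pinning": True,
}

PINNED = re.compile(r"^\d+\.\d+\.\d+$")  # exact MAJOR.MINOR.PATCH only


@dataclass(frozen=True)
class Dependency:
    name: str
    version_spec: str  # as declared in the manifest, e.g. "2.31.0" or "^2.0"
    license: str       # SPDX identifier reported by the scanner (constructed)
    max_cvss: float    # highest CVSS base score among open advisories (constructed)


def evaluate(dep, policy=POLICY):
    """Return (decision, reasons); decision is 'block', 'review' or 'allow'.

    'block' wins over 'review', so a dependency that is both unpinned and
    carries a critical advisory is blocked, with every finding listed."""
    findings = []  # (severity, reason)
    if dep.license in policy["denied_licenses"]:
        findings.append(("block", f"license {dep.license} is not permitted"))
    if dep.max_cvss >= policy["block_cvss"]:
        findings.append(("block", f"open advisory with CVSS {dep.max_cvss} >= {policy['block_cvss']}"))
    elif dep.max_cvss >= policy["review_cvss"]:
        findings.append(("review", f"open advisory with CVSS {dep.max_cvss} needs review"))
    if policy["require_pinning"] and not PINNED.match(dep.version_spec):
        findings.append(("review", f"version spec {dep.version_spec!r} is not pinned"))

    if any(sev == "block" for sev, _ in findings):
        decision = "block"
    elif findings:
        decision = "review"
    else:
        decision = "allow"
    return decision, [reason for _, reason in findings]


def audit(inventory, policy=POLICY):
    """Evaluate every dependency; returns ({name: (decision, reasons)}, ci_passes)."""
    results = {d.name: evaluate(d, policy) for d in inventory}
    ci_passes = not any(decision == "block" for decision, _ in results.values())
    return results, ci_passes


# Constructed inventory; names, versions, licenses and scores are illustrative.
INVENTORY = [
    Dependency("requests", "2.31.0", "Apache-2.0", 0.0),
    Dependency("leftpad", "^1.0", "MIT", 0.0),
    Dependency("oldxml", "1.4.2", "GPL-3.0-only", 0.0),
    Dependency("fastparse", "3.2.1", "BSD-3-Clause", 9.8),
    Dependency("tinyutil", "0.9.0", "MIT", 7.5),
]

if __name__ == "__main__":
    results, ci_passes = audit(INVENTORY)
    for name, (decision, reasons) in results.items():
        print(f"{name:10} {decision:6} {'; '.join(reasons)}")
    print("CI verdict:", "pass" if ci_passes else "FAIL")
```

Running it as a CI step gives a single pass/fail verdict for the build while still reporting every finding, so a blocked dependency is not hidden behind the first failure. Keeping `POLICY` in data rather than in scattered conditionals is what lets the thresholds be changed by a reviewed pull request instead of a code change.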

How to Practise It (Playbook)

1. Getting Started

  • Define a baseline policy that aligns with your risk appetite and compliance needs.
  • Document rules for what is allowed, what is blocked, and what requires review.
  • Use dependency analysis tools to audit existing projects and highlight outliers.
  • Automate alerts for new vulnerabilities or license violations in your pipelines.

2. Scaling and Maturing

  • Introduce policy-as-code tooling (e.g. OPA, Renovate, Snyk, GitHub Advanced Security).
  • Implement automated update workflows for low-risk upgrades (e.g. patch versions).
  • Require manual review for high-impact or risky changes (e.g. major version bumps).
  • Track policy adherence metrics and include them in engineering dashboards.
  • Align policies with broader supply chain security initiatives and SBOM strategies.
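The two playbook rules on update flow (auto-approve low-risk patch upgrades, require manual review for major bumps) plus the adherence metric can be written down as a small decision function so the gate is the same in every repository. The block below is an added example with hypothetical rules and constructed data; it is not Renovate, Snyk or GitHub configuration, although the same rules could be expressed in those tools. `gate`, `classify_update`, `adherence` and the `SAMPLE` list are assumptions constructed for illustration. It also goes slightly beyond the text by treating a minor bump of a 0.x dependency as major, since semver makes no stability promise before 1.0.

```python
"""Update-gating rules for an automated dependency update workflow.
Added example with constructed data; not any real tool's configuration."""


def parse_semver(version):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.
    Pre-release tags and ranges are rejected: gating needs a pinned version."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a pinned semver version: {version!r}")
    return tuple(int(p) for p in parts)


def classify_update(current, candidate):
    """Return 'none', 'patch', 'minor' or 'major' for the proposed upgrade.

    While MAJOR is 0 the API is unstable, so a minor bump is treated as
    major for review purposes (an assumption of this example)."""
    cur, new = parse_semver(current), parse_semver(candidate)
    if new <= cur:
        return "none"  # downgrade or same version: nothing to do
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def gate(current, candidate, fixes_vulnerability=False):
    """Decide how the update flows through CI.

    patch      -> 'auto-merge' (low risk, approved automatically)
    minor/major-> 'review', or 'review-priority' if it closes an advisory
    no upgrade -> 'skip'"""
    kind = classify_update(current, candidate)
    if kind == "none":
        return "skip"
    if kind == "patch":
        return "auto-merge"
    return "review-priority" if fixes_vulnerability else "review"


def adherence(pending):
    """Policy adherence metric for a dashboard.

    pending: list of (name, current, latest). Returns the percentage of
    dependencies that are at most a patch release behind the latest."""
    if not pending:
        return 100.0
    ok = sum(1 for _, cur, latest in pending
             if classify_update(cur, latest) in ("none", "patch"))
    return round(100 * ok / len(pending), 1)


# Constructed sample of current vs. latest versions; not real project data.
SAMPLE = [
    ("requests", "2.31.0", "2.31.2"),   # patch: auto-merge
    ("flask", "2.3.0", "3.0.0"),        # major: review
    ("pydantic", "0.9.1", "0.10.0"),    # 0.x minor: treated as major
    ("click", "8.1.7", "8.1.7"),        # up to date
]

if __name__ == "__main__":
    for name, cur, latest in SAMPLE:
        print(f"{name:9} {cur:>7} -> {latest:<7} {gate(cur, latest)}")
    print(f"adherence: {adherence(SAMPLE)}%")
```

The metric deliberately counts a dependency as adherent when only a patch release is pending, because the policy above says patches are auto-applied on a cadence; a minor or major lag is what the dashboard should surface as drift between policy and practice.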

3. Team Behaviours to Encourage

  • Treat dependencies as part of your system - not just someone else’s code.
  • Review dependency changes with the same scrutiny as application code.
  • Stay curious - investigate what each library does and its maintenance signals.
  • Share policy rationale openly and invite improvement feedback.

4. Watch Out For…

  • Blanket bans that block productivity without alternatives or clear reasoning.
  • Drift between policy and practice due to lack of tooling or visibility.
  • Dependency sprawl - unmanaged growth in redundant or outdated libraries.
  • Security findings ignored due to alert fatigue or unclear ownership.

5. Signals of Success

  • Teams understand and follow dependency usage policies with ease.
  • Risk is reduced without slowing down development.
  • Updates are regular, predictable, and automated where safe.
  • Vulnerabilities and license issues are caught before reaching production.
  • Engineering and security teams collaborate on policy evolution.

Associated Standards

  • Policy enforcement is automated across environments
  • Developer workflows are fast and frictionless
  • Operational readiness is tested before every major release
  • Codebases consistently meet high standards of quality
  • Product and engineering decisions are backed by live data
