Dependency Management: 3 Tips to Keep You Sane

Dependency Management

Managing dependencies is not for the faint of heart. For a single project, you may be able to keep up with dependencies on your own. For software codebases with hundreds of modules, however, even the most seasoned developer will quickly descend into dependency hell.

Don’t worry: dependency hell has happened to the best of us! There are a couple things you can do to keep yourself sane and improve application security. Read on for our three favorite tips.

Dependency Management Defined

First, let’s define some of the basic terminology.

A software dependency is an external standalone library that can be as small as a single file or as big as multiple files and folders organized into packages to perform a specific task. For example, if you created a messaging app and wanted to encrypt your messages, you could use an external package created by someone else for the encryption. Your messaging app now has a dependency — the encryption package — that it needs to run properly.

There are two types of dependencies:

  • Direct dependencies are the libraries referenced directly by your application.
  • Transitive dependencies are the libraries your dependencies are calling; on a basic level, they are a dependency of a dependency.

The NPM dependency network

The NPM dependency network with many direct and transitive dependencies. From: 

Dependency management is a technique for identifying, resolving, and patching dependencies in your application’s codebase.

dependency manager is a software module that helps integrate external libraries or packages into your larger application stack.

The Importance of Dependency Management

When it comes to dependency management, open source software has made things more complex. Built on the foundation of sharing and reusing code, open source software now accounts for 60-80% of all applications’ code base, which means more dependencies to manage.

So why do you need visibility into your dependencies anyway? Outdated dependencies can impact your software application in a number of ways:

  • Security. Some libraries have known vulnerabilities. If you’re not updating these libraries, your application is exposed and you may be passing this risk on to others.
  • Performance improvements. If your dependencies are outdated, you may be missing out on the latest enhancements that significantly improve performance or add new functionality.
  • Quality assurance. To keep your application running smoothly, you need to prevent problems such as conflicting or circular dependencies as well as keep up to date on libraries that have been end-of-lifed and bug fixes.
  • License compliance. With so many dependencies, it can be hard to keep track of all your open source licenses. Many organizations don’t understand all licenses need to be compatible with each other and that they are bound not just by the licenses of direct dependencies, but also by the licenses of every transitive dependency. By not fully understanding all your dependencies’ licenses, you put your own IP at risk.

Barriers to Adopting a Comprehensive Dependency Management Policy

recent study by CloudFlare showed that websites using outdated versions of JavaScript libraries almost never update them once they are installed, and this problem is not limited to JavaScript. With so much at risk, why would anyone fail to manage their dependencies?

Simple inertia is the main reason companies aren’t actively updating their dependencies. Your software is working fine, so it feels as if there’s little incentive to update it. With so many other priorities, dependency management often gets ignored.

Another reason outdated dependencies aren’t updated is due to a fear of breaking the build. Dependency management is hard, and applications depend on many libraries. You might have long chains of transitive dependencies or even circular dependencies. Updating one dependency may break another one further down the chain.

3 Tips for Managing Your Dependencies

Keeping your dependencies up to date is important, but this is far easier said than done. The really hard part of managing your dependencies is understanding which dependencies are vulnerable to security threats and which updates won’t break your code. With so many direct and transitive dependencies, this can be a challenge, but we have some tips to help you manage this process:

#1 Prioritize. Some dependencies are more important than others, so it is important to be able to prioritize them, particularly when it comes to vulnerabilities. You need to understand exactly which open source vulnerabilities are being accessed by your code and which vulnerabilities aren’t so that you can update your most critical dependencies first.

#2 Automate. Maintaining your dependencies can be extremely time sensitive when it comes to vulnerabilities and bug fixes. You can save time and reduce your exposure by automating dependency updates in your software projects and have your dependencies updated when new versions are released.

#3 Establish policies. Establishing a clear policy up front about open source usage and dependency management helps prevent headaches later in development when it is more costly to resolve them. Your policies act as a playbook by telling your development and security teams how to handle these threats in your open source components. Without policies to give clear guidance, managing dependencies efficiently tends to be extremely hard if not close to impossible.

Dependency Management Heaven

Now that you understand the challenges that come with dependency management, you probably have a lot of questions. The answer you’re searching for is dependency update automation. Dependency update automation helps you stay current and requires less time than an ad-hoc approach. It also gives you a number of advanced features like sorting by dependency or patch type and can even auto-merge pull requests if tests pass.

With data breaches more common and compliance top of mind, developers are more concerned about dependency management than ever before. You can stay out of dependency hell by creating a clear plan that prioritizes dependencies with vulnerabilities and handles updates automatically.

Developers and DevOps personnel have powerful new tools for dependency management available to them, which will help usher them to dependency heaven.

See Our Additional Guides on Key Application Security Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of application security.


Learn about static application security testing (SAST) tools, which help find and remediate vulnerabilities in source code. 


Learn about the software development lifecycle (SDLC) and how to integrate security into all stages of the SDLC.

Website Security

Authored by Imperva

Learn about how to defend critical websites and web applications against cyber threats.

Rhys Arkins / About Author

Rhys Arkins is Vice President of Product Management, responsible for developer solutions at Mend. He was the founder of Renovate Bot – an automated tool for software dependency updating, which was acquired by Mend in 2019. Rhys is particularly fond of automation and a firm believer in never sending humans to do a machine’s job.