CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Dependency & Supply Chain Security

security CWE-1357 OWASP A6:2021 Intermediate

Also Known As

supply chain attack dependency vulnerabilities npm security composer security package security third party risk transitive dependencies

TL;DR

Protecting applications from malicious or vulnerable third-party packages — covering transitive dependencies, lock files, SRI hashes, CVE scanning, and supply chain attack vectors.

Explanation

Modern applications depend on hundreds of third-party packages. Each dependency is a potential attack surface — either through a known vulnerability (CVE) or through supply chain compromise (an attacker modifying a legitimate package). Transitive dependencies (dependencies of dependencies) are the highest-risk category: you never explicitly chose them, you may not know they exist, and they can contain critical vulnerabilities. Key controls: lock files (composer.lock, package-lock.json) pin exact versions including transitives; automated scanning (Dependabot, Snyk, composer audit, npm audit) alerts on newly disclosed CVEs; SRI hashes verify CDN-loaded scripts haven't been tampered with; minimal dependency hygiene (fewer packages = smaller attack surface). Supply chain attacks have surged since 2018: event-stream (2018), SolarWinds (2020), Log4Shell (2021), and XZ Utils (2024) all demonstrate that widely-trusted dependencies are high-value targets.

Common Misconception

Pinning dependency versions fully prevents supply chain attacks — version pinning prevents unexpected upgrades but a pinned version can still be compromised if the package registry is attacked; lock files and hash verification (SRI, npm integrity fields) are also required.

Why It Matters

Log4Shell (2021) affected millions of Java applications through a single logging library used as a transitive dependency — developers had no idea their application was vulnerable because Log4j was four levels deep in their dependency tree.

Common Mistakes

  • Not committing lock files (composer.lock, package-lock.json) — running install without a lock file installs unpinned latest versions, allowing unexpected breaking changes and undetected compromise.
  • Running composer update or npm update in CI without reviewing what changed — any update could introduce a compromised version.
  • Loading CDN scripts without SRI integrity hashes — if the CDN is compromised, malicious code runs on every user's browser.
  • Ignoring automated CVE alerts (Dependabot PRs, npm audit warnings) — known vulnerabilities remain exploitable until patched.
  • Installing packages with broad permissions (postinstall scripts) without reviewing them — malicious packages often use lifecycle hooks to execute code at install time.

Avoid When

  • Do not use wildcard (*) or very broad version ranges (^major, ~major.minor) in production dependency specifications.
  • Do not auto-merge dependency updates without reviewing the changelog and running tests — automated updates can introduce breaking changes or compromised versions.

When To Use

  • Apply dependency security controls to every project with third-party dependencies — no exceptions.
  • Use npm ci instead of npm install in CI pipelines to enforce exact lock file versions.
  • Generate and commit a Software Bill of Materials (SBOM) for regulated or enterprise projects.

Code Examples

✗ Vulnerable 
<!-- CDN script with no integrity check -->
<script src="https://cdn.example.com/library.js"></script>

# composer.json without committed composer.lock
# Running: composer install (installs latest, ignores lock)

// package.json with broad version ranges
"dependencies": {
  "lodash": "*"
}
✓ Fixed 
<!-- CDN script with SRI hash -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"
  integrity="sha384-1H217gwSVyLSIfaLxHbE7dRb3v4mYCKbpQvzx0cegeju1MVsGrX5xXxAvs/HgeFs"
  crossorigin="anonymous"></script>

# Commit and use the lock file
# composer install (uses composer.lock)
# npm ci (uses package-lock.json, stricter than npm install)

// Pin exact versions in package.json for production deps
"dependencies": {
  "lodash": "4.17.21"
}
Added 6 Apr 2026
Views 13

Curated in Warsaw under one editorial standard. 1,444 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
1 ping W 0 pings T 0 pings F 1 ping S 1 ping S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 2 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T
Agents 0
No pings yet today
SEMrush 3 Google 2 ChatGPT 1 Perplexity 1 Unknown AI 1 Ahrefs 1
Also referenced
Content Security Policy (CSP) 26 HTTP Security Headers 25 Subresource Integrity (SRI) 16 Mixed Content (HTTP on HTTPS) 8
How they use it
crawler 8 crawler_json 1
Related categories
security 4k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Run composer audit / npm audit in CI; commit lock files; add SRI hashes to CDN scripts; enable Dependabot or Snyk for automated CVE alerts
📦 Applies To
any web cli queue-worker
🔍 Detection Hints
CDN <script> without integrity attribute; missing lock file; unlocked version ranges in composer.json/package.json
Auto-detectable: ✓ Yes dependabot snyk composer-audit npm-audit socket-dev
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✗ Manual fix Fix: Medium Context: File Tests: Update
CWE-1357 CWE-829 CWE-494
✓ schema.org compliant