{
    "slug": "dependency_security",
    "term": "Dependency & Supply Chain Security",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Protecting applications from malicious or vulnerable third-party packages — covering transitive dependencies, lock files, SRI hashes, CVE scanning, and supply chain attack vectors.",
    "long": "Modern applications depend on hundreds of third-party packages. Each dependency is a potential attack surface — either through a known vulnerability (CVE) or through supply chain compromise (an attacker modifying a legitimate package). Transitive dependencies (dependencies of dependencies) are the highest-risk category: you never explicitly chose them, you may not know they exist, and they can contain critical vulnerabilities. Key controls: lock files (composer.lock, package-lock.json) pin exact versions including transitives; automated scanning (Dependabot, Snyk, composer audit, npm audit) alerts on newly disclosed CVEs; SRI hashes verify CDN-loaded scripts haven't been tampered with; minimal dependency hygiene (fewer packages = smaller attack surface). Supply chain attacks have surged since 2018: event-stream (2018), SolarWinds (2020), Log4Shell (2021), and XZ Utils (2024) all demonstrate that widely-trusted dependencies are high-value targets.",
    "aliases": [
        "supply chain attack",
        "dependency vulnerabilities",
        "npm security",
        "composer security",
        "package security",
        "third party risk",
        "transitive dependencies"
    ],
    "tags": [
        "security",
        "owasp-top10",
        "supply-chain",
        "dependencies"
    ],
    "misconception": "Pinning dependency versions fully prevents supply chain attacks — version pinning prevents unexpected upgrades but a pinned version can still be compromised if the package registry is attacked; lock files and hash verification (SRI, npm integrity fields) are also required.",
    "why_it_matters": "Log4Shell (2021) affected millions of Java applications through a single logging library used as a transitive dependency — developers had no idea their application was vulnerable because Log4j was four levels deep in their dependency tree.",
    "common_mistakes": [
        "Not committing lock files (composer.lock, package-lock.json) — running install without a lock file resolves the newest versions matching the declared ranges, allowing unexpected breaking changes and undetected compromise.",
        "Running composer update or npm update in CI without reviewing what changed — any update could introduce a compromised version.",
        "Loading CDN scripts without SRI integrity hashes — if the CDN is compromised, malicious code runs on every user's browser.",
        "Ignoring automated CVE alerts (Dependabot PRs, npm audit warnings) — known vulnerabilities remain exploitable until patched.",
        "Installing packages that run lifecycle scripts (postinstall hooks) without reviewing them — malicious packages often use these hooks to execute code at install time."
    ],
    "when_to_use": [
        "Apply dependency security controls to every project with third-party dependencies — no exceptions.",
        "Use npm ci instead of npm install in CI pipelines to enforce exact lock file versions.",
        "Generate and commit a Software Bill of Materials (SBOM) for regulated or enterprise projects."
    ],
    "avoid_when": [
        "Do not use wildcard (*) or very broad version ranges (^major, ~major.minor) in production dependency specifications.",
        "Do not auto-merge dependency updates without reviewing the changelog and running tests — automated updates can introduce breaking changes or compromised versions."
    ],
    "related": [
        "subresource_integrity",
        "mixed_content",
        "content_security_policy",
        "security_headers"
    ],
    "prerequisites": [],
    "refs": [
        "https://owasp.org/www-project-top-ten/2021/A06_2021-Vulnerable_and_Outdated_Components",
        "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity",
        "https://snyk.io/learn/supply-chain-attack"
    ],
    "bad_code": "<!-- CDN script with no integrity check -->\n<script src=\"https://cdn.example.com/library.js\"></script>\n\n# composer.json without a committed composer.lock\n# Running: composer install (no lock file present, so it resolves the newest matching versions)\n\n// package.json with a wildcard version range\n\"dependencies\": {\n  \"lodash\": \"*\"\n}",
    "good_code": "<!-- CDN script with SRI hash -->\n<script src=\"https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js\"\n  integrity=\"sha384-1H217gwSVyLSIfaLxHbE7dRb3v4mYCKbpQvzx0cegeju1MVsGrX5xXxAvs/HgeFs\"\n  crossorigin=\"anonymous\"></script>\n\n# Commit and use the lock file\n# composer install (uses composer.lock)\n# npm ci (uses package-lock.json, stricter than npm install)\n\n// Pin exact versions in package.json for production deps\n\"dependencies\": {\n  \"lodash\": \"4.17.21\"\n}",
    "quick_fix": "Run composer audit / npm audit in CI; commit lock files; add SRI hashes to CDN scripts; enable Dependabot or Snyk for automated CVE alerts",
    "severity": "high",
    "effort": "low",
    "created": "2026-04-06",
    "updated": "2026-04-06",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/dependency_security",
        "html_url": "https://codeclaritylab.com/glossary/dependency_security",
        "json_url": "https://codeclaritylab.com/glossary/dependency_security.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Dependency & Supply Chain Security](https://codeclaritylab.com/glossary/dependency_security) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/dependency_security"
            }
        }
    }
}