Dependency Management
Purpose
Section titled “Purpose”Dependencies accelerate delivery but expand the attack surface and maintenance burden.
Nexa context
Section titled “Nexa context”Nexa uses npm, Python packages, container base images, GitHub Actions, Terraform providers, Helm charts, and cloud SDKs. All are supply-chain dependencies.
Standard
Section titled “Standard”-
MUST: Commit lock files and use deterministic install commands such as
npm cianduv sync --locked. -
MUST: Python projects use uv and commit
uv.lock. Poetry and requirements-file projects require a time-boxed migration exception. -
MUST: Add a dependency only when its benefit exceeds the operational and security cost.
-
MUST: Remove unused dependencies.
-
MUST: Review license, maintenance activity, vulnerability history, and transitive footprint for material additions.
-
MUST: Enable automated update PRs for package ecosystems, Docker, and GitHub Actions.
-
MUST: Do not merge major upgrades without targeted regression evidence.
-
SHOULD: Group low-risk patch updates.
-
SHOULD: Schedule regular dependency maintenance instead of waiting for emergency CVEs.
-
SHOULD: Pin critical build dependencies and GitHub Actions to approved versions or SHAs.
Working model
Section titled “Working model”Dependabot or an approved equivalent proposes updates. CI validates quality and vulnerability impact. Owners review breaking changes and runtime compatibility before merge.
Evidence of compliance
Section titled “Evidence of compliance”Compliance is demonstrated through repository configuration, protected-branch settings, CI results, and review records. Teams should be able to show the evidence without reconstructing it manually.
Common failure modes
Section titled “Common failure modes”Common failures include broad version ranges, regenerated lock files with unrelated changes, duplicated libraries, abandoned packages, and dismissing vulnerabilities without confirming reachability or compensating controls.
Maturity path
Section titled “Maturity path”The initial standard favors consistency and auditable automation. Exceptions and advanced controls are introduced only after the baseline is adopted across repositories.