Skip to content

Dependency Management

Dependencies accelerate delivery but expand the attack surface and maintenance burden.

Nexa uses npm, Python packages, container base images, GitHub Actions, Terraform providers, Helm charts, and cloud SDKs. All are supply-chain dependencies.

  • MUST: Commit lock files and use deterministic install commands such as npm ci and uv sync --locked.

  • MUST: Python projects use uv and commit uv.lock. Poetry and requirements-file projects require a time-boxed migration exception.

  • MUST: Add a dependency only when its benefit exceeds the operational and security cost.

  • MUST: Remove unused dependencies.

  • MUST: Review license, maintenance activity, vulnerability history, and transitive footprint for material additions.

  • MUST: Enable automated update PRs for package ecosystems, Docker, and GitHub Actions.

  • MUST: Do not merge major upgrades without targeted regression evidence.

  • SHOULD: Group low-risk patch updates.

  • SHOULD: Schedule regular dependency maintenance instead of waiting for emergency CVEs.

  • SHOULD: Pin critical build dependencies and GitHub Actions to approved versions or SHAs.

Dependabot or an approved equivalent proposes updates. CI validates quality and vulnerability impact. Owners review breaking changes and runtime compatibility before merge.

Compliance is demonstrated through repository configuration, protected-branch settings, CI results, and review records. Teams should be able to show the evidence without reconstructing it manually.

Common failures include broad version ranges, regenerated lock files with unrelated changes, duplicated libraries, abandoned packages, and dismissing vulnerabilities without confirming reachability or compensating controls.

The initial standard favors consistency and auditable automation. Exceptions and advanced controls are introduced only after the baseline is adopted across repositories.