Session: Dependency management: the cause of—and solution to—all supply chain problems

How many dependencies does your software project have?

The answer is more complicated than simply looking at your requirements.txt or package.json file.

And how many will you have tomorrow? If there is one thing you can say for certain about your dependencies, it is that "it depends".

Most software is built with hundreds if not thousands of direct and transitive dependencies, and those dependencies change every day. Our analysis shows that up to 20% of PyPI packages change their dependency graphs multiple times per week. Ensuring that each one of these dependencies is trustworthy is a daunting task.

In this talk, we'll examine the decisions that determine not just your dependency graph but also the vulnerabilities that might lurk in it, and for how long. We'll look at what makes some vulnerabilities like log4shell so hard (and slow!) to fix across an ecosystem, dig into the complexities of dependency resolution algorithms (anyone want to solve a sudoku?), and recommend tools that can make practical dependency management possible, if not easy.
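The points above (the resolved graph is much larger than the requirements file, it changes when upstream publishes a release, and resolution is a constraint-satisfaction search with backtracking) can be seen in a toy resolver. This is example code added for this page, not code from the talk or its authors; the package names, versions and requirement strings in the index are constructed and hypothetical, not real PyPI projects.

```python
"""Tiny backtracking version resolver over a constructed package index.

Hypothetical package names and versions, constructed for this example;
none of them are real PyPI projects.
"""
import copy
import re

# name -> version -> list of requirement strings (pip-style specifiers)
INDEX = {
    "webapp-kit": {
        "2.0.0": ["http-core>=2.0", "log-shim>=1.0"],
        "1.5.0": ["http-core>=1.0,<2.0", "log-shim>=1.0"],
    },
    "http-core": {
        "2.1.0": ["tls-bits>=3.0"],
        "2.0.0": ["tls-bits>=3.0"],
        "1.9.0": ["tls-bits>=2.0,<3.0"],
    },
    "legacy-client": {"0.4.0": ["tls-bits>=2.0,<3.0"]},
    "log-shim": {"1.2.0": [], "1.0.0": []},
    "tls-bits": {"3.1.0": [], "3.0.0": [], "2.5.0": []},
}

# "Tomorrow": one upstream release lands; the requirements file is unchanged.
INDEX_TOMORROW = copy.deepcopy(INDEX)
INDEX_TOMORROW["legacy-client"]["0.5.0"] = ["tls-bits>=3.0"]

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")


def parse_version(text):
    """'1.0' and '1.0.0' compare equal: pad to three integer components."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirement(req):
    """'http-core>=1.0,<2.0' -> ('http-core', [('>=', (1,0,0)), ('<', (2,0,0))])"""
    name, spec = _REQ_RE.match(req.strip()).groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        op = next(o for o in sorted(_OPS, key=len, reverse=True) if part.startswith(o))
        clauses.append((op, parse_version(part[len(op):])))
    return name, clauses


def satisfies(version, clauses):
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def resolve(requirements, index=INDEX):
    """Return {name: version} meeting every requirement transitively, or None.

    Depth-first search, newest version first. Each chosen version appends its
    own requirements to the work list, so the graph grows as it is explored.
    When a later package has no version that fits the accumulated constraints,
    the search backtracks and tries an older version of an earlier choice.
    """
    def search(pending, chosen, constraints):
        if not pending:
            return chosen
        (name, clauses), rest = pending[0], pending[1:]
        constraints = {**constraints, name: constraints.get(name, []) + clauses}
        if name in chosen:  # already pinned: it must fit the new clauses too
            return search(rest, chosen, constraints) if satisfies(chosen[name], clauses) else None
        for ver in sorted(index.get(name, {}), key=parse_version, reverse=True):
            if not satisfies(ver, constraints[name]):
                continue
            new_reqs = [parse_requirement(r) for r in index[name][ver]]
            found = search(rest + new_reqs, {**chosen, name: ver}, constraints)
            if found is not None:
                return found
        return None  # no candidate works: the caller backtracks

    return search([parse_requirement(r) for r in requirements], {}, {})


def transitive_only(requirements, resolved):
    """Names present in the resolved graph but absent from the requirements file."""
    direct = {parse_requirement(r)[0] for r in requirements}
    return set(resolved) - direct


if __name__ == "__main__":
    reqs = ["webapp-kit", "legacy-client"]  # the whole "requirements.txt"
    for label, index in (("today", INDEX), ("tomorrow", INDEX_TOMORROW)):
        graph = resolve(reqs, index)
        print(label, graph, "transitive:", sorted(transitive_only(reqs, graph)))
    print("pinned webapp-kit==2.0.0 today:", resolve(["webapp-kit==2.0.0", "legacy-client"]))
```

Two lines in the requirements file resolve to five packages. Against today's index the newest webapp-kit cannot be used at all: its http-core requirement drags in a tls-bits major version that legacy-client forbids, and only after exhausting every branch under webapp-kit 2.0.0 does the search back off to 1.5.0. Tomorrow, a single legacy-client release flips the whole graph to the newer line without anyone touching the requirements file, and pinning webapp-kit==2.0.0 today has no solution at all. Real resolvers (pip's resolvelib, for instance) do the same search with far better heuristics, but the combinatorics are the same.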

Presenters: