Dependency Security
Audit dependencies with pip-audit and npm audit, automate updates with Dependabot, generate SBOM.
Dependency and Supply Chain Security
# Software Composition Analysis (SCA)
# Python -- pip-audit
pip install pip-audit
pip-audit                        # audits every package installed in the current environment
pip-audit -r requirements.txt    # audits the pinned requirements instead of the environment
# Node.js
npm audit
npm audit fix                    # applies only semver-compatible (non-breaking) fixes
npm audit --audit-level=high     # exits non-zero only for high/critical findings; use this to fail CI
# GitHub Dependabot (automatic PRs for updates)
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: pip
    directory: /
    schedule: {interval: weekly}
    open-pull-requests-limit: 10
  - package-ecosystem: npm
    directory: /frontend
    schedule: {interval: daily}
# SBOM (Software Bill of Materials), generated with the cyclonedx-bom package (the CLI changed between major versions)
cyclonedx-py -r -i requirements.txt -o sbom.json          # cyclonedx-bom 3.x: -r selects requirements-file mode
cyclonedx-py requirements requirements.txt -o sbom.json   # cyclonedx-bom 4.x: subcommand form
# Lock files
# Always commit: requirements.txt, package-lock.json, composer.lock
# Pin exact versions in production
# Verify package integrity
pip install --require-hashes -r requirements.txt
# requirements.txt format: the hash continues the requirement line (note the trailing backslash).
# With --require-hashes every package, transitive dependencies included, must be pinned and hashed,
# so generate the file with a tool such as pip-tools' `pip-compile --generate-hashes`.
requests==2.31.0 \
    --hash=sha256:58cd2187423839c73893b09fd...
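Pinning and hashing only protect the build if every line in the file actually carries them, and pip reports a missing hash only at install time. The checker below is an added example, not code from the page, that parses a requirements file the way pip does (continuations joined, then comments stripped) and reports anything unpinned or unhashed so a CI step can fail early; the sample file and its digest are constructed.

```python
"""Gate a requirements file on the --require-hashes discipline: every requirement
pinned with == and carrying a sha256 hash. Added example; the sample input is constructed."""
import re
import sys

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==(\S+)")  # name[extras]==ver
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
COMMENT_RE = re.compile(r"(^|\s+)#.*$")  # pip's rule: '#' at line start or after whitespace


def logical_lines(text: str) -> list[str]:
    """Join backslash continuations first, then strip comments and blanks (pip's order)."""
    joined, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        joined.append(buf + raw)
        buf = ""
    if buf:
        joined.append(buf)
    return [s for s in (COMMENT_RE.sub("", ln).strip() for ln in joined) if s]


def check_requirements(text: str) -> dict[str, list[str]]:
    """Return {'unpinned': [...], 'unhashed': [...]}; both empty means the file is clean."""
    report: dict[str, list[str]] = {"unpinned": [], "unhashed": []}
    for line in logical_lines(text):
        if line.startswith("-"):  # pip options (-r, -e, --index-url) are not requirements
            continue
        match = PIN_RE.match(line)
        if not match:
            report["unpinned"].append(line.split()[0])
        elif not HASH_RE.search(line):
            report["unhashed"].append(match.group(1).lower())
    return report


SAMPLE = (
    "# constructed requirements file; the sha256 value is a placeholder, not a real digest\n"
    "-r base.txt\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "flask>=2.0              # version range, not an exact pin\n"
    "cryptography==42.0.5    # pinned, but no hash\n"
)

if __name__ == "__main__":
    result = check_requirements(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    print("\n".join(f"{kind}: {name}" for kind, names in result.items() for name in names))
    sys.exit(1 if any(result.values()) else 0)  # non-zero exit fails the CI step
```

Run it as `python check_reqs.py requirements.txt` in the pipeline step before `pip install --require-hashes`; with no argument it checks the constructed sample.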
Topic Quiz · 1 question
Test your understanding before moving on
1. Which tool automatically creates PRs to update vulnerable dependencies?
💡 GitHub Dependabot monitors dependencies and automatically opens pull requests for security updates.