Open Source Dependency Management and Supply Chains

A team playbook

Authors

Andrew Nesbitt

Ann Wells

Robert Castelo

Dan Sholler

Jonah Duckles

Beth Duckles

Published

November 20, 2025

In this document, we share insights discussed in the Chan-Zuckerberg Initiative’s Essential Open Source Software program community call held on November 20, 2025.

Introduction

Managing dependencies in open source projects is about people, processes, and culture and how your team brings these together for the benefit of your project. This playbook helps teams develop an approach to dependency management that works for them while balancing security, maintainability, and developer’s time.

Part 1: Building Your Team’s Dependency Culture

1.1 Establishing Shared Ownership

The Challenge: Dependencies often become “someone else’s problem” until they break something critical.

Action Items:

  • Designate rotating dependency champions (quarterly rotation)
  • Create a dedicated communication channel (#dependencies)
  • Add dependency review to your PR checklist
  • Develop strategies for removing or replacing dependencies where possible
  • Document who to contact for different dependency ecosystems

Team Discussion Prompts:

  • What dependency issues keep us up at night?
  • Which dependencies do we struggle with most?
  • What are we already doing well in our dependency management?

Part 2: Moving from Reactive to Proactive

2.1 The Dependency Maturity Model

Stage Characteristics Next Steps
Firefighting • Updates only when things break
• No visibility into dependencies
• Manual, ad-hoc processes		 Start tracking manually
Aware • Know what dependencies exist
• Some automated scanning
• Reactive to security alerts		 Implement basic automation
Managed • Regular update cycles
• Automated testing
• Clear ownership		 Develop update policies
Optimized • Proactive monitoring
• Dependency health metrics
• Upstream engagement		 Contribute back upstream

2.2 Essential Capabilities Checklist

Technical Prerequisites:

  • Automated testing suite
  • Lockfiles or similar reproducibility mechanisms
  • Dependency scanning in CI/CD
  • SBOM generation capability

Social Prerequisites:

  • Clear communication channels with upstream projects
  • Regular team discussions about dependencies
  • Documented escalation paths
  • Time allocated for dependency maintenance

Part 3: Practical Implementation Guide

3.1 Week 1-2: Discovery Phase

Inventory Your Dependencies:

  1. Generate a complete dependency tree
  2. Identify critical vs. nice-to-have dependencies
  3. Map dependencies to team members who understand them
  4. Note any dependencies without clear maintainers

Tools to Consider:

  • GitHub/GitLab dependency graphs
  • Ecosyste.ms for ecosystem-wide visibility
  • Language-specific tools (npm audit, pip-audit, etc.)

3.2 Week 3-4: Establish Baselines

Set Up Monitoring:

# Example: Monthly Dependency Review Checklist
- [ ] Run security scans
- [ ] Review automated PR success rates
- [ ] Check upstream project health
- [ ] Update team wiki/documentation
- [ ] Discuss any concerning trends

Configure Automation Thoughtfully:

  • Start with security-only updates
  • Limit update frequency (e.g., max 5 PRs/week)
  • Group related updates
  • Ensure CI/CD catches breaking changes

3.3 Week 5-6: Build Processes

Create Communication Workflows:

Establish Review Practices:

  • Add dependency impact to PR templates
  • Require justification for new dependencies
  • Consider “dependency cooldown” settings in dependency tools

Part 4: Advanced Strategies

4.1 Reducing Dependency Surface Area

The “Hedge Trimming” Approach:

  1. Audit current dependencies quarterly
  2. Identify barely-used dependencies
  3. Consider inlining simple utilities
  4. Make heavy dependencies optional
  5. Split packages to isolate dependency-heavy features

4.2 Upstream Engagement

Building Relationships:

  • Join upstream project communities
  • Contribute fixes back
  • Share your use cases
  • Participate in roadmap discussions

Early Warning Systems:

  • Subscribe to upstream release notes
  • Monitor deprecation notices
  • Track upstream issue trackers
  • Build relationships with maintainers

4.3 Container and Deployment Strategies

Reproducibility Approaches:

  • Use containers for consistent environments
  • Implement proper tagging strategies
  • Document system-level dependencies
  • Consider managed build systems (like Bioconductor’s)

Part 5: Keeping It Fresh

5.1 Regular Team Activities

Monthly Dependency Coffee Chat:

  • 30-minute informal discussion
  • Rotate who presents a “dependency of the month”
  • Share recent challenges and solutions
  • Celebrate successful updates

Quarterly Dependency Health Check:

  • Review policy effectiveness
  • Analyze automation metrics (e.g., % of automated PRs merged)
  • Identify process improvements
  • Plan for major updates

Resources and Further Reading

Essential Tools

Community Resources

  • Join #dependency-management in your language community
  • CHAOSS working groups
  • OpenSSF Best Practices Badge program

Remember: Good dependency management is a journey, not a destination. Start small, iterate often, and celebrate progress along the way.

This resource was generated as part of CZI’s EOSS Community Calls during late 2024 with Organizational Mycology facilitating discussions, gathering input, and generating the final document. Participants in the calls, and open comment periods are given co-authorship in alphabetical order by last name.

CZI’s Essential Open Source Software for Science Organizational Mycology