Dependencies
Dependencies are supply-chain surface area: versions affect security, reproducibility, and upgrade cost.
When to Offer This Workflow
Trigger conditions:
- - Dependabot noise; major version upgrades
- CVE response or license audit
- “Works on my machine” due to unpinned dependencies
Initial offer:
Use six stages: (1) inventory & risk, (2) policy & cadence, (3) lockfiles & reproducibility, (4) upgrades & testing, (5) security & licensing, (6) governance & tooling). Confirm ecosystem (npm, pip, Maven, Go modules, etc.).
Stage 1: Inventory & Risk
Goal: Direct vs transitive dependencies; flag critical packages (crypto, auth, parsing, serialization).
Exit condition: SBOM or export for top applications; list of critical deps.
Stage 2: Policy & Cadence
Goal: When to upgrade (time-based vs on-demand); SemVer rules for libraries vs applications.
Stage 3: Lockfiles & Reproducibility
Goal: Committed lockfiles for deployable apps; libraries test against a compatibility matrix instead of one frozen lock.
Stage 4: Upgrades & Testing
Goal: Prefer one major bump per PR when feasible; CI matrix on supported language/runtime versions.
Stage 5: Security & Licensing
Goal: SCA scanning; patch SLA by severity; license allowlist for compliance.
Stage 6: Governance & Tooling
Goal: Renovate/Bot policies; pin internal packages; document exceptions and overrides.
Final Review Checklist
- - [ ] Inventory and risk hotspots known
- [ ] Upgrade cadence and semver policy documented
- [ ] Lockfiles or matrix strategy per repo type
- [ ] CI validates upgrades
- [ ] SCA and license policy enforced
Tips for Effective Guidance
- - Transitive CVEs may need overrides—trace the dependency graph.
- Pin CI images and toolchains, not only application dependencies.
Handling Deviations
- - Monorepos: shared versions with Nx/Bazel/etc.—coordinate breaking upgrades.
依赖项
依赖项是供应链暴露面:版本会影响安全性、可复现性和升级成本。
何时提供此工作流
触发条件:
- - Dependabot 噪声;主版本升级
- CVE 响应或许可证审计
- 因未锁定依赖项导致在我机器上能运行
初始提供:
使用六个阶段:(1) 清单与风险、(2) 策略与节奏、(3) 锁文件与可复现性、(4) 升级与测试、(5) 安全与许可、(6) 治理与工具)。确认生态系统(npm、pip、Maven、Go 模块等)。
阶段 1:清单与风险
目标: 直接依赖项与传递依赖项;标记关键包(加密、认证、解析、序列化)。
退出条件: 主要应用的 SBOM 或导出清单;关键依赖项列表。
阶段 2:策略与节奏
目标: 何时升级(基于时间还是按需);库与应用的 SemVer 规则。
阶段 3:锁文件与可复现性
目标: 可部署应用的已提交锁文件;库针对兼容性矩阵进行测试,而非单个冻结锁文件。
阶段 4:升级与测试
目标: 在可行时,每个 PR 优先进行一次主版本升级;针对支持的语言/运行时版本进行 CI 矩阵测试。
阶段 5:安全与许可
目标: SCA 扫描;按严重级别制定补丁 SLA;合规性许可白名单。
阶段 6:治理与工具
目标: Renovate/Bot 策略;锁定内部包;记录例外和覆盖规则。
最终审查清单
- - [ ] 已知清单和风险热点
- [ ] 已记录升级节奏和语义版本策略
- [ ] 按仓库类型配置锁文件或矩阵策略
- [ ] CI 验证升级
- [ ] 强制执行 SCA 和许可策略
有效指导技巧
- - 传递性 CVE 可能需要覆盖规则——追踪依赖关系图。
- 锁定 CI 镜像和工具链,而不仅仅是应用依赖项。
处理偏差
- - 单体仓库:使用 Nx/Bazel 等共享版本——协调破坏性升级。
