Aplikasi modern menggunakan banyak dependensi pihak ketiga (library, package), yang dapat mengandung vulnerability atau bersifat berbahaya. Mengelola keamanan dependensi — scanning, updating, dan vetting — penting dilakukan, karena dependensi yang rentan adalah vektor serangan yang umum (OWASP).
Risiko: dependensi adalah bagian dari attack surface Anda
Apps depend on MANY third-party packages (and their transitive dependencies):
→ a vulnerability in ANY dependency is a vulnerability in YOUR app
→ "using components with known vulnerabilities" is an OWASP Top 10 risk
→ MALICIOUS packages (typosquatting, compromised packages) — supply chain attacks
→ you're trusting/running a lot of code you didn't write.
