Prompt
When introducing new dependencies, especially those handling sensitive operations like language interpreters, perform comprehensive security due diligence before adoption. Evaluate each dependency against these security criteria:
- Maintenance health: Check for active development, large user base, and responsive contributors.
- Security track record: Review CVE history to confirm security issues are promptly addressed.
- Security integration: Verify integration with vulnerability tracking systems like GitHub advisories.
- Contingency planning: Document alternatives if the dependency becomes unmaintained.
For critical dependencies, document your findings in a security assessment that includes:
- Vulnerability history analysis
- Update frequency and responsiveness
- Embedded component maintenance strategy (if applicable)
- Security monitoring approach
Example from assessment:
// Security-vetted dependency
[dependencies.pyo3]
version = "0.23.3" // Includes fix for CVE-2024-9979
Always maintain awareness of dependency status. When a critical dependency becomes unmaintained (as happened with PyOxidizer), promptly implement your contingency plan by switching to maintained alternatives (like using pyo3 with python-build-standalone).