Dependency Governance

On This Page

1	Overview	2	Dependency Evaluation Criteria
3	Approval Process	4	Continuous Monitoring
5	Anti-Patterns to Avoid	6	References

Overview

Dependency governance applies across the full lifecycle of a dependency: evaluation before adoption, approval before first use, monitoring for vulnerabilities and licence changes after adoption, and planned retirement when alternatives become superior or the dependency is abandoned. The governance process is lightweight enough to accommodate normal development velocity while providing the oversight required for regulated industries.

Dependency Evaluation Criteria

Before a new dependency is added to any Ascendion mobile project, evaluate it against six criteria:

1. Necessity: Does this dependency solve a problem that cannot be solved acceptably in 40 hours of custom implementation? If the dependency provides 500 lines of genuinely complex logic (cryptography, complex parsing, platform-specific hardware integration), adoption is justified. If it wraps 20 lines of standard library code, build the 20 lines.

2. Security Posture: Check for known CVEs (OWASP Dependency Check), review the project's security disclosure policy, verify recent security audit history for SDKs handling sensitive data (payment SDKs, identity SDKs). Reject dependencies with unpatched P1/P2 CVEs.

3. Maintenance Activity: Last commit date, issue resolution velocity, open critical issues, responsive maintainers. A dependency with no commits in 18 months and 50 open issues is a liability regardless of its current functionality.

4. Licence Compatibility: Verify the licence is compatible with the project's licence and the client's commercial terms. GPL/AGPL licences require the entire application source to be open-sourced — incompatible with proprietary commercial applications. MIT, Apache 2.0, and BSD are generally safe.

5. Size Impact: Mobile applications have install size budgets. An SDK that adds 3MB to an APK or IPA must justify that cost with commensurate value. Use tools: Android Studio APK Analyser, iOS App Thinning report.

6. Privacy Implications: SDKs that collect analytics data, advertising identifiers, or behavioural telemetry require privacy impact assessment and disclosure in the App Store privacy nutrition label. For regulated industries, third-party analytics SDKs may require explicit user consent.

Approval Process

All new dependencies pass through the Dependency Review Gate before first commit:
1. Engineer proposes dependency with evaluation criteria completed
2. Tech Lead reviews and approves for standard dependencies (MIT/Apache, no CVEs, active maintenance)
3. Security Architect reviews for security-sensitive dependencies (authentication, cryptography, payment)
4. ARB reviews for dependencies with GPL licences, privacy implications in regulated apps, or size impact above 1MB

Continuous Monitoring

Dependabot configured on all repositories: scans for new CVEs daily, opens PRs for security updates automatically. SLA for security updates: P1 (CVSS 9.0+) within 72 hours, P2 (CVSS 7.0-8.9) within 1 week, P3 within 1 month. SBOM (Software Bill of Materials) generated at each release using CycloneDX, stored in the release artefact registry.

Anti-Patterns to Avoid

⚠ 1. Dependency as Default Reflex

Adding a library as the first response to any new requirement without evaluating whether the standard library or existing dependencies already cover the need.

Hover to see the fix ↻

↺ Correct Approach

Check existing dependencies first. Check the standard library. Implement from scratch if the implementation is under 40 hours and the logic is not cryptographic or hardware-specific. Document the build-vs-adopt decision in the ticket.

⚠ 2. Ignoring Transitive Dependencies

Auditing direct dependencies but not their transitive dependencies. The dependency you trust may depend on a compromised library.

Hover to see the fix ↻

↺ Correct Approach

OWASP Dependency Check analyses the full dependency tree, including transitive dependencies. The SBOM includes all transitive dependencies.

Flowchart

%%{init:{'theme':'base','themeVariables':{'fontSize':'14px','fontFamily':'IBM Plex Sans, system-ui, sans-serif','primaryColor':'#DBEAFE','primaryTextColor':'#1e3a5f','primaryBorderColor':'#2563EB','lineColor':'#374151','clusterBkg':'#F9FAFB','clusterBorder':'#D1D5DB','edgeLabelBackground':'#FFFFFF'},'flowchart':{'curve':'orthogonal','padding':30,'nodeSpacing':65,'rankSpacing':75,'useMaxWidth':true}}}%% flowchart TD PROP["Engineer Proposes New Dependency"] --> EVAL subgraph EVAL["📋 Evaluation Criteria"] NEC["Necessity < 40hrs to build yourself?"] SEC["Security CVE check · Disclosure policy"] MAINT["Maintenance Last commit · Open issues"] LIC["Licence MIT / Apache 2.0 preferred No GPL in proprietary apps"] SIZE["Size Impact APK Analyser · App Thinning"] PRIV["Privacy Data collection · Consent needed?"] end EVAL --> GATE subgraph GATE["🚦 Approval Gate"] TL["Tech Lead Review Standard dependencies"] SA["Security Architect Review Auth · Crypto · Payment SDKs"] ARB["ARB Review GPL · Privacy impact · Size > 1MB"] end GATE --> MON subgraph MON["📊 Continuous Monitoring"] DEP["Dependabot Daily CVE scan Auto PR for security updates"] SBOM["SBOM per Release CycloneDX format Full dependency tree"] SLA["Patch SLA P1 CVE: 72hr P2 CVE: 1 week"] end style EVAL fill:#E3F2FD,stroke:#1565C0 style GATE fill:#FFF3E0,stroke:#E65100 style MON fill:#E8F5E9,stroke:#1B5E20

References

OWASP — Dependency Check. owasp.org/www-project-dependency-check
NTIA — Software Bill of Materials. ntia.gov/sbom
CycloneDX — SBOM Standard. cyclonedx.org
Google — Play SDK Index. developer.android.com/distribute/sdk-index

Mobile Engineering Reference

← Mobile Development