Every Dependency You Add is a Supply Chain Attack Waiting to Happen

Source: benhoyt.com

Date: April 2026

Tags: security supply-chain devops

The Core Message

It's not every dependency you add that's a problem; it's every dependency you update. When you first add a dependency you evaluate it, and the hash recorded in your lockfile pins exactly the code you reviewed. An automated updater such as Dependabot then bumps that pin to a new version, and the new code arrives with little or no human review, so the due diligence done at the time of adding no longer covers what is actually running.
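The review surface the post is talking about, as an added example that is not code from the post or from Ben Hoyt: a small Go program that diffs two go.sum files and lists what an automated update actually changed. The module paths and h1: hashes in the samples are constructed placeholders, not real modules. The case an auto-merge hides best is a version you already vetted whose hash differs between the two files; the program reports that separately from an ordinary version bump.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GoSum maps module path -> version -> h1: hash ("/go.mod" lines are skipped).
type GoSum map[string]map[string]string

// ParseGoSum parses go.sum content, rejecting malformed lines rather than dropping them.
func ParseGoSum(content string) (GoSum, error) {
	sum := GoSum{}
	for i, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed entry %q", i+1, line)
		}
		if strings.HasSuffix(f[1], "/go.mod") {
			continue // hashes only the go.mod file; the module line covers the version
		}
		if sum[f[0]] == nil {
			sum[f[0]] = map[string]string{}
		}
		sum[f[0]][f[1]] = f[2]
	}
	return sum, nil
}

// Change is one review item; Kind is "added", "removed", "bumped" or "hash-changed",
// and Old/New hold versions, or the two hashes for "hash-changed".
type Change struct {
	Module, Kind, Old, New string
}

// versionList returns a module's versions sorted and comma-joined.
func versionList(m map[string]string) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, ",")
}

// Diff reports every module whose pinned versions or hashes differ, sorted by module path.
func Diff(oldSum, newSum GoSum) []Change {
	var changes []Change
	for mod, newVers := range newSum {
		oldVers, existed := oldSum[mod]
		if !existed {
			changes = append(changes, Change{mod, "added", "", versionList(newVers)})
			continue
		}
		for v, h := range newVers {
			// Same version, different hash: content behind an already-reviewed pin changed.
			if oh, ok := oldVers[v]; ok && oh != h {
				changes = append(changes, Change{mod, "hash-changed", oh, h})
			}
		}
		if old, cur := versionList(oldVers), versionList(newVers); old != cur {
			changes = append(changes, Change{mod, "bumped", old, cur})
		}
	}
	for mod, oldVers := range oldSum {
		if _, ok := newSum[mod]; !ok {
			changes = append(changes, Change{mod, "removed", versionList(oldVers), ""})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Module < changes[j].Module })
	return changes
}

// Constructed sample go.sum files: module paths and h1: hashes are placeholders.
const OldGoSum = `
github.com/example/fast-json v1.4.0 h1:old-json-placeholder=
github.com/example/fast-json v1.4.0/go.mod h1:old-json-mod-placeholder=
github.com/example/logkit v0.9.2 h1:logkit-placeholder=
github.com/example/oldutil v2.0.0 h1:oldutil-placeholder=
`
const NewGoSum = `
github.com/example/fast-json v1.5.0 h1:new-json-placeholder=
github.com/example/logkit v0.9.2 h1:different-logkit-placeholder=
github.com/example/newdep v0.1.0 h1:newdep-placeholder=
`

func main() {
	oldSum, errOld := ParseGoSum(OldGoSum)
	newSum, errNew := ParseGoSum(NewGoSum)
	if errOld != nil || errNew != nil {
		panic(fmt.Sprint(errOld, errNew))
	}
	for _, c := range Diff(oldSum, newSum) {
		fmt.Printf("%-12s %s  %s -> %s\n", c.Kind, c.Module, c.Old, c.New)
	}
}
```

Run against the go.sum before and after a bot-generated pull request and the output is the list of things a human has to look at: one version bump, one added module, one removed module, and one pin whose hash changed without its version changing, which is the line that should block the merge until someone explains it.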

Recent Examples

The post points to the XZ backdoor and the Trivy incident, both discussed under "Why This Matters" below.

Key Recommendations

  1. Turn off Dependabot — "In my experience, we get more problems from automatic updates than we would by staying on the old versions until needed."
  2. Think twice before adding dependencies — As the Go proverb says: "a little copying is better than a little dependency"
  3. Fewer dependencies = smaller programs + safer programs

Context

This essay follows Ben Hoyt's earlier piece "The small web is beautiful" where he discussed how using fewer dependencies makes programs smaller. This article extends that argument to security.

"The careful reader may note that my title is not quite accurate. It's not every dependency you add that's a problem; it's every dependency you update."

Why This Matters

The software industry has been trained to accept updates automatically. Automated dependency updates pull new code into a build on a schedule, and a compromised release is pulled in just as readily as a legitimate one unless someone reviews the change. The XZ backdoor, planted in a widely used compression library, and the Trivy incident, which hit a security scanner, show that trusted components, security tools included, can become attack vectors.