All about dependencies

Every dependency is a design decision.

Modern software systems rely heavily on third-party libraries. They speed up development and extend capabilities, but they also introduce hidden risks: security vulnerabilities, maintenance uncertainty, licensing exposure, and long-term operational costs.

This talk explores dependency management as a core architectural concern. Instead of treating dependencies as simple downloads, we examine them as long-term commitments that shape the resilience, maintainability, and evolution of software systems.

Expect to discover specific tools that help address compliance and decision-making concerns.

Who is this for?

• Software engineers building long-lived systems
• Architects responsible for system sustainability
• Technical leads managing dependency-heavy codebases

Level

Practitioner to advanced

What this session covers

• The hidden risks of modern dependency ecosystems
• Transitive vulnerabilities and ecosystem fragility
• Evaluating dependency sustainability beyond popularity metrics
• Architectural patterns that allow dependencies to be replaced or contained
• How regulation and supply chain security affect engineering decisions

Key takeaways

• How to evaluate the long-term risk of a dependency
• Architectural techniques that reduce dependency lock-in
• Practical ways to design systems that remain adaptable when dependencies fail

What it’s not

• Not a legal or compliance talk
• Not a package manager tutorial
• Not a security-only discussion

Full description

Modern software is built on dependencies. They accelerate delivery, extend capabilities, and allow teams to focus on differentiation. But every import is an architectural decision with long term consequences. Beneath the convenience of package managers lie transitive vulnerabilities, maintenance risks, hidden operational costs, license exposure, performance trade offs, and ecosystem fragility.

The real cost of adopting a dependency is the probability of failure multiplied by its impact. What seems efficient today can become technical debt tomorrow when maintainers disappear, APIs shift unexpectedly, governance models change, or security flaws surface deep in transitive trees. Systems that must live for years inherit not just functionality but assumptions about threading, memory, serialization, and lifecycle management.

In regulated environments shaped by the EU Cyber Resilience Act, dependency decisions intersect with secure by design and secure by default obligations, SBOM transparency, and supply chain accountability. However, dependency risk is not merely an infrastructure or compliance problem. It is a core software engineering concern. Architectural boundaries, upgrade strategies, abstraction choices, and test isolation determine whether a dependency can be replaced, patched, or contained when it fails. These are design decisions made in code, not policies written in audit documents.

This session reframes dependency management as strategic engineering rather than administrative hygiene. We examine how to evaluate long term sustainability, assess project health beyond popularity metrics, manage upgrade fatigue, design for replaceability, and build systems that remain adaptable as ecosystems evolve.

Dependencies are not downloads. They are commitments that shape system behavior, resilience, and long term ownership. This talk equips teams to choose them deliberately, responsibly, and with sustained engineering stewardship in mind.