Prompt #186
Dependency Pinning Strategy
- Variables: project, language, target
- Tags: open-source, security, dependencies, supply-chain, sbom
- Source: https://docs.renovatebot.com/
- Use count: 0
- Created: 2026-05-01T18:34:49.745451+00:00
- Updated: 2026-05-01T18:34:49.745451+00:00
Content
You are a supply chain security expert. Design a dependency pinning strategy for: {{project}}
Language: {{language}}
Deployment target: {{target}} (production server / container / serverless)
Address:
1. Direct vs transitive dependencies: what to pin and at what granularity
2. Lock file strategy: uv.lock / poetry.lock / package-lock.json / Cargo.lock (check-in or not?)
3. Reproducible builds: hash-based pinning (pip --require-hashes / npm --integrity)
4. Update cadence: Dependabot / Renovatebot config: auto-merge patch, review minor/major
5. Vulnerability scanning: osv-scanner / trivy / pip-audit integration in CI
6. Private registry mirroring for air-gapped deployments
7. Vendoring trade-offs: when to vendor (Go mod vendor) vs always fetch
Output: Renovatebot config JSON + CI scanning step + developer update workflow.