Risk Categories in Software Dependencies

Vulnerability risks represent the most visible category of dependency threats. Known vulnerabilities with CVE identifiers affect thousands of components, from critical remote code execution flaws to minor information disclosure issues. The Log4j vulnerability demonstrated how a single critical flaw in a widely used component could impact millions of applications globally. These vulnerabilities might exist in current versions or only affect older versions, so careful version management is required to know which installed releases are actually exposed.

License compliance risks, while less dramatic than security vulnerabilities, can have serious business impacts. Open source licenses range from permissive (MIT, Apache) to restrictive (GPL, AGPL), each with different obligations. Using a GPL-licensed component in proprietary software might require releasing source code. Incompatible license combinations can create legal exposure. Commercial components bring their own licensing requirements that must be tracked and managed. Organizations have faced lawsuits and been forced to rebuild applications due to license violations.

Operational risks arise from depending on components that might become unavailable or unmaintained. The JavaScript community's "left-pad" incident, where removal of a trivial 11-line package broke thousands of applications, highlighted how operational dependencies create fragility. Components might disappear from repositories, maintainers might abandon projects, or breaking changes might make upgrades difficult. These risks require contingency planning beyond security patching.
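The three categories above can be checked mechanically against a dependency manifest. The following Python is an added example, not code from the original article: it assesses a constructed manifest for vulnerable version ranges, license policy, and operational (availability and maintenance) risk. All package names, the advisory table, the license sets and the staleness threshold are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Dependency:
    name: str
    version: str             # dotted "major.minor.patch"
    license: str             # SPDX identifier as recorded in the manifest
    days_since_release: int  # constructed staleness signal
    resolvable: bool = True  # still fetchable from the package registry

def parse_version(text):
    # Turn "1.4.2" into the comparable tuple (1, 4, 2).
    return tuple(int(part) for part in text.split("."))

# Constructed advisory table (hypothetical package): name -> [(introduced, fixed)],
# where 'fixed' is the first safe release, so only older versions are affected.
ADVISORIES = {"fastparse": [("1.0.0", "1.4.2")]}
# License classes named in the text; the sets are illustrative, not a legal policy.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
STALE_DAYS = 730  # constructed threshold: two years without a release

def assess(deps, distribution="proprietary"):
    """Return (package, category, detail) findings across the three risk categories."""
    findings = []
    for d in deps:
        v = parse_version(d.version)
        # Vulnerability risk: flag only versions that fall inside a known-affected range.
        for introduced, fixed in ADVISORIES.get(d.name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append((d.name, "vulnerability", f"{d.version} affected, upgrade to >= {fixed}"))
        # License risk: copyleft in a proprietary product needs review; unknown licenses need classification.
        if distribution == "proprietary" and d.license in COPYLEFT:
            findings.append((d.name, "license", f"{d.license} may require source release"))
        elif d.license not in PERMISSIVE | COPYLEFT:
            findings.append((d.name, "license", f"unclassified license {d.license!r}"))
        # Operational risk: a package that vanished from the registry, or one no longer maintained.
        if not d.resolvable:
            findings.append((d.name, "operational", "not resolvable from the registry, vendor a copy"))
        elif d.days_since_release > STALE_DAYS:
            findings.append((d.name, "operational", f"no release in {d.days_since_release} days"))
    return findings

# Constructed manifest exercising every category once.
SAMPLE = [
    Dependency("fastparse", "1.3.0", "MIT", 40),
    Dependency("pdfrender", "2.1.0", "AGPL-3.0", 10),
    Dependency("padleft", "1.0.0", "MIT", 900, resolvable=False),
    Dependency("httpkit", "3.2.1", "Apache-2.0", 800),
]
```

Calling `assess(SAMPLE)` yields one finding per package, in manifest order: a vulnerability for fastparse, a license finding for pdfrender, and operational findings for padleft and httpkit.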