Follow the Open Source Security Foundation (OSSF) Concise Guide for developing more secure software
Keep it simple, stupid (KISS)
Automated dependency updates
Generate a Software Bill of Materials (SBoM)
Scan for vulnerabilities and audit
Scan for license compliance
Sign artifacts
Create attestations (signed metadata for artifacts)
Create provenance (signed description of artifact creation)
XKCD 2347 by Randall Munroe, XKCD
Let’s say you have done all of the above
How can you be sure that your dependencies are maintained?
Will a vulnerability be fixed quickly?
Every dependency is a risk - unmaintained even more so
Follow the Open Source Security Foundation (OSSF) Concise Guide for evaluating open source software
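As an added example (not from the slides or the OSSF guides), here is a small Python audit over a constructed CycloneDX-style SBOM that combines two of the points above: matching components against an advisory list and flagging dependencies with no release in over a year. Package names, advisory IDs and release dates are all made up for the demonstration.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment (hypothetical packages).
SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "libfoo", "version": "1.2.3", "purl": "pkg:pypi/libfoo@1.2.3"},
  {"name": "libbar", "version": "0.9.0", "purl": "pkg:pypi/libbar@0.9.0"},
  {"name": "libbaz", "version": "2.0.1", "purl": "pkg:pypi/libbaz@2.0.1"}]}
""")

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
# Any installed version below the fixed version is treated as affected.
ADVISORIES = {"libbar": [("EXAMPLE-0001", "1.0.0")]}

# Constructed maintenance signal: date of the last published release.
LAST_RELEASE = {"libfoo": "2024-05-01", "libbar": "2020-01-15", "libbaz": "2023-11-20"}


def parse_version(v):
    # Simplified: dotted integers only. Real tooling should use a proper
    # version parser (PEP 440 / semver) to handle pre-releases and suffixes.
    return tuple(int(x) for x in v.split("."))


def audit(sbom, advisories, last_release, today, stale_days=365):
    """Return (package, finding, detail) tuples for every component in the SBOM."""
    findings = []
    for comp in sbom["components"]:
        name, version = comp["name"], comp["version"]
        # Known-vulnerable check: installed version predates the fix.
        for adv_id, fixed in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append((name, "vulnerable", f"{adv_id} fixed in {fixed}"))
        # Maintenance check: a package nobody has released in a long time is
        # unlikely to ship a fix quickly when a vulnerability appears.
        last = date.fromisoformat(last_release.get(name, "1970-01-01"))
        age_days = (today - last).days
        if age_days > stale_days:
            findings.append((name, "unmaintained", f"last release {age_days} days ago"))
    return findings


def audit_example():
    # Fixed "today" so the result is reproducible.
    return audit(SBOM, ADVISORIES, LAST_RELEASE, date(2024, 6, 1))


if __name__ == "__main__":
    for name, kind, detail in audit_example():
        print(f"{name}: {kind} ({detail})")
```

Only libbar is reported, once as vulnerable and once as unmaintained; an unknown package with no release metadata is deliberately treated as stale rather than silently passed.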