🪟 Live Share Canvas EoP (CVE-2026-45644) is your reminder that “SDK security” is desktop security in disguise. Patch discipline ≠ optional—confidence is the real victim here. windowsforum.com/threads/cve… #SoftwareSupplyChain #DependencyManagement #CveSecurity #MicrosoftLiveShare
One number worth knowing: ~95% CVE reduction for open source components governed by a verified catalog vs. the same packages pulled from npm directly. Not because they are older. Because they cleared a security threshold before ingestion. Cooldowns delay exposure. Provenance-based governance prevents it. #SoftwareSupplyChain #OpenSourceSecurity #DependencyManagement Read more at buff.ly/kLYTGA0
Want to add to "<dependencyManagement>" instead of "<dependencies>"?
    $ mvn dependency:add \
        -Dgav=groupId:artifactId \
        -Dmanaged
Very useful for parent POMs and centralized version management.
Most delivery leaders track one type of dependency. There are 12. That’s why projects slip. Not because the work is hard. Because someone is waiting on something nobody saw coming.
→ Waiting on approvals
→ Waiting on data
→ Waiting on a key person who’s overallocated
→ Waiting on compliance review
→ Waiting on assumptions that were never validated
And by the time it surfaces, you’ve already lost days. Sometimes weeks. The best delivery leaders don’t just manage tasks. They manage the invisible web of dependencies that holds everything together.
✔️ Identify. ✔️ Visualize. ✔️ Act. Before the wait becomes a delay.
Save this breakdown of all 12 dependency types. Share it with your team. This is the kind of signal @ExecuteIQ is designed to surface, before it becomes a fire. What dependency type burns your team the most? Drop it below 👇
#AIinProjectManagement #DeliveryLeaders #ExecutionIntelligence #PMO #Agile #Scrum #projectmanager #DependencyManagement #PortfolioManager #CIO #ProgramManager #RiskManagement
🔍 Still scattering dependency versions across multiple build.gradle files? There’s a better way! 📦 Version Catalogs = ✅ Centralized dependency definitions ✅ Easier upgrades ✅ Fewer bugs ✅ Happier teams Modern, clean, and officially recommended by Gradle 📘 docs.gradle.org/current/user… #Gradle #Java #Kotlin #DevTips #BuildLogic #DependencyManagement #CleanCode #BestPractices
🎥 Publishing a C++ library should be boring and reliable. In this video, I’m publishing tree v0.4.0 into the Vix Registry, then consuming it immediately from a real Vix application.
What you see, step by step:
• Git tag v0.4.0
• Exact commit resolution (f7db5f4c6e7…)
• Local registry sync (vix registry sync)
• One command to publish: vix publish 0.4.0
• Automatic PR generated against the registry index
• Dependency upgraded in an app with: vix add tree@0.4.0
• vix.lock updated with an immutable, commit-pinned dependency
No manual metadata. No central service. No proprietary registry backend.
🧠 What this demonstrates
Vix Registry is:
• Git-native
• Offline-first
• Commit-pinned
• Fully auditable
• Reproducible by design
Publishing a C++ library does not require changing how you develop today. If your library:
• lives on GitHub/GitLab
• uses Git tags
• is header-only or CMake-based
👉 it can be published to the Vix Registry in minutes.
📦 For consumers, this means:
• deterministic builds
• no “latest version” surprises
• no dependency drift
• zero network access after sync
This is not about convenience hacks. It’s about building C++ infrastructure you can trust for the next 10 years. If you maintain a C++ library and care about reproducibility, long-term stability, and developer trust, you’re exactly who this is for.
⭐ Runtime → github.com/vixcpp/vix
📦 Registry → github.com/vixcpp/registry
#cplusplus #vixcpp #opensource #devtools #dependencyManagement #buildsystems #softwareengineering
You can now search the Vix Registry locally. Here, a simple: vix search tree shows that tree, a third-party C++ library, has been updated to v0.2.0 by its maintainer.
What this demonstrates:
• registry index synced locally
• versioned packages discoverable offline
• clear ownership (namespace/name)
• latest version resolved explicitly
• dependencies pinned to immutable commits
No central service. No hidden resolution. Just a transparent, Git-native C++ dependency registry.
⭐ github.com/vixcpp/vix #cpp #dependencyManagement #registry #opensource #vixcpp
C++ dependency management doesn’t have to be fragile. With Vix.cpp, adding a dependency is explicit and reproducible:
• vix add gaspardkirira/tree@0.1.0
• pinned to an immutable git commit
• recorded in vix.lock
• works offline after sync
No central server. No hidden resolution. Just a clean, CLI-driven C++ workflow.
⭐ github.com/vixcpp/vix #cpp #dependencyManagement #runtime #vixcpp #opensource
One of the biggest friction points in C++ is dependency management. For Vix.cpp, I’m building something different: an offline-first registry, fully integrated into the CLI.
What this means in practice:
• the registry is Git-based (no server, no API, no auth)
• dependencies are synced locally with a single command
• packages are pinned to immutable commits for reproducible builds
• projects are driven by a simple vix.lock file
• unused packages can be garbage-collected safely
The goal is twofold:
1. Allow developers to publish C++ libraries that integrate naturally into Vix
2. Accelerate Vix development itself by composing reusable, versioned components
Everything works offline first, then syncs when you decide. No magic. No hidden infrastructure. This is an early but foundational step toward a Vix-native C++ ecosystem.
⭐ github.com/vixcpp/vix #Cplusplus #DependencyManagement #OfflineFirst #DeveloperTools #Runtime #OpenSource #Vixcpp
Jan 12
Stop wrestling with complex C++ dependency commands! 🤯 See how the new conan.io MCP Server uses #AI to revolutionize your C/C++ workflow and save you hours every week!
🏎️ Need speed? Go from zero to a fully packaged project in seconds using natural language prompts.
⚙️ Aiming for more efficiency? Define dependencies, search for packages (filtering by arch, OS, etc.), and manage profiles without memorizing Conan syntax.
🛡️ Looking to embed more #security? Get automatic vulnerability checks and license compliance audits instantly.
Ready to learn more: bit.ly/4rGYjsh #Conan #ConanMCP #Cpp #AIDev #DependencyManagement #PackageManagement
10 Dec 2025
Stop wrestling with complex C++ dependency commands! 🤯 See how the new @conan_io MCP Server uses #AI to revolutionize your C/C++ workflow and save you hours every week!
🏎️ Need speed? Go from zero to a fully packaged project in seconds using natural language prompts.
⚙️ Aiming for more efficiency? Define dependencies, search for packages (filtering by arch, OS, etc.), and manage profiles without memorizing Conan syntax.
🛡️ Looking to embed more #security? Get automatic vulnerability checks and license compliance audits instantly.
Ready to learn more: bit.ly/4rGYjsh #Conan #ConanMCP #Cpp #AIDev #DependencyManagement #PackageManagement
dependencyManagement redd.it/1ou11pn
28 Sep 2025
🎪 Automated Dependency Conflict Resolution in Gradle/Maven (ship faster, break less)
Nothing derails a Java release like a version tug-of-war. Two transitive deps want different Guava/Jackson/SLF4J. Boom. Classpath roulette. Here’s how teams automate their way out of it 👇
◾ Know the default rules (so you can override them)
• Maven: nearest-wins (the dependency closest to your project in the tree).
• Gradle: newest-wins (highest version by default).
Neither rule guarantees safety. Add guardrails.
◾ Guardrails that catch conflicts early
• Maven Enforcer: requireUpperBoundDeps, banDuplicateClasses → fail fast.
• Gradle: resolutionStrategy.failOnVersionConflict() in configs that matter.
• CI: make conflicts a build failure, not a log warning.
◾ Centralize versions (single source of truth)
1. Maven: <dependencyManagement> import BOMs (Spring, Jakarta, etc.).
2. Gradle: platform() / enforcedPlatform() Version Catalogs (libs.versions.toml).
3. No more scattered versions across submodules.
◾ Pin reality (reproducible builds)
Gradle Dependency Locking: lock resolved versions; review diffs in PRs.
Maven: lock via BOMs explicit versions; keep ranges out of prod.
Use Renovate/Dependabot to propose safe bumps with tests.
◾ Teach the resolver what “good” looks like
Gradle Constraints: dependencies { constraints { implementation("x:y:1.2.3") } }
Maven: put the version you want in <dependencyManagement>; let transitives follow.
For “must-have” fixes, prefer enforcedPlatform (Gradle) or imported BOM (Maven).
◾ Exclude noise, not signal
Exclude only the exact troublemaker (exclusion in Maven, exclude group/module in Gradle).
Replace with the managed version via BOM/constraint—don’t leave gaps.
◾ Observability for dependencies (make it a habit)
Inspect deltas on every PR:
Gradle: dependencyInsight, dependencies
Maven: dependency:tree -Dverbose
Track duplicate classes & mixed major versions in CI.
◾ Production hygiene
Prefer shaded artifacts only for edge cases (agents, fat jars).
Keep ABI compatibility in mind; read release notes on major bumps.
Add smoke tests that exercise common serialization/logging paths (where conflicts bite).
⚡ Workflow that scales
BOM/Platform defines the truth.
CI fails on conflicts (Enforcer / failOnVersionConflict).
Lockfiles/BOM diffs reviewed via Renovate/Dependabot.
Smoke tests duplicate-class checks keep runtime clean.
Takeaway
Dependency resolution shouldn’t be art. Automate the rules, centralize versions, and fail fast—so your Java services ship predictably.
➕ Follow me, @kisalay_Cool95, for Java, Build Engineering & System Design playbooks
♻️ Reshare to help your team end “it works on my machine” for good
#Java #Maven #Gradle #BuildEngineering #DevOps #BOM #DependencyManagement
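I think I got really stuck once because the version of the transitive dependencies that gets resolved changes depending on the order in which the BOMs are written in dependencyManagement.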
Replying to @nagise @suke_masa
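I think version resolution between multiple transitive dependencies is nearest-wins, but is that also the case for dependencyManagement? In the earlier example, I don't think there is any difference in the length of the dependency tree between spring-boot-dependencies and junit-bom.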
Replying to @ayshriv
If deps cannot be resolved, a "mvn clean install" will not solve the problem. Wrong. Plugin version conflict? How does this happen? If you even have that (which I doubt): use pluginManagement and NOT dependencyManagement. That's wrong.
🌟 Why Uv outshines Poetry for dependency management! 🌟 @fmind_dev explains how Uv is faster, simpler, and more PEP-compliant. Key Insights: Speed, PEP Compliance, Integration, Versatility. Full blog 👉 home.mlops.community/public/… #mlops #uv #poetry #dependencymanagement