Dependency Management evaluates how effectively the team tracks, updates, audits, and secures third-party libraries and internal dependencies. Poor dependency management leads to security vulnerabilities from outdated packages, version conflicts, and painful upgrade migrations. Strong practices include automated vulnerability scanning, clear upgrade paths, and minimal dependency sprawl.
Effort to manage external and internal dependencies. Elite level: single version policy.
SIGNIFICANTLY IMPROVED: This is a primary monorepo advantage. A single version policy eliminates 'dependency hell': one Guava update fixes all services in one commit, versus months of coordination across repos. Around 20% of PRs hit lockfile conflicts in large JS monorepos, however.
Dependency conflicts multiply with team count. Version drift across services creates 'dependency hell' at scale. CVE response time grows with affected surface area.
Complex dep trees slow resolution.
Outdated deps accumulate breaking changes.
Unpatched CVEs in outdated deps.
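The single version policy described above is only enforceable if drift is detected mechanically. The following is an added example, not part of the original assessment or any project it describes: it reads npm-style `package.json` manifests (constructed inline here; in a real monorepo they would be read from disk) and reports every dependency pinned to more than one version, which is also the set of packages whose CVE response would otherwise require coordinating several upgrades.

```python
"""Detect single-version-policy violations across a monorepo's manifests.

Added example; assumes npm-style package.json files. The three manifests
below are constructed sample data, not taken from any real repository.
"""
import json
from collections import defaultdict

# Constructed sample manifests: path -> raw package.json text.
SAMPLE_MANIFESTS = {
    "services/api/package.json": json.dumps({
        "name": "api",
        "dependencies": {"lodash": "4.17.21", "express": "4.18.2"},
    }),
    "services/web/package.json": json.dumps({
        "name": "web",
        "dependencies": {"lodash": "4.17.15", "react": "18.2.0"},
        "devDependencies": {"jest": "29.7.0"},
    }),
    "libs/shared/package.json": json.dumps({
        "name": "shared",
        "dependencies": {"lodash": "4.17.21"},
        "devDependencies": {"jest": "29.6.0"},
    }),
}

DEP_FIELDS = ("dependencies", "devDependencies")


def collect_versions(manifests):
    """Map dependency name -> {version -> list of manifest paths using it}."""
    seen = defaultdict(lambda: defaultdict(list))
    for path, raw in manifests.items():
        data = json.loads(raw)
        for field in DEP_FIELDS:
            for name, version in data.get(field, {}).items():
                seen[name][version].append(path)
    return seen


def find_violations(manifests):
    """Return {dep: {version: [paths]}} for deps pinned to more than one version."""
    return {
        name: {v: sorted(p) for v, p in versions.items()}
        for name, versions in collect_versions(manifests).items()
        if len(versions) > 1
    }


if __name__ == "__main__":
    # In CI, a non-empty result would fail the build.
    for name, versions in find_violations(SAMPLE_MANIFESTS).items():
        print(f"{name}: {len(versions)} versions in use")
        for version, paths in sorted(versions.items()):
            print(f"  {version}: {', '.join(paths)}")
```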