Overview
Dependency reviews fail when they only evaluate whether the library does what the developer needs — without evaluating whether the library is maintained, whether it has known vulnerabilities, whether its license is compatible with the project's, and whether it is used in a way that prevents replacement. A dependency that becomes unmaintained, gets compromised, or has an incompatible license is a liability that must be removed — and the cost of removing it is proportional to how tightly the codebase is coupled to it.
The Dependency Review Framework evaluates new dependencies across security, maintenance health, license, and coupling dimensions, and identifies existing dependencies that have become risks.
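The four dimensions above can be turned into a mechanical first pass that runs in CI before a human reviewer looks at the request. The script below is an added example written for this page, not code from the framework itself; the dependency names, advisory ids, license compatibility table, staleness threshold and source files are all constructed assumptions. Coupling is measured the cheapest way possible, by counting the modules that import the dependency directly, because a library reachable only through one adapter module is far cheaper to swap out than one imported everywhere.

```python
"""Added example: a minimal dependency review across security, maintenance
health, license compatibility and coupling. All data is constructed."""
from dataclasses import dataclass, field
from datetime import date
import re


@dataclass
class Dependency:
    name: str
    version: str
    license: str
    last_release: date
    known_advisories: list  # constructed advisory ids affecting this version


# Constructed, deliberately simplified table of which dependency licenses a
# project under the given license can link without changing its own terms.
COMPATIBLE_WITH = {
    "MIT": {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "Apache-2.0": {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "GPL-3.0": {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC", "GPL-3.0", "LGPL-3.0"},
}

STALE_AFTER_DAYS = 365  # assumption: a year without a release counts as stale


@dataclass
class Review:
    findings: list = field(default_factory=list)
    coupling_sites: int = 0

    @property
    def verdict(self):
        if any(f.startswith("BLOCK") for f in self.findings):
            return "reject"
        return "caution" if self.findings else "accept"


def count_import_sites(dep_name, source_files):
    """Return the source files that import `dep_name` directly.
    One adapter module is the ideal; many direct sites mean costly removal."""
    pattern = re.compile(rf"^\s*(?:import|from)\s+{re.escape(dep_name)}\b", re.M)
    return sorted(path for path, src in source_files.items() if pattern.search(src))


def review_dependency(dep, project_license, source_files, today, max_direct_sites=1):
    r = Review()
    # 1. Security: an advisory against the pinned version blocks adoption.
    for adv in dep.known_advisories:
        r.findings.append(f"BLOCK security: {adv} affects {dep.name}=={dep.version}")
    # 2. Maintenance health: days since the last release.
    age = (today - dep.last_release).days
    if age > STALE_AFTER_DAYS:
        r.findings.append(f"WARN maintenance: last release {age} days ago")
    # 3. License: must be compatible with the project's own license.
    if dep.license not in COMPATIBLE_WITH.get(project_license, set()):
        r.findings.append(f"BLOCK license: {dep.license} incompatible with {project_license}")
    # 4. Coupling: how many modules would have to change on replacement.
    sites = count_import_sites(dep.name, source_files)
    r.coupling_sites = len(sites)
    if len(sites) > max_direct_sites:
        r.findings.append(
            f"WARN coupling: imported directly in {len(sites)} modules; route through one adapter")
    return r


# Constructed sample code base (hypothetical package names).
SAMPLE_FILES = {
    "app/api.py": "from quickparse import loads\nimport tinyhttp\n",
    "app/jobs.py": "import quickparse\n",
    "app/reports.py": "import quickparse as qp\n",
    "app/models.py": "import dataclasses\n",
}
RISKY = Dependency("quickparse", "2.1.0", "GPL-3.0", date(2023, 1, 10),
                   ["HYPOTHETICAL-ADV-0001"])
HEALTHY = Dependency("tinyhttp", "1.4.2", "MIT", date(2025, 4, 2), [])
TODAY = date(2025, 6, 1)  # fixed so the example is reproducible


def run_reviews():
    """Review both constructed dependencies for an MIT-licensed project."""
    return {d.name: review_dependency(d, "MIT", SAMPLE_FILES, TODAY)
            for d in (RISKY, HEALTHY)}


if __name__ == "__main__":
    for name, rev in run_reviews().items():
        print(f"{name}: {rev.verdict} ({rev.coupling_sites} direct import sites)")
        for f in rev.findings:
            print("  -", f)
```

The same `review_dependency` call applies to dependencies already in the tree: re-run it on a schedule with a current `today` and a refreshed advisory list, and a library that was acceptable at adoption time surfaces as a risk once it goes stale or picks up an advisory.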