One particularly challenging aspect of dependency management is security. Much like technical debt and refactoring, security vulnerabilities can be time-consuming to manage, with little upside for the developer, coupled with the fear of an extremely bad situation if they miss something important. In a commercial setting, developers are paid to deal with the things they don’t feel like doing. In open source, where so much work runs on personal motivation, security can easily fall by the wayside.
