Dependency Management devroom
Room: UD2.119
A popular form of software reuse involves linking open source software (OSS) libraries hosted on centralized code repositories, such as Maven, PyPI or NPM. Developers only need to declare dependencies on external libraries, and automated tools make them available in the project's workspace. As recent events have demonstrated, such as the LeftPad incident, which caused hundreds of thousands of websites to stop working, and the Equifax data breach, which led to a leak of hundreds of thousands of credit card numbers, dependencies on networks of external libraries can introduce significant operational and compliance risks, as well as difficulties in assessing their security implications.
What to do about that? What are the existing solutions and their limits? What future improvements can we expect from industry or from research? This devroom is dedicated to discussing software dependencies and package dependency networks: issues, solutions and best practices, including:
- tools that help solve dependency issues
- use cases and examples of trouble encountered, and the impact of dependency issues