The Fragmented World of Dependency Policy

Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.

Andrew Nesbitt

@andrewnez This is a great observation; I've never really put this together before now.

I have a feeling we won't see anything change anytime soon. The number of consumers that care about this data is pretty low (maybe the CRA will change that).

I also don't see any real cooperation or communication between any of the tool vendors. I will partially blame a lack of venues for this.

All of the existing trade groups or foundations that would publish such standards are rather anemic in this space.

@joshbressers @andrewnez My answer is: this is a consumer-side problem. The consumer side cannot organise except through trade associations or vendors.

The consumer side wants fully integrated solutions from the vendor, not making their own choices.

Hence, no solution.

Rego + OPA is what I used for Dependency Management Data, and aside from a bit of a learning curve to get started, it was really quite nice to be able to provide more complex rules for your policies.