Picking a Winner: How to Pick the Right Dependency Resolution Graph

Explore the complexities of dependency resolution in open-source software development through this 48-minute conference talk by Eve Martin-Jones and Josie Anugerah from Google. Delve into the challenges faced by dependency resolvers when generating valid transitive dependency graphs based on seemingly simple direct dependencies. Gain insights into how the intricacies of dependency resolution interact with features and bugs in popular package management tools like npm, Maven, Go, and PyPI. Understand the implications for open-source maintainers and consumers, including the difficulties in enforcing and predicting dependency sets. Examine the impact of these complexities on software artifact standards such as SBOM and SLSA, and learn about the broader implications for the open-source ecosystem.

Picking a Winner: How to Pick the Right Dependency (Resolution...- Eve Martin-Jones & Josie Anugerah