a dependency
• For small, inherits.js-like packages just re-implement it
• Actively monitor vulnerabilities in the transitive closure
• More intelligent, integrated tools
• Better governance of dependency management practices
of transitive includes
• Connect ecosystems to security advisories
• Dependency health and ecosystem stability ratings
• Better analysis: understand which parts of the dependency code are actually used
• A semantic versioning system that everybody agrees upon
• Qualitative work: How do developers approach dependency management?
• Replicate in other ecosystems