# Dependency Policy

## Goals

Reduce supply chain risk by controlling sources, versions, and updates.

## Rules

- Pin dependency versions and verify package signatures when the source provides them
- Maintain a software bill of materials (SBOM) and update it every iteration
- Apply security updates on a fixed cadence
- Block dependencies with known-bad licenses where applicable
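
The pinning rule above is easiest to enforce mechanically. The following checker is an added example, not part of this policy document: it parses a pip `requirements.txt` and flags entries that are not pinned with `==`, entries that are pinned but carry no `--hash=` option (pip's hash-checking mode rejects a file in which any requirement lacks a hash), and option, editable or VCS lines that cannot be pinned to a released artifact. The `REQUIREMENTS` text and the hash value in it are constructed sample input.

```python
"""Audit a pip requirements file against the version-pinning rule.

Added example, not the policy's own tooling. Flags requirements that are
not pinned to an exact version, pinned entries without a --hash= option,
and option/VCS/editable lines. REQUIREMENTS below is constructed input.
"""
import re
from dataclasses import dataclass

# Constructed sample file: one compliant entry, one pinned without a hash,
# one with a loose range, one unpinned, and one editable VCS install.
# The sha256 value is a placeholder, not a real package digest.
REQUIREMENTS = """\
# base requirements
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.2.1
cryptography>=41,<43
pyyaml
-e git+https://example.invalid/org/tool.git#egg=tool
"""

# name, optional [extras], then an exact '==' pin; anything else is unpinned
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;]+)")


@dataclass
class Finding:
    line_no: int      # first physical line of the offending requirement
    requirement: str  # normalized logical line
    problem: str


def _logical_lines(text):
    """Yield (line_no, requirement) after joining backslash continuations
    and dropping comments and blank lines."""
    out = []
    buf, start = "", None
    for i, raw in enumerate(text.splitlines(), 1):
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0]
        if not line.strip():
            continue
        if start is None:
            start = i
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        out.append((start, " ".join(buf.split())))
        buf, start = "", None
    if buf:  # file ended on a continuation line
        out.append((start, " ".join(buf.split())))
    return out


def audit_requirements(text, require_hashes=True):
    """Return the list of Findings for entries violating the pinning rule."""
    findings = []
    for line_no, req in _logical_lines(text):
        if req.startswith("-"):
            findings.append(Finding(line_no, req,
                                    "option, editable or VCS line: not a pinned release"))
            continue
        if not PIN_RE.match(req):
            findings.append(Finding(line_no, req, "not pinned with =="))
            continue
        if require_hashes and "--hash=" not in req:
            findings.append(Finding(line_no, req,
                                    "pinned but no --hash= (hash-checking mode rejects this)"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(REQUIREMENTS):
        print(f"line {f.line_no}: {f.requirement!r}: {f.problem}")
```

Run with `require_hashes=False` for ecosystems where only exact pinning is policy; the VCS and range-specifier findings are reported either way.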

## Processes

- Review checklist for every new dependency
- Periodic audit and removal of unused dependencies
- Automated alerts on CVE advisories affecting listed dependencies
