
TypeScript dependency management

Generated TypeScript SDKs include dependencies that require ongoing maintenance to ensure security and stability.

Set up automated dependency scanning

We strongly recommend configuring a dependency scanning tool on your SDK repository. If your organization already uses a scanning tool, configure it for your SDK repository as well. Popular options include Dependabot (GitHub native), Snyk, and Semgrep. These tools automatically monitor your dependencies and create pull requests when updates are available.

Keep dependencies updated

For TypeScript SDKs, the lock file (package-lock.json) pins every dependency to the exact version that was resolved when the SDK was generated. To re-resolve each dependency to the newest version allowed by the ranges in package.json, remove the lock file and the installed modules and reinstall:

rm -rf package-lock.json node_modules
npm install

Review and commit the regenerated package-lock.json so that every build uses the same versions, and run npm audit afterwards: a newer version is not automatically free of known vulnerabilities.

Adopt dependency cooldowns

Consider implementing a dependency cooldown strategy where you wait a period (for example, 7-14 days) before adopting newly-published package versions. This practice helps protect against supply chain attacks. Recent incidents have shown that compromised packages are often caught and removed within the first few days of publication. A cooldown period allows the community to vet new releases before they enter your codebase.
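The following TypeScript is an added example, not code from the original page or from any SDK generator: it enforces the cooldown described above against the versions pinned in a package-lock.json (lockfileVersion 2 or 3). It assumes registry publish dates in the shape returned by npm view <pkg> time --json (a map of version to ISO-8601 timestamp, plus created and modified keys); the package names, versions, dates and the fixed "now" below are constructed for the example.

```typescript
// Dependency cooldown check over package-lock.json (added example, not from the page).
// Registry data mirrors `npm view <pkg> time --json`: version -> ISO publish time.
// All package names, versions and dates below are constructed sample data.

type TimeMap = Record<string, string>;

interface LockfilePackage {
  version?: string;
}

interface Lockfile {
  lockfileVersion: number;
  packages: Record<string, LockfilePackage>; // keyed by path, "" is the root project
}

interface Violation {
  name: string;
  version: string;
  ageDays: number;          // how long the pinned version has been published
  fallback: string | null;  // newest stable version that already satisfies the cooldown
}

const STABLE_SEMVER = /^\d+\.\d+\.\d+$/; // skips prereleases and the created/modified keys
const MS_PER_DAY = 24 * 60 * 60 * 1000;

function compareSemver(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// "node_modules/@scope/pkg" or "node_modules/a/node_modules/b" -> bare package name.
function packageNameFromLockPath(lockPath: string): string {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Newest stable version published at least `cooldownDays` before `now`, or null if none.
function newestCooledVersion(time: TimeMap, cooldownDays: number, now: Date): string | null {
  const cutoff = now.getTime() - cooldownDays * MS_PER_DAY;
  const eligible = Object.entries(time)
    .filter(([v, published]) => STABLE_SEMVER.test(v) && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// Every pinned package (including nested copies) younger than the cooldown window.
function findCooldownViolations(
  lockfile: Lockfile,
  registryTimes: Record<string, TimeMap>,
  cooldownDays: number,
  now: Date,
): Violation[] {
  const violations: Violation[] = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (lockPath === "" || !entry.version) continue;
    const name = packageNameFromLockPath(lockPath);
    const time = registryTimes[name];
    const published = time?.[entry.version];
    if (!published) continue; // not in our registry snapshot; report separately in real use
    const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
    if (ageDays < cooldownDays) {
      violations.push({
        name,
        version: entry.version,
        ageDays,
        fallback: newestCooledVersion(time, cooldownDays, now),
      });
    }
  }
  return violations;
}

// Constructed sample data; "now" is fixed so the run is deterministic.
const NOW = new Date("2024-06-15T00:00:00Z");

const SAMPLE_LOCKFILE: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },
    "node_modules/fast-json": { version: "2.4.0" },                                  // ~1.6 days old
    "node_modules/@acme/http-client": { version: "0.9.1" },                          // 30 days old
    "node_modules/@acme/http-client/node_modules/fast-json": { version: "2.3.0" },   // 90 days old
  },
};

const SAMPLE_REGISTRY: Record<string, TimeMap> = {
  "fast-json": {
    created: "2023-01-10T12:00:00Z",
    modified: "2024-06-13T09:30:00Z",
    "2.2.0": "2024-01-05T10:00:00Z",
    "2.3.0": "2024-03-17T08:00:00Z",
    "2.4.0-rc.1": "2024-06-01T08:00:00Z",
    "2.4.0": "2024-06-13T09:30:00Z",
  },
  "@acme/http-client": {
    created: "2022-05-01T00:00:00Z",
    modified: "2024-05-16T00:00:00Z",
    "0.9.0": "2024-02-01T00:00:00Z",
    "0.9.1": "2024-05-16T00:00:00Z",
  },
};

for (const v of findCooldownViolations(SAMPLE_LOCKFILE, SAMPLE_REGISTRY, 7, NOW)) {
  console.log(`${v.name}@${v.version} is only ${v.ageDays.toFixed(1)} days old; ` +
    (v.fallback ? `newest cooled version is ${v.fallback}` : "no cooled version available"));
}
```

With the 7-day window the sample flags fast-json@2.4.0 (published two days before the fixed "now") and points at 2.3.0 as the newest version that has already aged past the window; the prerelease 2.4.0-rc.1 is never a fallback candidate. In a pipeline you would replace the constructed registry map with the output of npm view <pkg> time --json for each pinned package and fail the build on a non-empty result. Dependabot (the cooldown setting in dependabot.yml) and Renovate (minimumReleaseAge) can apply the same waiting period to the update pull requests they open.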
