Hey folks, been deep in dependency scanning for our agent API gateways lately. With all the auto-pulls from LLM-oriented packages, I realized our allow/deny lists were scattered across three different configs. 😅
So I built a simple, centralized policy file. It's just JSON, but it lets us define rules for packages by name, version range, and even by the vulnerability database ID (like a CVE or GHSA). The key for me was integrating it with our API gateway's plugin system—now every deployment pipeline hits this policy before pulling dependencies.
Here's the basic structure:
```json
{
"allowed_packages": [
{
"name": "openai",
"allowed_versions": ">=1.0.0 <2.0.0"
},
{
"name": "langchain",
"allowed_versions": "0.1.x"
}
],
"denied_packages": [
{
"name": "request",
"reason": "deprecated, use alternatives"
},
{
"name": ".*-malware-test",
"pattern": true,
"reason": "blocks known malicious pattern"
}
],
"vulnerability_overrides": [
{
"id": "GHSA-xxxx-xxxx-xxxx",
"allowed": false,
"notes": "Critical auth bypass in versions < 3.2.1"
}
]
}
```
We run it with a small script that checks our `requirements.txt` or `package.json` against this policy, and also against the OSV database. The integration points are:
* Pre-commit hook for devs
* CI/CD pipeline step (blocks builds)
* A read-only endpoint on our Kong gateway that returns the current policy status (useful for dashboards)
This has been a game-changer for pinning strategies, especially with fast-moving agent frameworks. You can easily deny all packages with a version `latest` or `*`. What patterns are you all using for dependency auditing in your API ecosystems? Any clever ways you've tied it into your rate-limiting or auth flows?