Dependency Guardrails - Lunar Policy for Security And Compliance

Dependency Guardrails

Type: Policy. Status: Stable. Category: Security And Compliance.

Enforce dependency version requirements across your codebase. Ensure libraries meet minimum safe versions to address security vulnerabilities and maintain compatibility standards.

Add this policy to your lunar-config.yml:
uses: github://earthly/lunar-lib/policies/dependencies@v1.0.0

Included Guardrails

This policy includes 1 guardrail that enforces standards for your security and compliance.

Guardrail

min-versions

Ensures dependencies meet minimum safe version requirements. Validates that project dependencies are at or above specified versions to enforce security patches and compatibility standards.

Tags: dependency, versions, minimum version, security, semver

How Guardrails Fit into Lunar

Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.

Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.

Learn How Lunar Works

1. Integrations Gather Data: collectors extract metadata from code, CI pipelines, tool outputs, and scans.
2. Centralized as JSON: all data is merged into each component's unified metadata document.
3. Guardrails Enforce Standards (this policy): real-time feedback in PRs and AI workflows.

Required Integrations

This policy evaluates data gathered by one or more of the following integration(s). Make sure to enable them in your lunar-config.yml.

Configuration

Configure this policy in your lunar-config.yml.

Inputs

language (required, no default): Programming language to check (e.g., "go", "java", "python", "nodejs").
min_versions (optional, default {}): JSON object mapping dependency paths to minimum safe versions (e.g., {"github.com/example/lib": "1.0.0"}).
include_indirect (optional, default false): Whether to also check indirect (transitive) dependencies.

Documentation


Dependency Guardrails

Policies for validating project dependencies.

Overview

This policy plugin validates that project dependencies meet organizational requirements. It's useful for enforcing security patches, ensuring compatibility with internal libraries, or mandating upgrades for dependencies with known vulnerabilities. The policies work across multiple languages by reading from the standardized .lang.{language}.dependencies paths.

Policies

This plugin provides the following policies (use include to select a subset):

min-versions: Ensures dependencies meet minimum safe versions. Failure meaning: one or more dependencies are below the required minimum version.

Required Data

This policy reads from the following Component JSON paths:

.lang.{language}.dependencies.direct (array): provided by language-specific collectors (e.g., golang).
.lang.{language}.dependencies.direct[].path (string): dependency identifier.
.lang.{language}.dependencies.direct[].version (string): version string.
.lang.{language}.dependencies.indirect (array): provided by language-specific collectors; read only when include_indirect is enabled.

Note: Ensure the corresponding language collector is configured before enabling this policy.

Installation

Add to your lunar-config.yml:

policies:
  - uses: github://earthly/lunar-lib/policies/dependencies@v1.0.0
    on: ["lang:go"]  # Or use appropriate tags
    enforcement: block-pr
    with:
      language: "go"
      min_versions: '{"github.com/example/lib": "1.2.0", "golang.org/x/crypto": "0.17.0"}'
      # include_indirect: "true"  # Optional: also check transitive dependencies

Examples

Passing Example

{
  "lang": {
    "go": {
      "dependencies": {
        "direct": [
          {"path": "github.com/example/lib", "version": "v1.3.0"},
          {"path": "golang.org/x/crypto", "version": "v0.18.0"}
        ]
      }
    }
  }
}

Failing Example

{
  "lang": {
    "go": {
      "dependencies": {
        "direct": [
          {"path": "github.com/example/lib", "version": "v1.1.0"}
        ]
      }
    }
  }
}

Failure message: "'github.com/example/lib' version v1.1.0 is below minimum safe version 1.2.0"

Remediation

When this policy fails, update the affected dependency to meet the minimum version:

# Go
go get github.com/example/lib@v1.2.0 && go mod tidy

# Node.js
npm install example-lib@1.2.0

# Python
pip install "example-lib>=1.2.0"

Version Format Issues

If you see "Cannot parse version" errors, ensure versions follow semver format:

  • Supported: 1.2.3, v1.2.3, 1.0.0-alpha, 1.0.0-beta.1
  • Go pseudo-versions: v0.0.0-20240101-abcdef (parsed as prerelease)
  • Not supported: Date-based (2024.01.15), CalVer (2024.1), or non-numeric (latest)
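To make the documented behaviour concrete, the following is an added stand-alone example in Python. It is not the lunar-lib policy's own code and does not use Lunar's policy API; it re-implements the min-versions check over a component JSON document as described under Required Data and Examples: semver parsing with an optional leading v, prerelease and Go pseudo-version ordering (pseudo-versions sort as prereleases), the include_indirect switch, and a "Cannot parse version" failure for strings such as CalVer or "latest". The function names parse_version and check_min_versions, and the sample documents, are constructed for this example.

```python
"""Added example (not the lunar-lib policy's own code): a stand-alone
re-implementation of the min-versions check over a component JSON document."""
import json
import re
from typing import Dict, List, Tuple

# Strict semver: MAJOR.MINOR.PATCH (no leading zeros) with optional prerelease
# and build metadata. A leading "v" is accepted because Go modules print
# versions as vX.Y.Z. Leading-zero rejection is what makes "2024.01.15" fail.
_SEMVER_RE = re.compile(
    r"^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(raw: str) -> Tuple[int, int, int, Tuple]:
    """Parse a semver string into a sortable key; raise ValueError otherwise.

    A release (no prerelease part) sorts above any prerelease of the same
    MAJOR.MINOR.PATCH, so 1.0.0 > 1.0.0-beta.1 and a Go pseudo-version such
    as v0.0.0-20240101-abcdef sorts below v0.0.0.
    """
    m = _SEMVER_RE.match(raw.strip()) if isinstance(raw, str) else None
    if not m:
        raise ValueError(f"Cannot parse version: {raw!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, (1,))  # release outranks any prerelease
    # Semver precedence: numeric identifiers compare numerically and rank
    # below alphanumeric ones; encode each identifier as (0, int) or (1, str).
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, (0,) + ids)


def check_min_versions(
    component: dict,
    language: str,
    min_versions: Dict[str, str],
    include_indirect: bool = False,
) -> List[str]:
    """Return one failure message per dependency below its minimum.

    An empty list means the guardrail passes. Dependencies not listed in
    min_versions are ignored. Unparseable versions are reported as failures
    rather than skipped, so they cannot silently pass the check.
    """
    deps = component.get("lang", {}).get(language, {}).get("dependencies", {})
    scopes = ["direct"] + (["indirect"] if include_indirect else [])
    failures: List[str] = []
    for scope in scopes:
        for dep in deps.get(scope, []):
            path, version = dep.get("path"), dep.get("version")
            minimum = min_versions.get(path)
            if minimum is None:
                continue
            try:
                if parse_version(version) < parse_version(minimum):
                    failures.append(
                        f"'{path}' version {version} is below minimum safe version {minimum}"
                    )
            except ValueError as exc:
                failures.append(f"'{path}': {exc}")
    return failures


# The min_versions input is a JSON string in lunar-config.yml, so decode it.
MIN_VERSIONS = json.loads(
    '{"github.com/example/lib": "1.2.0", "golang.org/x/crypto": "0.17.0"}'
)

# Constructed sample component documents modelled on the page's examples.
PASSING = {"lang": {"go": {"dependencies": {"direct": [
    {"path": "github.com/example/lib", "version": "v1.3.0"},
    {"path": "golang.org/x/crypto", "version": "v0.18.0"},
]}}}}

FAILING = {"lang": {"go": {"dependencies": {
    "direct": [{"path": "github.com/example/lib", "version": "v1.1.0"}],
    # constructed: a transitive dependency carrying a CalVer string
    "indirect": [{"path": "golang.org/x/crypto", "version": "2024.1"}],
}}}}

if __name__ == "__main__":
    print(check_min_versions(PASSING, "go", MIN_VERSIONS))
    for msg in check_min_versions(FAILING, "go", MIN_VERSIONS, include_indirect=True):
        print(msg)
```

With include_indirect left at its default, only the direct dependency is reported, matching the failure message shown above; enabling it additionally surfaces the unparseable transitive version instead of letting it pass unnoticed.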

Open Source

This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

