How to use Google's new dependency mapping tool to find security flaws buried in your projects


Google has built an online tool that maps out all the dependencies in millions of open-source software libraries and flags up any unpatched vulnerabilities.


This is useful for finding out what exactly is inside the libraries used by your programming projects, and crucially, whether they contain hidden security bugs that haven't been fixed. Thus, you can choose another set of packages, or help get the holes patched, to avoid leaving your application exploitable.


These days, when you pull a library into a project, you're typically pulling in dozens of dependencies and sub-dependencies of that library. And any of these components could – and do – contain security holes, which may leave the parent program vulnerable to attack.
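To make the transitive-dependency problem concrete, here is an added example (not code from the original article, and not part of Google's tool) that walks a small dependency graph, computes which packages a project pulls in indirectly, matches their installed versions against a list of advisories, and reports which direct dependency drags each vulnerable package in. The graph, the installed versions and the advisories are all constructed sample data; the advisory records borrow only the "introduced"/"fixed" range idea from the OSV advisory format, which is an assumption about shape and not a real data set.

```python
"""Find vulnerable packages hidden in a project's transitive dependencies.

Constructed sample data: a tiny dependency graph, the versions that ended up
installed, and a few made-up advisories. Nothing here refers to real packages
or real CVEs.
"""
from collections import deque

# package -> packages it directly requires ("my-app" is the project itself)
DEPENDENCY_GRAPH = {
    "my-app": ["web-framework", "image-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["html-sanitizer"],
    "html-sanitizer": [],
    "http-parser": ["string-utils"],
    "string-utils": [],
    "image-lib": ["string-utils", "zip-reader"],
    "zip-reader": [],
}

# versions resolved into the project (constructed)
INSTALLED_VERSIONS = {
    "web-framework": "4.2.0", "template-engine": "2.8.1", "html-sanitizer": "3.0.0",
    "http-parser": "1.0.0", "string-utils": "1.3.0", "image-lib": "0.7.5",
    "zip-reader": "2.1.0",
}

# constructed advisories: affected range is introduced <= version < fixed;
# fixed=None means no patched release exists yet (OSV-style range, assumed shape)
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "string-utils", "introduced": "0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2021-0002", "package": "zip-reader", "introduced": "2.0.0", "fixed": None},
    {"id": "EXAMPLE-2020-0009", "package": "http-parser", "introduced": "0", "fixed": "0.9.0"},
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when version falls inside [introduced, fixed); an open advisory has no upper bound."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def shortest_paths(graph, root):
    """BFS from root; returns {package: [root, ..., package]} for every reachable package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:          # first visit is the shortest path
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def find_vulnerable(graph, versions, advisories, root):
    """Match every transitive package against the advisories.

    Each finding records one example path and the full set of direct
    dependencies whose subtree contains the package, i.e. what you would
    have to swap out or get patched.
    """
    paths = shortest_paths(graph, root)
    subtree = {dep: set(shortest_paths(graph, dep)) for dep in graph.get(root, [])}
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg == root or pkg not in paths:
            continue                        # advisory for something we do not use
        if not is_affected(versions[pkg], adv):
            continue                        # installed version is outside the range
        findings.append({
            "advisory": adv["id"],
            "package": pkg,
            "version": versions[pkg],
            "path": paths[pkg],
            "pulled_in_by": sorted(d for d, members in subtree.items() if pkg in members),
            "fix_available": adv["fixed"] is not None,
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(DEPENDENCY_GRAPH, INSTALLED_VERSIONS, ADVISORIES, "my-app"):
        status = "upgrade available" if f["fix_available"] else "no fix yet"
        print(f"{f['advisory']}: {f['package']} {f['version']} ({status})")
        print("  via:", " -> ".join(f["path"]))
        print("  reachable from direct deps:", ", ".join(f["pulled_in_by"]))
```

The point of the "pulled_in_by" set is the one the article makes: a vulnerable sub-dependency two levels down may be reachable from more than one of your direct dependencies, so replacing a single library does not necessarily remove it, and an advisory with no fixed release leaves you with the choice of swapping packages or helping to get the hole patched.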

These dependencies can also break or