35. Reduce risk in the software supply chain
This chapter covers the risk that a project is compromised not through its own code but through the code, build tooling and distribution channels it depends on, and the controls that reduce that risk: dependency audits, lockfiles, signed releases, software bills of materials (SBOMs), least-privilege CI tokens, and trusted package sources.
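As an added illustration of the lockfile control named above (example code written for this edit, not code from the chapter): a small Python checker that parses a lockfile of `name==version --hash=sha256:<hex>` lines, rejects any entry that is not an exact pin with at least one hash, and verifies each artifact that would be installed against those pins. The package names, artifact bytes and one-line-per-package lockfile layout are all constructed for the example; real lockfiles wrap hashes across continuation lines, which this parser does not handle.

```python
"""Verify that every dependency to be installed matches its lockfile pin.

Added example for this chapter; not from the original text. Assumes a
simplified lockfile (one `name==version --hash=sha256:HEX ...` line per
package) and artifacts supplied as in-memory bytes so it runs offline.
"""
import hashlib
import re
from dataclasses import dataclass

# One exact pin per line, followed by zero or more --hash=sha256:<64 hex> flags.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    hashes: frozenset


def parse_lockfile(text):
    """Return {normalized_name: Pin}.

    A line that floats the version (`pkg>=1`) or pins without a hash is an
    error rather than a warning: a lockfile that tolerates either gives the
    installer room to fetch something the author never reviewed.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an exact pin with hashes: {raw!r}")
        hashes = frozenset(HASH_RE.findall(m.group("hashes")))
        if not hashes:
            raise ValueError(f"line {lineno}: {m.group('name')} is pinned but has no --hash")
        name = m.group("name").lower()
        pins[name] = Pin(name, m.group("version"), hashes)
    return pins


def verify_artifacts(pins, artifacts):
    """Compare artifacts ({name: bytes}) against pins; return a list of problems.

    An empty list means every artifact is present, pinned and hash-matched,
    and nothing outside the lockfile slipped into the install set.
    """
    problems = []
    for name, pin in pins.items():
        if name not in artifacts:
            problems.append(f"{name}=={pin.version}: no artifact to verify")
            continue
        digest = hashlib.sha256(artifacts[name]).hexdigest()
        if digest not in pin.hashes:
            problems.append(f"{name}=={pin.version}: sha256 {digest[:12]}... not in lockfile")
    for name in artifacts:
        if name not in pins:
            problems.append(f"{name}: artifact not in lockfile (unreviewed dependency)")
    return problems


# Constructed sample data (hypothetical package names, not real wheels).
GOOD_ARTIFACTS = {
    "examplepkg": b"PK\x03\x04 examplepkg-1.2.0 wheel contents (constructed)",
    "helperlib": b"PK\x03\x04 helperlib-0.3.1 wheel contents (constructed)",
}
# The lockfile's hashes are derived from the good artifacts, as a real
# lockfile's would be from the release the author reviewed.
LOCKFILE = "\n".join(
    f"{name}=={ver} --hash=sha256:{hashlib.sha256(GOOD_ARTIFACTS[name]).hexdigest()}"
    for name, ver in (("examplepkg", "1.2.0"), ("helperlib", "0.3.1"))
) + "\n# comments and blank lines are ignored\n"
# Same name and version, but the bytes were changed after the pin was taken.
TAMPERED_ARTIFACTS = dict(GOOD_ARTIFACTS, examplepkg=GOOD_ARTIFACTS["examplepkg"] + b"\x90\x90")


def check(artifacts):
    """Convenience wrapper: parse the sample lockfile and verify one artifact set."""
    return verify_artifacts(parse_lockfile(LOCKFILE), artifacts)


if __name__ == "__main__":
    print("clean install:", check(GOOD_ARTIFACTS) or "OK")
    print("tampered install:", check(TAMPERED_ARTIFACTS))
    print("extra package:", check(dict(GOOD_ARTIFACTS, typosquat=b"evil")))
```

The same shape of check is what an installer's hash-checking mode performs; running it as a separate CI step before installation means a substituted artifact, a missing pin, or a dependency that was never locked fails the build rather than silently landing in the environment.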