PythonAsia 2026

pip-audit: dozens of vulnerabilities after
2026-03-22, Teresa Yuchengco Auditorium (Main Hall)

Every modern Python project depends on dozens (sometimes hundreds) of third-party packages. Each of them can - and regularly does - receive security advisories, patches, or CVEs. Even if you “just build business logic”, you inherit all the risks of your supply chain.
This talk is a practical introduction for early-career developers: why dependency security matters, how to audit your environment with pip-audit, what went wrong in several real CVEs found in 2025, and how to build a lightweight but reliable patching workflow without breaking your production environment.
Perfect for anyone who wants to level up their engineering maturity, avoid supply-chain surprises, and understand what it really takes to keep dependencies updated sustainably.


This talk is a hands-on introduction to dependency security for early-career Python developers. Instead of abstract warnings about “supply-chain risk,” we focus on what engineers actually experience: installing common libraries, running into issues months later, and discovering that the problem was already known and fixed upstream.

We begin by exploring pip-audit, the official PyPA tool for identifying known vulnerabilities in your environment. Attendees will see how pip-audit queries the Python Packaging Advisory Database (by default through PyPI's JSON API, optionally through OSV), how to use it both locally and in CI, and what its output really means. Real CI examples (based on GitLab pipelines) illustrate typical challenges: internal packages with no public advisories, vulnerabilities without available fixes, and strategies to keep the audit stage informative without constantly blocking deployments.
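As an added illustration of the CI challenges listed above (this is example code written for this page, not the speaker's material or part of pip-audit), the script below triages the JSON that `pip-audit -f json` emits. It assumes pip-audit's documented JSON shape: a "dependencies" list whose entries carry either "version" plus "vulns" (each with "id", "fix_versions", "aliases", "description") or a "skip_reason" for packages it could not look up. The sample report, the package names and the vulnerability ids are constructed, and the allowlist format with per-finding expiry dates is a hypothetical convention chosen so that accepted risks get re-examined instead of silently piling up.

```python
"""CI triage for `pip-audit -f json` output.

Added example: not code from the talk or from pip-audit. It assumes the JSON
shape pip-audit emits (a "dependencies" list whose entries carry either
"version" + "vulns" or a "skip_reason") and invents a small allowlist format
in which each accepted vulnerability id carries an expiry date.
"""
import json
import sys
from datetime import date

# Constructed sample report (package names, versions and vulnerability ids
# are made up): one fixable finding, one finding with no fix released yet,
# one internal package pip-audit cannot look up on PyPI, one clean package.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.2.0", "vulns": [
            {"id": "PYSEC-0000-0001", "fix_versions": ["1.2.1"],
             "aliases": ["CVE-0000-0001"], "description": "constructed"}]},
        {"name": "otherlib", "version": "0.9.0", "vulns": [
            {"id": "PYSEC-0000-0002", "fix_versions": [],
             "aliases": [], "description": "constructed, no fix yet"}]},
        {"name": "acme-internal-auth",
         "skip_reason": "Dependency not found on PyPI and could not be audited: acme-internal-auth (0.4.2)"},
        {"name": "cleanlib", "version": "3.0.0", "vulns": []},
    ],
    "fixes": [],
})

# Hypothetical allowlist: vulnerability id -> ISO date on which the risk
# acceptance lapses and the finding must be re-assessed.
IGNORES = {"PYSEC-0000-0002": "2026-06-30"}


def triage(report_json, ignores, today):
    """Sort findings into buckets: fixable, unfixed, ignored, expired, skipped.

    `today` and the allowlist dates are ISO strings so the same function
    works from a config file or from a CI variable.
    """
    today = date.fromisoformat(today)
    report = json.loads(report_json)
    out = {"fixable": [], "unfixed": [], "ignored": [], "expired": [], "skipped": []}
    for dep in report["dependencies"]:
        if "skip_reason" in dep:  # internal package, no public advisories to check
            out["skipped"].append(dep["name"])
            continue
        for vuln in dep.get("vulns", []):
            entry = (dep["name"], dep["version"], vuln["id"], list(vuln["fix_versions"]))
            expiry = ignores.get(vuln["id"])
            if expiry is not None:
                bucket = "ignored" if today <= date.fromisoformat(expiry) else "expired"
            elif vuln["fix_versions"]:
                bucket = "fixable"
            else:
                bucket = "unfixed"
            out[bucket].append(entry)
    return out


def exit_code(result):
    """Block the pipeline only on findings someone can act on now: an upgrade
    exists, or an accepted risk has passed its review date. Unfixed and
    skipped items are reported but do not fail the job."""
    return 1 if result["fixable"] or result["expired"] else 0


def summarize(result):
    """Human-readable lines for the job log, most urgent first."""
    lines = []
    for name, ver, vid, fixes in result["fixable"]:
        lines.append(f"FAIL {name}=={ver}: {vid}, upgrade to {', '.join(fixes)}")
    for name, ver, vid, _ in result["expired"]:
        lines.append(f"FAIL {name}=={ver}: acceptance of {vid} expired, re-assess")
    for name, ver, vid, _ in result["unfixed"]:
        lines.append(f"WARN {name}=={ver}: {vid} has no fixed release yet")
    for name in result["skipped"]:
        lines.append(f"WARN {name}: not on PyPI, not audited; cover it another way")
    for name, ver, vid, _ in result["ignored"]:
        lines.append(f"INFO {name}=={ver}: {vid} accepted until its expiry date")
    return lines


if __name__ == "__main__":
    # `--stdin` reads a real report piped from pip-audit; otherwise run the sample.
    data = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_REPORT
    result = triage(data, IGNORES, date.today().isoformat())
    print("\n".join(summarize(result)))
    sys.exit(exit_code(result))
```

In a pipeline the stage would run something like `pip-audit -r requirements.txt -f json -o audit.json || true` followed by `python audit_gate.py --stdin < audit.json` (the script name is an assumption): pip-audit itself exits non-zero whenever it finds any vulnerability, so letting it fail the job directly is what makes the stage block on unfixed findings and internal packages; the wrapper decides instead. pip-audit's own `--ignore-vuln ID` flag suppresses a finding but carries no expiry, which is why the allowlist here tracks a date.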

The second part highlights real CVEs from 2025 in widely used libraries. Instead of overwhelming the audience with a long list, we use several short case studies to show what actually went wrong and why these bugs matter. These examples help developers understand where vulnerabilities come from and why staying updated is not optional.

Finally, we outline what a sustainable dependency-maintenance workflow looks like in practice: automated update bots, safe CI validation, prioritizing security patches, and preventing dependency drift. The goal is to offer an approach that small teams and junior developers can adopt without heavy tools or bureaucracy.

By the end of the session, attendees will know how to use pip-audit effectively, recognize real-world risks in common Python packages, and keep their projects reliably up-to-date with minimal friction.


Category: Security
Audience Level: Beginner

Kirill Tribunskii is a Python Development Lead focused on the architecture and development of reliable backend systems for ML-driven fintech services. His work centers on making large distributed systems maintainable, keeping CI/CD pipelines dependable, and treating everyday engineering discipline as the foundation for long-term project health. He enjoys attending meetups and conferences to connect with tech and security professionals, exchange ideas, and explore innovative approaches to development.