Sync open source content 🐝 (from 2d4738909e56adc65f4591e3b512c367464ae60a)

beezythebot · beezythebot · commit 82624d37f631 · 2025-12-02T19:15:03.000Z
diff --git a/_meta.global.tsx b/_meta.global.tsx
@@ -591,6 +591,9 @@ const meta = {
                   "standalone-functions": {
                     title: "Standalone functions",
                   },
+                  "dependency-management": {
+                    title: "Dependency management",
+                  },
                 },
               },
               python: {
diff --git a/docs/sdks/languages/typescript/dependency-management.mdx b/docs/sdks/languages/typescript/dependency-management.mdx
@@ -0,0 +1,25 @@
+---
+title: "TypeScript dependency management"
+description: "Learn how to manage dependencies in Speakeasy-generated TypeScript SDKs to ensure security and stability."
+---
+
+# TypeScript dependency management
+
+Generated TypeScript SDKs include dependencies that require ongoing maintenance to ensure security and stability.
+
+## Set up automated dependency scanning
+
+We strongly recommend configuring a dependency scanning tool on your SDK repository. If your organization already uses a scanning tool, configure it for your SDK repository as well. Popular options include [Dependabot](https://docs.github.com/en/code-security/dependabot) (GitHub native), [Snyk](https://snyk.io/), and [Semgrep](https://semgrep.dev/). These tools automatically monitor your dependencies and create pull requests when updates are available.
+
+## Keep dependencies updated
+
+For TypeScript SDKs, lock files like `package-lock.json` freeze dependency versions at SDK generation time. To refresh to the latest secure versions:
+
+```bash
+rm -rf package-lock.json && rm -rf node_modules
+npm install
+```
+
+## Adopt dependency cooldowns
+
+Consider implementing a dependency cooldown strategy where you wait a period (for example, 7-14 days) before adopting newly-published package versions. This practice helps protect against supply chain attacks. Recent incidents have shown that compromised packages are often caught and removed within the first few days of publication. A cooldown period allows the community to vet new releases before they enter your codebase.
