heygrc
How do I add a third-party dependency safely?

Pin the version, verify what you pull (a lockfile and integrity checking), avoid running remote install scripts, and prefer your vetted registry or mirror. NIS 2 (Art. 21(2)(d)) treats your dependencies as part of supply-chain security, and the controls on them live in your manifest and build.

1. Pin and lock

   Add the dependency at a specific version and commit the lockfile, so the exact artifact is reproducible and a future, unverified version cannot be pulled in silently.

2. Verify, do not pipe a script to a shell

   Install from your package registry with integrity checking on, rather than fetching and running a remote script at build time. A piped install runs whatever is at that URL today, unverified, with the build's privileges.

3. Prefer the vetted source

   Pull from your internal mirror or an allowlisted registry, where the controls on packages apply, instead of going straight to upstream.
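The three steps above can be enforced mechanically in CI. The following is an added example, not heygrc's code: a small Python lint that scans a Dockerfile for a remote script piped into a shell and for `pip install` lines without `--require-hashes`, and scans a pip requirements file for entries that are not pinned with `==` or carry no `--hash=sha256:` value. The Dockerfile and requirements contents, the internal mirror URL `https://pypi.internal.example/simple`, the package `example-lib`, and the digests (all zeros plus a final digit) are constructed placeholders, not real artifacts.

```python
"""Supply-chain lint for a Dockerfile and a pip requirements file.

Added example; not heygrc's code. Checks the three controls discussed on
the page: exact version pins, hash-verified installs, and no remote
install script piped into a shell. All inputs are constructed inline so
the check runs offline.
"""
import re

# Constructed sample inputs (hypothetical; not from any real project).
DOCKERFILE_BEFORE = """FROM python:3.12-slim
RUN curl -fsSL https://get.example-tool.dev/install.sh | bash
COPY . /app
"""

# pypi.internal.example is a placeholder for a vetted internal mirror.
DOCKERFILE_AFTER = """FROM python:3.12-slim
COPY requirements.txt /tmp/requirements.txt
RUN pip install --require-hashes --index-url https://pypi.internal.example/simple \\
    -r /tmp/requirements.txt
COPY . /app
"""

REQUIREMENTS_UNPINNED = """example-tool>=2.4
example-lib
"""

# Placeholder digests (63 zeros plus a digit), not real package hashes.
_FAKE_HASH_1 = "0" * 63 + "1"
_FAKE_HASH_2 = "0" * 63 + "2"
REQUIREMENTS_LOCKED = (
    f"example-tool==2.4.1 \\\n    --hash=sha256:{_FAKE_HASH_1}\n"
    f"example-lib==1.0.0 \\\n    --hash=sha256:{_FAKE_HASH_2}\n"
)

# curl/wget ... | [sudo] sh/bash/zsh/dash
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
# name[extras]==version, i.e. an exact pin
PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[^\s;]+")
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def _logical_lines(text):
    """Join backslash-continued lines the way Dockerfile and pip do,
    dropping blanks and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return [l for l in out if l and not l.startswith("#")]


def check_dockerfile(text):
    """Return findings for RUN lines that pipe a remote script into a shell
    or run pip install without hash verification."""
    findings = []
    for line in _logical_lines(text):
        if not line.upper().startswith("RUN "):
            continue
        if PIPE_TO_SHELL.search(line):
            findings.append("remote script piped to shell: " + line)
        if "pip install" in line and "--require-hashes" not in line:
            findings.append("pip install without --require-hashes: " + line)
    return findings


def check_requirements(text):
    """Return findings for requirements not pinned with == or lacking a
    sha256 hash. Option lines such as --index-url are skipped."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            continue
        if not PINNED.match(line):
            findings.append("not pinned to an exact version: " + line)
        if not HASH.search(line):
            findings.append("no sha256 hash: " + line.split()[0])
    return findings


if __name__ == "__main__":
    for name, text in (("Dockerfile before", DOCKERFILE_BEFORE),
                       ("Dockerfile after", DOCKERFILE_AFTER)):
        print(name, check_dockerfile(text) or "OK")
    for name, text in (("requirements unpinned", REQUIREMENTS_UNPINNED),
                       ("requirements locked", REQUIREMENTS_LOCKED)):
        print(name, check_requirements(text) or "OK")
```

Run it as a pre-merge check over the repository's real Dockerfile and requirements file; a non-empty findings list is the signal to fail the build. The `--require-hashes` check is the important one: a bare `pip install pkg==x.y.z` pins which release is requested, but only the hash entries in a committed requirements file make the install refuse an artifact that does not match what was reviewed.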

Dockerfile+1 -1
- RUN curl -fsSL https://get.example-tool.dev/install.sh | bash+ RUN pip install example-tool==2.4.1COPY . /app
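Review bot: the replacement line `RUN pip install example-tool==2.4.1` pins the version but performs no integrity checking, which step 2 calls for; a version pin only selects which release the index serves. Consider installing from a committed requirements file that carries `--hash=sha256:...` entries and running `pip install --require-hashes -r requirements.txt`, which also covers the transitive dependencies the follow-up paragraph mentions, and pass `--index-url` for the internal mirror from step 3 so the build does not reach the public index directly. Removing the `curl ... | bash` line is the right change.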

A pinned install from your registry replaces running an unverified remote script at build time. Commit the lockfile too, so transitive dependencies are pinned and integrity-checked, not just this top-level one.