Dependency Management: Risk vs Crisis Management

2023

The dependency graphs of modern applications clearly show how we build software today: we focus on our unique innovation and address common challenges by reusing existing solutions. Although that is a sound software development approach, each third-party component we adopt brings its own dependencies, which bring theirs, and we end up with a large number of known and unknown dependencies that can expose us to legal and security problems. To identify and mitigate these risks, we need better knowledge of all our software assets, to choose dependencies wisely, to track changes to them, and to update them in a timely manner. In this talk we explore the legal and security challenges of dependency management and argue that risk management planning is better than crisis management.