Dependency graph vs. software supply chain

The human brain is just amazing when it comes to making sense of words. Still, it helps to be precise about terms, because it reduces confusion and improves understanding. One such terminology confusion in open source is between the concepts of dependency graph and software supply chain.

A dependency graph is a set of components (those that your program code depends on, hence “your dependencies”) and their connections (the way these components rely on each other). If you view components as nodes and their relationships as edges, you get the dependency graph.

A software supply chain is the chain of suppliers that provide and pass on a component to their clients, which then become suppliers to their own clients. In open source, the original supplier is usually a code repository in some version control system (e.g. Apache’s svn), and its client is a public component repository that hosts binary versions of the software (e.g. the Maven Central repository). After review and approval, a company may pull a component from Maven Central (now a supplier) into their own component management system (the client). This sequence of steps, or chain, constitutes the supply chain for one component.

The dependency graph is a static artifact and says nothing about where you get the components from; that is what the supply chains describe. The individual supply chains for each component, logically tied together by the dependency graph, form the total supply chain for your project or product.
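To make the distinction concrete, here is an added example (not from the original post) that models a small dependency graph and one supply chain per component, composes the total supply chain from the two, and flags any transitive dependency whose chain never reached the organisation's approved repository. All component names, source hosts and the "internal Nexus" mirror are constructed for illustration; only Maven Central is taken from the text.

```python
from collections import deque

# Constructed sample: the dependency graph (edges mean "depends on") ...
DEPENDENCY_GRAPH = {
    "my-app": ["lib-http", "lib-json"],
    "lib-http": ["lib-json", "lib-ssl"],
    "lib-json": [],
    "lib-ssl": [],
}

# ... and, separately, one supply chain per component: the ordered list of
# suppliers the component passed through before it reached the project.
SUPPLY_CHAINS = {
    "lib-http": ["svn.example.org/http", "Maven Central", "internal Nexus"],
    "lib-json": ["git.example.org/json", "Maven Central", "internal Nexus"],
    "lib-ssl": ["git.example.org/ssl", "Maven Central"],  # bypassed the approved mirror
}

def transitive_dependencies(graph, root):
    """Every component root depends on, directly or transitively (BFS, cycle-safe)."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen

def total_supply_chain(graph, chains, root):
    """The per-component chains of everything in root's dependency graph, tied together."""
    return {dep: chains.get(dep, []) for dep in transitive_dependencies(graph, root)}

def unapproved_sources(graph, chains, root, approved_last_hop):
    """Dependencies whose chain is unknown or does not end at the approved repository."""
    total = total_supply_chain(graph, chains, root)
    return sorted(dep for dep, chain in total.items()
                  if not chain or chain[-1] != approved_last_hop)

if __name__ == "__main__":
    for dep, chain in sorted(total_supply_chain(DEPENDENCY_GRAPH, SUPPLY_CHAINS, "my-app").items()):
        print(f"{dep}: {' -> '.join(chain) or '(no chain recorded)'}")
    print("not via internal Nexus:",
          unapproved_sources(DEPENDENCY_GRAPH, SUPPLY_CHAINS, "my-app", "internal Nexus"))
```

The graph alone answers "what does my-app depend on"; only the chains answer "where did each of those come from", and the union of both is what an inventory or SBOM review actually needs.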