Businesses are struggling to address vulnerabilities hidden in phantom dependencies

Posted by:
Olivia Smith
Thu, 30 Jan

Hidden dependencies within modern software systems are posing unseen risks, according to a recent report. The 2024 Dependency Management Report by Endor Labs examines the challenges of managing software dependencies and vulnerabilities across programming languages, and finds that fewer than 9.5% of the vulnerabilities recorded in 2024 were classified as ‘real threats’. The study also found that function-level analysis can cut the number of unnecessary vulnerability fixes by up to 90%.

As organizations increasingly rely on third-party components and open source libraries to speed up development, addressing the security risks these dependencies carry has become a top priority. Third-party components shorten development cycles, but they also import every vulnerability present in the external libraries they pull in. The report stresses how complex the dependency picture has become, spanning first-party code libraries, operational dependencies, and vulnerabilities in third-party components.

Two problems get particular attention. The first is the prevalence of “phantom dependencies”: components an application imports and uses without declaring them in its manifest, so tooling that inventories only the manifest never sees them. The second is the inadequacy of current vulnerability management platforms, which produce delayed advisories and lack code-level detail; the gap between a vulnerability becoming known and an advisory being published leaves systems exposed to exploitation in the meantime.

Endor recommends concentrating on vulnerabilities that are reachable and exploitable, since only a small share of dependency vulnerabilities are exploitable at the function level. Reachability analysis identifies which vulnerable functions are actually called by the application’s own code; by fixing those first, organizations can streamline remediation and reduce noise in vulnerability reporting by nearly 90%.
