Dependency Tracking Is Hard
daniel.haxx.seGitHub lists one dependent repo for curl and that too is a mistake.
it’s cache-invalidation in different clothes, it will always be a pain in the tucus
Dependency tracking for security is like any other security work: the purpose is to create the perception of security, not actual security. You can sell the perception of security. You can't sell actual security. That's why every other corporation has a WAF now that doesn't block attacks but does block legitimate traffic, and how Cloudflare managed to create the world's biggest MITM without a single crime.