Dependency Management in Azure DevOps

Every software project has two kinds of dependencies: the packages it imports, and the teams or systems it relies on to deliver. Both kinds cause project delays and production incidents when they are not managed deliberately. Azure DevOps provides a tool for each: Azure Artifacts for package dependencies, and Delivery Plans for cross-team work dependencies.

Neither is magic. Packages pulled in without version constraints bring breaking changes into every build. Cross-team dependencies without visibility create surprise blockers at sprint end. The tools help, but the discipline matters more.

Azure Artifacts: managing package dependencies

Azure Artifacts is a package management service integrated with Azure DevOps. It provides private feeds for NuGet, npm, Maven, Python, and Universal packages. Instead of pulling dependencies directly from public registries (NuGet.org, npm, PyPI) in production builds, your pipeline pulls from an Artifacts feed that you control.

Why a private feed matters:

Public packages can be removed, modified, or compromised. An npm package deleted by its author breaks every build that depends on it. Supply chain attacks introduce malicious code through the registry itself: typosquatting publishes packages whose names are one typo away from popular ones, and dependency confusion publishes a public package with the same name as an internal one so that a resolver checking the public registry first picks it up. A private feed where packages are curated and scanned before being made available removes both risks.

The simplest pattern: create an Artifacts feed with an upstream source pointing to NuGet.org or npm. When your pipeline requests a package, Artifacts checks its cache first, then fetches from upstream and caches it. Packages cached in your feed are available even if the upstream source is removed. Scanning (via built-in vulnerability detection or integration with a third-party scanner) can run before packages are made available.

Creating a feed:

In Azure DevOps, navigate to Artifacts > Create Feed. Choose a name (e.g., company-packages), set visibility (organisation or project scope), and configure upstream sources to include the public registries your projects use.

For organisations wanting stricter control, use a quarantine pattern: an ingestion feed where new packages land and a curated feed where approved packages are published. Automated policy (vulnerability scan pass, licence approval) gates promotion from ingestion to production feed.

Semantic versioning for internal packages:

Packages your team publishes to internal feeds should follow semantic versioning (MAJOR.MINOR.PATCH). Breaking changes increment MAJOR. New backward-compatible features increment MINOR. Bug fixes increment PATCH. Consumers of your package can express version constraints (e.g., >=1.2.0 <2.0.0) and get new features and fixes without being forced onto breaking changes.

Without semantic versioning, every package update is a potential breaking change and consumers either pin to an exact version (missing security fixes) or take every version (risking unexpected breakage).

Retention policies:

Package feeds accumulate old versions. Set retention policies to keep the N most recent versions per package and delete older ones. This controls storage costs and reduces the chance of a pipeline accidentally using an outdated version because it was cached locally.
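The version arithmetic behind the two preceding sections, as an added example rather than Azure Artifacts code: it parses MAJOR.MINOR.PATCH versions, evaluates a constraint of the form >=1.2.0 <2.0.0 the way a consumer's resolver would, flags which upgrades are breaking, and lists what a "keep the N most recent versions" retention policy would delete. The constraint syntax is the plain form used above, not the full NuGet or npm range grammar, and pre-release ordering is simplified to "pre-release sorts before its release" (assumptions, noted in the comments).

```python
"""Semantic-version constraints, breaking-change detection and retention.

Added example, not Azure Artifacts code. Assumes plain '>=X <Y' style
constraints and a simplified pre-release ordering (see comments).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int
    # Field order drives tuple comparison: a pre-release (is_release=False)
    # sorts below the matching release. Comparing two pre-releases by their
    # raw tag string is a simplification of the SemVer 2.0 rules.
    is_release: bool = True
    pre: str = ""

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = _SEMVER_RE.match(text)
        if not m:
            raise ValueError(f"not a semantic version: {text!r}")
        major, minor, patch, pre = m.groups()
        return cls(int(major), int(minor), int(patch), pre is None, pre or "")

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.patch}"
        return base if self.is_release else f"{base}-{self.pre}"


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE_RE = re.compile(r"(>=|<=|==|>|<)\s*(\S+)")


def satisfies(version: str, constraint: str) -> bool:
    """True when every clause of a space-separated constraint holds."""
    v = Version.parse(version)
    clauses = _CLAUSE_RE.findall(constraint)
    if not clauses:
        raise ValueError(f"no clauses found in constraint {constraint!r}")
    return all(_OPS[op](v, Version.parse(target)) for op, target in clauses)


def resolve(constraint: str, available: List[str]) -> Optional[str]:
    """Highest available release satisfying the constraint, or None.

    Pre-releases are skipped, matching the default behaviour of npm and NuGet
    resolvers unless a pre-release is requested explicitly.
    """
    ok = [v for v in (Version.parse(a) for a in available)
          if v.is_release and satisfies(str(v), constraint)]
    return str(max(ok)) if ok else None


def is_breaking(current: str, candidate: str) -> bool:
    """A MAJOR bump is breaking; on 0.x every MINOR bump is treated as breaking."""
    cur, cand = Version.parse(current), Version.parse(candidate)
    if cur.major == 0 or cand.major == 0:
        return (cur.major, cur.minor) != (cand.major, cand.minor)
    return cand.major != cur.major


def versions_to_delete(versions: List[str], keep: int) -> List[str]:
    """What a 'keep the N most recent versions' policy would remove.

    'Most recent' is taken as highest by semver rather than by upload time.
    """
    ordered = sorted((Version.parse(v) for v in versions), reverse=True)
    return [str(v) for v in ordered[keep:]]


if __name__ == "__main__":
    feed = ["1.1.0", "1.2.0", "1.9.4", "2.0.0-beta", "2.0.0"]
    print("resolved:", resolve(">=1.2.0 <2.0.0", feed))
    print("breaking 1.9.4 -> 2.0.0:", is_breaking("1.9.4", "2.0.0"))
    print("retention would delete:", versions_to_delete(feed, keep=3))
```

The point of `is_breaking` is the consumer's side of the semantic versioning contract: a range such as >=1.2.0 <2.0.0 only protects you if publishers actually bump MAJOR for breaking changes, so a publish step that compares the new version with the previous one against the public API change is where the discipline is enforced.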

Delivery Plans: managing cross-team work dependencies

Delivery Plans in Azure DevOps provides a calendar view of work items across multiple teams and backlogs. Where a standard sprint board shows one team's sprint, a Delivery Plan shows multiple teams' iterations on a shared timeline, with dependency links between work items.

Where this matters:

Teams A and B are both building features that depend on a shared API team's work. Without visibility, both teams discover at sprint end that the API work was not completed and their features cannot be demonstrated or released. A Delivery Plan showing all three teams' iterations makes the dependency explicit during sprint planning, not at sprint review.

Creating a Delivery Plan:

In Azure DevOps, navigate to Boards > Delivery Plans > New Plan. Add the teams and backlogs you want to view. Teams can be from different projects within the same organisation. The plan displays iterations side by side on a shared calendar.

Add dependency links between work items using the "Predecessor" relationship. In the Delivery Plan view, dependent items are connected by arrows. Items whose predecessor is scheduled after the work that needs it appear with a warning: the item is blocked. This view makes scheduling conflicts obvious before they become missed commitments.

Iteration-level dependency review in planning:

Use Delivery Plans in sprint planning sessions involving multiple teams. For each dependency, the planning discussion covers: Is the dependency's work scheduled in time? If not, does the dependent item move to a later sprint, or does the dependency work get prioritised? This conversation is much easier when all teams are looking at the same timeline.

Tracking during a sprint:

Update work item status during the sprint. Delivery Plans reflects status changes in real time. A dependency item that moves to blocked or slips its completion date highlights the downstream impact immediately across all dependent teams.
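The scheduling rule described in the previous three sections, as an added example on constructed data (not Delivery Plans code): work items carry an iteration and a list of predecessor ids, a dependency is flagged when the predecessor's iteration starts after the dependent item's, and a slipped predecessor is traced to every downstream item it now blocks. Team names, work item ids and sprint dates are invented for the example.

```python
"""Cross-team dependency check modelled on Delivery Plans' predecessor links.

Added example on constructed data; not Delivery Plans code. The rule applied
is the one described above: a predecessor scheduled in a later iteration than
the item that needs it is a blocker.
"""
import copy
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Iteration:
    name: str
    start: date
    end: date


@dataclass
class WorkItem:
    id: int
    title: str
    team: str
    iteration: str
    predecessors: List[int] = field(default_factory=list)
    state: str = "Active"  # Active, Blocked or Closed


# Constructed sample: three teams sharing a two-week cadence.
ITERATIONS: Dict[str, Iteration] = {
    "Sprint 14": Iteration("Sprint 14", date(2024, 3, 4), date(2024, 3, 15)),
    "Sprint 15": Iteration("Sprint 15", date(2024, 3, 18), date(2024, 3, 29)),
    "Sprint 16": Iteration("Sprint 16", date(2024, 4, 1), date(2024, 4, 12)),
}

ITEMS: Dict[int, WorkItem] = {
    101: WorkItem(101, "Expose /orders v2 endpoint", "API", "Sprint 14"),
    201: WorkItem(201, "Checkout uses /orders v2", "Team A", "Sprint 15", [101]),
    202: WorkItem(202, "Checkout analytics", "Team A", "Sprint 14", [201]),
    301: WorkItem(301, "Reporting reads /orders v2", "Team B", "Sprint 15", [101]),
    302: WorkItem(302, "Reporting dashboard", "Team B", "Sprint 16", [301]),
}


def scheduling_conflicts(items: Dict[int, WorkItem],
                         iterations: Dict[str, Iteration]) -> List[Tuple[int, int]]:
    """(item id, predecessor id) for each dependency scheduled too late.

    Closed predecessors are already delivered and never block anything.
    """
    conflicts = []
    for item in items.values():
        needs_by = iterations[item.iteration].start
        for pred_id in item.predecessors:
            pred = items[pred_id]
            if pred.state == "Closed":
                continue
            if iterations[pred.iteration].start > needs_by:
                conflicts.append((item.id, pred_id))
    return conflicts


def downstream_of(item_id: int, items: Dict[int, WorkItem]) -> List[int]:
    """Every item that transitively depends on item_id: the blast radius of a slip."""
    hit: List[int] = []
    frontier = [item_id]
    while frontier:
        current = frontier.pop()
        for other in items.values():
            if current in other.predecessors and other.id not in hit:
                hit.append(other.id)
                frontier.append(other.id)
    return sorted(hit)


def slip(item_id: int, to_iteration: str,
         items: Dict[int, WorkItem]) -> Tuple[Dict[int, WorkItem], List[int]]:
    """Model a predecessor moving to a later sprint; returns the new plan and the affected ids."""
    plan = copy.deepcopy(items)
    plan[item_id].iteration = to_iteration
    return plan, downstream_of(item_id, plan)


if __name__ == "__main__":
    print("conflicts now:", scheduling_conflicts(ITEMS, ITERATIONS))
    after, affected = slip(101, "Sprint 16", ITEMS)
    print("API work slips to Sprint 16, downstream items:", affected)
    print("conflicts after slip:", scheduling_conflicts(after, ITERATIONS))
```

Running the block reproduces the planning conversation from the text: the initial plan already has one mistake (item 202 is scheduled a sprint before the item it depends on), and moving the API work by one sprint turns two previously sound dependencies into blockers for both consuming teams at once.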

Automating dependency monitoring in pipelines

Beyond feed management and planning tools, embed dependency checks into your CI/CD pipelines:

SBOM generation: Generate a Software Bill of Materials on every build. Azure DevOps supports SBOM generation via the Microsoft SBOM Tool task. The SBOM records every dependency with its version and licence, creating an auditable record of what your software contains.

Vulnerability scanning: Use Microsoft Defender for DevOps (preview) or a third-party scanner (Snyk, Dependabot, Mend) integrated with Azure Pipelines. Set pipeline gates that fail the build if critical vulnerabilities are found in dependencies, and alert for high-severity findings.

Licence compliance: Flag packages with licences incompatible with your distribution model (GPL in commercial software, for example). This is best implemented as a pipeline gate that queries the package metadata and fails if a disallowed licence is introduced.

Version drift alerts: Add a pipeline task that compares your locked dependency file (packages.lock.json, package-lock.json) against the latest available versions and reports how far behind each dependency is. Not every outdated dependency needs immediate action, but being three major versions behind on a security-relevant library is worth knowing about.
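The four checks above as one pipeline gate, added here as an example and not the Microsoft SBOM Tool, Defender for DevOps or any scanner's code: it reads a constructed npm package-lock.json (lockfileVersion 3 shape, where each installed package entry carries a version and a license field), builds a minimal SBOM-style inventory from it, fails the build on a disallowed licence or a critical advisory, reports high findings, and reports major-version drift. The advisory list, the "latest published" snapshot and the package named sharp-tools are constructed for the example; a real step would take the first two from the scanner and the registry.

```python
"""Dependency gates for a CI step, run over a constructed package-lock.json.

Added example; not the Microsoft SBOM Tool or a scanner integration.
Advisories and 'latest' versions are constructed inline so it runs offline.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed lockfile (npm lockfileVersion 3 shape, trimmed to the fields read).
LOCKFILE_JSON = """
{
  "name": "checkout-web",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "checkout-web", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
    "node_modules/lodash": {"version": "4.17.15", "license": "MIT"},
    "node_modules/sharp-tools": {"version": "2.1.0", "license": "GPL-3.0-only"},
    "node_modules/express": {"version": "4.18.2", "license": "MIT"}
  }
}
"""

# Constructed advisory feed; ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "lodash", "fixed_in": "4.17.21", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "express", "fixed_in": "4.19.0", "severity": "high"},
]

# Constructed snapshot of the latest published version of each package.
LATEST = {"left-pad": "1.3.0", "lodash": "4.17.21", "sharp-tools": "5.0.2", "express": "4.19.2"}

# Licences this (hypothetical) commercial distribution model disallows.
DISALLOWED_LICENCES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def inventory(lock_text: str) -> List[Dict[str, str]]:
    """Minimal SBOM-style component list: name, version and licence per installed package."""
    packages = json.loads(lock_text)["packages"]
    components = []
    for path, meta in packages.items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.split("node_modules/")[-1]  # last segment also covers nested installs
        components.append({"name": name, "version": meta["version"],
                           "license": meta.get("license", "UNKNOWN")})
    return components


def _vtuple(version: str) -> Tuple[int, ...]:
    # Assumes plain numeric MAJOR.MINOR.PATCH versions, as in the sample lockfile.
    return tuple(int(part) for part in version.split("."))


def licence_violations(components: List[Dict[str, str]]) -> List[str]:
    return [c["name"] for c in components if c["license"] in DISALLOWED_LICENCES]


def vulnerable(components: List[Dict[str, str]], advisories: List[Dict[str, str]],
               severities: Set[str]) -> List[str]:
    """Advisory ids whose package is installed below its fixed_in version."""
    installed = {c["name"]: c["version"] for c in components}
    return [adv["id"] for adv in advisories
            if adv["severity"] in severities
            and adv["package"] in installed
            and _vtuple(installed[adv["package"]]) < _vtuple(adv["fixed_in"])]


def major_versions_behind(components: List[Dict[str, str]],
                          latest: Dict[str, str]) -> Dict[str, int]:
    return {c["name"]: _vtuple(latest[c["name"]])[0] - _vtuple(c["version"])[0]
            for c in components if c["name"] in latest}


def run_gates(lock_text: str) -> Tuple[int, dict]:
    """Exit code 1 fails the build (licence or critical finding); the rest only warns."""
    comps = inventory(lock_text)
    report = {
        "components": len(comps),
        "licence_violations": licence_violations(comps),
        "critical": vulnerable(comps, ADVISORIES, {"critical"}),
        "high": vulnerable(comps, ADVISORIES, {"high"}),
        "major_drift": {n: d for n, d in major_versions_behind(comps, LATEST).items() if d > 0},
    }
    failed = bool(report["licence_violations"] or report["critical"])
    return (1 if failed else 0), report


if __name__ == "__main__":
    code, report = run_gates(LOCKFILE_JSON)
    print(json.dumps(report, indent=2))
    sys.exit(code)  # a non-zero exit is what makes the pipeline step fail
```

The split between failing and warning is the policy decision the text describes: critical advisories and licence violations stop the build, while high findings and drift are surfaced in the report so that the team sees them every run without blocking delivery on each one.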

Where Critical Cloud comes in

Dependency management hygiene prevents the class of production incidents where a supply chain compromise, a transient package unavailability, or a cross-team scheduling conflict quietly breaks something in production. We build and operate Azure DevOps delivery pipelines for technology-led businesses, with Artifacts, automated scanning, and SBOM generation integrated into the CI/CD workflow from the start. If your delivery pipeline is carrying dependency risks you cannot see, see how Critical Support works.