All dependencies (third-party software/libraries) must be explicitly declared (name and specific version) in a file inside the source code repository. Their source code must not be directly included in the repository.
The use of third-party software and libraries is very common in modern applications, as it greatly reduces the effort required to develop them. Unfortunately, this software may introduce vulnerabilities into the application, so it requires frequent updates. To ease this constant update process, third-party source code should not be included directly in application repositories; it should merely be referenced and managed using a package manager.
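One way to check this requirement in a build pipeline, as an added example that is not part of the original requirement. It assumes a pip-style `requirements.txt` and a list of tracked paths such as the output of `git ls-files`; the function names, the vendored-directory list and the sample data are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Exact pin: name, optional extras, '==' and a version without wildcards.
PINNED = re.compile(r"^[A-Za-z0-9._-]+(\[[^\]]+\])?==[0-9][A-Za-z0-9.!+_-]*$")
# Directory names that conventionally hold copied third-party source
# (assumed list, extend it for the ecosystems in use).
VENDOR_DIRS = {"node_modules", "vendor", "third_party", "bower_components"}


def unpinned(manifest_text):
    """Return requirement lines that do not name one specific version."""
    findings = []
    for raw in manifest_text.splitlines():
        line = raw.split("#", 1)[0]              # drop comments
        line = line.split(";", 1)[0]             # drop environment markers
        line = line.rstrip("\\ \t").strip()      # drop line continuations
        if not line or line.startswith("-"):     # skip blanks and pip options
            continue
        if not PINNED.match(line.replace(" ", "")):
            findings.append(line)
    return findings


def vendored(tracked_paths):
    """Return tracked files that live inside a vendored-source directory."""
    return [p for p in tracked_paths
            if VENDOR_DIRS & set(PurePosixPath(p).parts[:-1])]


# Constructed sample manifest: two exact pins, three loose declarations.
SAMPLE_MANIFEST = """\
requests==2.31.0   # exact pin
flask>=2.0
django==3.*
pyyaml
cryptography[ssh]==41.0.7 ; python_version >= "3.8"
"""
# Constructed sample of tracked paths, as `git ls-files` would list them.
SAMPLE_TREE = [
    "requirements.txt",
    "src/app.py",
    "vendor/libfoo/foo.c",
    "web/node_modules/left-pad/index.js",
]

if __name__ == "__main__":
    print("not pinned to a specific version:", unpinned(SAMPLE_MANIFEST))
    print("third-party source in repository:", vendored(SAMPLE_TREE))
```

Failing the build when either list is non-empty enforces both halves of the requirement: every dependency is declared with a specific version, and none is copied into the repository.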
CWE-829: Inclusion of Functionality from Untrusted Control Sphere. The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.12) Verify that each firmware maintains a software bill of materials cataloging third-party components, versioning, and published vulnerabilities.
OWASP-ASVS v4.0.1 V14.1 Build. (14.1.4) Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion.
OWASP-ASVS v4.0.1 V14.2 Dependency. (14.2.1) Verify that all components are up to date, preferably using a dependency checker during build or compile time.
OWASP-ASVS v4.0.1 V14.2 Dependency. (14.2.5) Verify that an inventory catalog is maintained of all third party libraries in use.
PCI DSS v3.2.1 - Requirement 2.3 Maintain an inventory of system components that are in scope for PCI DSS.