A quick tour of Drupal core's PHP and JavaScript dependencies

xjm

Drupal 8 and 9 depend on numerous external PHP and JavaScript packages. These dependencies help improve Drupal's code quality, maintainability, and sustainability, but using them comes at a cost:

1. Our dependencies' release cycles determine the major release schedule for Drupal 9 and above. We now must release new major versions and end-of-life previous versions more frequently than we otherwise might. Dependencies can also cause disruptive Drupal minor or patch updates.

2. Nearly a third of core security releases involve a vulnerability in an upstream dependency. This means that core automatic updates will need to handle updates to these dependencies to be effective.

This session will provide an overview of the specific dependencies Drupal core has: what they're for, how they're managed, how they've evolved over time, and how they impact Drupal core updates.

Track

Core Contributions