🤖 AI Summary
This work addresses systemic security risk arising from code reuse in open-source software. The authors construct a directed network of 52,897 dependencies across 16,102 Python repositories and model dependency formation with a strategic network-formation model that accounts for both observable and unobservable heterogeneity, estimated with a scalable variational approximation of the conditional distribution of the unobserved heterogeneity. They find that outsourcing code to other packages by creating dependencies generates negative externalities. Modeling the propagation of risk through the dependency network as an epidemiological process, they show that increasing protection of dependencies chosen by popular heuristics does little to reduce systemic risk, whereas AI-assisted coding, by letting developers replace dependencies with in-house code, does reduce it. The result connects a formal model of network formation and risk propagation to concrete intervention choices for open-source ecosystems.
📝 Abstract
Modern software development is a collaborative effort that reuses existing code to reduce development and maintenance costs. This practice exposes software to vulnerabilities in the form of undetected bugs in direct and indirect dependencies, as demonstrated by the CrowdStrike and Heartbleed bugs. The economic costs resulting from such vulnerabilities can be staggering. We study a directed network of 52,897 software dependencies across 16,102 Python repositories, guided by a strategic model of network formation that incorporates both observable and unobservable heterogeneity. Using a scalable variational approximation of the conditional distribution of unobserved heterogeneity, we show that outsourcing code to other software packages by creating dependencies generates negative externalities. Modeling the propagation of risk in networks of software packages as an epidemiological process, we show that increasing protection of dependencies based on popular heuristics is ineffective at reducing systemic risk. By contrast, AI-assisted coding enables developers to replace dependencies with in-house code and reduces systemic risk.
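The abstract's two interventions (hardening the most-depended-upon packages versus replacing a dependency with in-house code) can be compared on a toy version of the model it describes. The following is an added example, not the paper's code or data: it builds a small constructed dependency graph with hypothetical package names, assigns every package an assumed independent probability of shipping an undetected bug, and treats a package as exposed if any package in its transitive dependency closure ships a bug. "Systemic risk" is taken here to be the mean exposure probability across the ecosystem; the audit rule (lower a package's own bug probability) and the inlining rule (drop the edge and charge the package for bugs in its replacement code) are simplifying assumptions, not the paper's estimated model.

```python
"""Toy model of vulnerability exposure on a directed dependency network.

Added example, not the paper's code. Edge u -> v means "u depends on v":
a bug in v is inherited by every package that transitively depends on v.
Package names, probabilities and intervention rules are assumptions.
"""
from functools import reduce

# Constructed sample graph (hypothetical package names).
DEPS = {
    "app-a": {"web-fw", "http-lib"},
    "app-b": {"web-fw"},
    "app-c": {"orm", "http-lib"},
    "app-d": {"orm"},
    "web-fw": {"http-lib", "templating"},
    "orm": {"db-driver"},
    "http-lib": {"urlparse", "tls-shim"},
    "templating": set(),
    "db-driver": set(),
    "urlparse": set(),
    "tls-shim": set(),
}

# Assumed intrinsic probability that each package ships an undetected bug.
BUG_PROB = {pkg: 0.10 for pkg in DEPS}


def transitive_deps(deps, pkg):
    """All packages whose bugs `pkg` inherits, including `pkg` itself."""
    seen, stack = set(), [pkg]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(deps.get(cur, ()))
    return seen


def exposure_prob(deps, bug_prob, pkg):
    """P(pkg is exposed to at least one bug), assuming bugs arise independently."""
    closure = transitive_deps(deps, pkg)
    safe = reduce(lambda acc, p: acc * (1.0 - bug_prob.get(p, 0.0)), closure, 1.0)
    return 1.0 - safe


def systemic_risk(deps, bug_prob):
    """Mean exposure probability over every package in the ecosystem."""
    return sum(exposure_prob(deps, bug_prob, p) for p in deps) / len(deps)


def dependents_count(deps):
    """Number of direct dependents per package (the usual popularity signal)."""
    counts = {p: 0 for p in deps}
    for ds in deps.values():
        for d in ds:
            counts[d] = counts.get(d, 0) + 1
    return counts


def audit_most_depended_upon(deps, bug_prob, k, audited_prob):
    """Popularity heuristic: audit the k packages with the most dependents,
    lowering their *own* bug probability. Bugs inherited from their dependencies
    are untouched, so exposure further down the closure is unchanged."""
    counts = dependents_count(deps)
    top = sorted(deps, key=lambda p: (-counts[p], p))[:k]
    new_prob = dict(bug_prob)
    for p in top:
        new_prob[p] = audited_prob
    return new_prob, top


def replace_with_in_house(deps, bug_prob, pkg, dep, in_house_prob):
    """Drop the edge pkg -> dep and charge pkg for bugs its replacement code
    may contain, combined independently with its existing bug probability."""
    new_deps = {p: set(ds) for p, ds in deps.items()}
    new_deps[pkg].discard(dep)
    new_prob = dict(bug_prob)
    new_prob[pkg] = 1.0 - (1.0 - bug_prob[pkg]) * (1.0 - in_house_prob)
    return new_deps, new_prob


if __name__ == "__main__":
    base = systemic_risk(DEPS, BUG_PROB)
    audited_prob, top = audit_most_depended_upon(DEPS, BUG_PROB, 1, 0.01)
    inl_deps, inl_prob = replace_with_in_house(DEPS, BUG_PROB, "app-b", "web-fw", 0.10)
    print(f"baseline systemic risk:   {base:.4f}")
    print(f"audit {top}: {systemic_risk(DEPS, audited_prob):.4f}")
    print(f"app-b inlines web-fw:     {systemic_risk(inl_deps, inl_prob):.4f}")
```

The point the toy makes visible is structural rather than numeric: auditing a hub only changes the hub's own term in each dependent's product, while every bug probability below the hub (here `urlparse` and `tls-shim`) still reaches the same set of packages, whereas cutting an edge shrinks a package's closure outright. The actual magnitudes in the paper come from its estimated heterogeneity model, not from uniform probabilities like these.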