Xoxoday verifies the support status of all third-party libraries and dependencies as a mandatory step in its change management and release approval process for every major system change.
Xoxoday maintains a structured Dependency and Library Management Program that ensures every third-party library and open-source component in its platform remains supported, secure, and compatible across major releases. This program is not a periodic audit — it is embedded directly into the engineering workflow so that dependency health is validated continuously, not retrospectively.

Automated Scanning on Every Build

Xoxoday integrates automated dependency scanning into its CI/CD pipeline using tools such as OWASP Dependency-Check, npm audit, and Snyk. These tools scan the codebase for outdated, deprecated, or vulnerable libraries before any build is approved for deployment. Any component flagged as unsupported or carrying a high CVSS risk score is blocked from progressing unless it undergoes an explicit engineering review and formal approval.

Version-Controlled Dependency Tracking

All third-party libraries are managed through package managers such as npm, pip, and Maven, with dependencies tracked in version-controlled manifests including package.json and requirements.txt. Every dependency state is fully auditable and reproducible across environments. When a major change is initiated, the engineering team cross-references these manifests against current vendor support timelines to confirm continued availability before the release proceeds.

Change Impact Assessment

Xoxoday’s RFC and change approval process includes a formal compatibility assessment for all existing libraries. Major upgrades trigger a manual engineering review that evaluates compatibility, active vendor support, and downstream integration risk. For organisations that connect Xoxoday with HRIS platforms such as SAP SuccessFactors, Workday, or Darwinbox, this assessment confirms that platform changes will not disrupt data flows or break existing connectors.
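The build gate described under "Automated Scanning on Every Build" can be sketched as follows. This is an added example, not Xoxoday's own code: the normalised report shape, the 7.0 threshold (the CVSS v3 "High" boundary), the package names and the approval identifier are all assumptions or constructed samples.

```python
import json

# Assumption: block at CVSS v3 "High" (7.0+); the page only says "high CVSS risk score".
CVSS_BLOCK_THRESHOLD = 7.0

# Constructed sample: a normalised scan report. OWASP Dependency-Check, npm audit
# and Snyk each emit their own schema and would need mapping into this shape.
SAMPLE_REPORT = json.dumps([
    {"package": "example-http", "version": "1.2.0", "cvss": 9.8, "supported": True},
    {"package": "example-yaml", "version": "0.4.1", "cvss": 0.0, "supported": False},
    {"package": "example-log", "version": "3.1.0", "cvss": 7.5, "supported": True},
    {"package": "example-fmt", "version": "2.0.3", "cvss": 4.3, "supported": True},
])

# Constructed sample: exceptions recorded after engineering review. Keys pin the
# exact version so an approval does not silently carry over to a later upgrade.
SAMPLE_APPROVALS = {("example-log", "3.1.0"): "CHG-PLACEHOLDER-1"}


def evaluate_gate(report_json, approvals, threshold=CVSS_BLOCK_THRESHOLD):
    """Return (passed, blocked, waived) for one build's scan report."""
    blocked, waived = [], []
    for finding in json.loads(report_json):
        reasons = []
        # Fail closed: a missing score or support flag is treated as a finding.
        if finding.get("cvss") is None or float(finding["cvss"]) >= threshold:
            reasons.append("cvss-high-or-missing")
        if finding.get("supported") is not True:
            reasons.append("unsupported")
        if not reasons:
            continue
        key = (finding["package"], finding["version"])
        entry = {"package": key[0], "version": key[1], "reasons": reasons}
        if key in approvals:
            # Keep the approval reference so the waiver lands in the audit trail.
            waived.append({**entry, "approval": approvals[key]})
        else:
            blocked.append(entry)
    return (not blocked, blocked, waived)


if __name__ == "__main__":
    passed, blocked, waived = evaluate_gate(SAMPLE_REPORT, SAMPLE_APPROVALS)
    for item in blocked:
        print("BLOCKED", item)
    for item in waived:
        print("WAIVED", item)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Treating a missing score or support flag as a finding keeps the gate from passing a build just because a scanner produced incomplete output.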
Prioritised Patch Management

Security patches and component updates are prioritised based on CVSS score, the criticality of the component to core application function, and its active support status. Critical patches are fast-tracked through the approval process, while lower-severity updates are batched into scheduled maintenance cycles. This structured approach directly supports Xoxoday’s compliance with ISO 27001 and SOC 2 Type II, both of which require disciplined management of third-party software components.

Audit-Ready Documentation

Every dependency change is logged in change control records and version histories. These records capture approvals, scan results, and engineering sign-offs, and are retained for internal and external security assessments. Compliance teams can request the complete dependency audit trail at any point during a review cycle.

This end-to-end process ensures that Xoxoday’s platform remains stable, secure, and free from unsupported components throughout its entire release lifecycle.

Learn more: Xoxoday Help Centre — Technical requirement

How does Xoxoday manage vulnerability detection and remediation?

Learn how Xoxoday identifies, prioritises, and remediates security vulnerabilities across its platform using CVSS scoring and structured patch workflows.

What security controls are embedded in Xoxoday's CI/CD pipeline?

Understand how Xoxoday enforces security gates, automated scans, and approval workflows at every stage of its software delivery pipeline.