{"id":24491,"date":"2026-06-25T09:05:00","date_gmt":"2026-06-25T16:05:00","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=24491"},"modified":"2026-06-24T16:49:57","modified_gmt":"2026-06-24T23:49:57","slug":"taming-our-python-dependencies-at-microsoft-with-ai","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/taming-our-python-dependencies-at-microsoft-with-ai\/","title":{"rendered":"Taming our Python dependencies at Microsoft with AI"},"content":{"rendered":"\n

At Microsoft, Python has long been one of our most popular programming languages. Our developers use it for building production systems, internal tools, automation workflows, and more. We estimate that at least 67,000 employees use it every day.<\/p>\n\n\n\n

At that scale, Python dependencies have emerged as a significant source of risk for us\u2014representing the third-largest vulnerability surface across the company.<\/p>\n\n\n\n

The good news is that we have strong visibility into these vulnerabilities, with tools that continuously detect and surface risks across our codebases. The bad news is that turning those insights into action required a complex remediation process.<\/p>\n\n\n\n

Updating a single code package often caused changes across multiple interdependent libraries. This required coordinated updates, validation, and testing to maintain system stability.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cWhen AI arrived, I saw it as a great opportunity to finally fix a very complex problem we had: The level of entanglement involved in Python code dependencies. A simple script wasn\u2019t going to resolve it\u2014you needed the power of AI.\u201d<\/p>\nHumberto Arias, senior product manager, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n

Multiply this by thousands of projects throughout our enterprise, and vulnerabilities accumulated much faster than we could resolve them. To address this challenge, we turned to AI.<\/p>\n\n\n\n

Microsoft Digital\u2014the company\u2019s IT organization\u2014has developed an AI-powered solution called Python Dependency Remediation. Designed to work directly within the developer workflow, this solution analyzes dependency chains, applies required updates, and automatically adjusts the code. This enables our engineers to remediate vulnerabilities quickly and consistently at enterprise scale.<\/p>\n\n\n\n

\u201cI\u2019ve worked for years in the vulnerability management space at Microsoft,\u201d says Humberto Arias, a senior product manager in Microsoft Digital. \u201cWhen AI arrived, I saw it as a great opportunity to finally fix a very complex problem we had: The level of entanglement involved in Python code dependencies. A simple script wasn\u2019t going to resolve it\u2014you needed the power of AI.\u201d<\/p>\n\n\n\n

The tool has shown so much promise that we have begun releasing it externally, so that millions of Python developers around the world can take advantage of it.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cI used to have this problem all the time. I upgrade one library, and then I\u2019ve got to upgrade 17 other things, and something else breaks, and now my code is completely different.\u201d<\/p>\nRich Chiodo, principal software engineer, Python and Tools for AI<\/cite><\/blockquote>\n\n\n\n

\n
\n
\"\"<\/figure>\n<\/div>\n\n\n\n
\n

Get started<\/strong><\/strong><\/p>\n\n\n\n

Try using the Python Dependency Remediation tool<\/a><\/p>\n<\/div>\n<\/div>\n\n\n\n

Flexibility leads to dependencies and risk<\/h2>\n\n\n\n

Python is a very flexible language, which is why it\u2019s so popular among software developers. But that same flexible nature\u2014it can be used across a wide range of scenarios\u2014also means it forms deeply interconnected dependency chains. When one code library is updated, it can trigger changes across many others.<\/p>\n\n\n\n

\u201cI used to have this problem all the time,\u201d says Rich Chiodo, a principal software engineer on the team responsible for Python Tools and AI. \u201cI upgrade one library, and then I\u2019ve got to upgrade 17 other things, and something else breaks, and now my code is completely different.\u201d<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cDevelopers avoid the upgrades because the dependency web is so complex. This means the vulnerabilities accumulate over time and can become a real security risk.\u201d<\/p>\nChintan Sheth, principal engineering manager, Viva Glint<\/cite><\/blockquote>\n\n\n\n

Because the code is so interdependent and remediation is time-consuming, many developers skip updating their code packages, which can lead to security vulnerabilities.<\/p>\n\n\n\n

Security compliance was often seen as a burden because it slows people down.<\/p>\n\n\n\n

\u201cDevelopers avoid the upgrades because the dependency web is so complex,\u201d says Chintan Sheth, a principal engineering manager on the Viva Glint product team. \u201cThis means the vulnerabilities accumulate over time and can become a real security risk.\u201d<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cAfter my manager mentioned it, I reviewed the idea on the hackathon page, and it looked really interesting to me. So I jumped in, and we created a prototype and a demo video with a quick solution. That\u2019s how it started.\u201d<\/p>\nShiva Krishna Gollapelly, senior software engineer, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n

Hacking our way to a solution<\/h2>\n\n\n\n

Like some of the best internally developed tools and processes, Python Dependency Remediation came out of a Microsoft hackathon project. These grassroots events allow our engineers to tackle interesting technical challenges in a collaborative, creative way.<\/p>\n\n\n\n

\u201cAfter my manager mentioned it, I reviewed the idea on the hackathon page, and it looked really interesting to me,\u201d says Shiva Krishna Gollapelly, a senior software engineer in Microsoft Digital and the lead developer on the project. \u201cSo I jumped in, and we created a prototype and a demo video with a quick solution. That\u2019s how it started.\u201d<\/p>\n\n\n\n

The fact that this solution came from a hackathon highlights the ideas-driven culture that we promote at the company.<\/p>\n\n\n\n

\u201cThis really speaks to our special culture of innovation,\u201d says Snigdha Bora, a principal group engineering manager for Employee Experience. \u201cAfter this emerged from the hackathon, our developers realized it could solve a problem at scale\u2014that it was worth taking through the full development cycle so we can release it for all of Microsoft, and maybe beyond.\u201d<\/p>\n\n\n\n

Solving the issue with one click (and AI)<\/h2>\n\n\n\n

Because the challenge was not detecting vulnerabilities but fixing them, we had to rethink how we addressed Python dependencies.<\/p>\n\n\n\n

\n

\u201cThe extension automatically finds the right updates and then fixes the vulnerabilities, so developers don\u2019t need to do the research, the manual upgrades and fixes, run test cases, debugging\u2014all those things that used to take so much time. With our solution, it\u2019s just one button click and it does all of that automatically.\u201d<\/p>\nShiva Krishna Gollapelly, senior software engineer, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n

In the past, when engineers received a vulnerability notification, they would have to step outside their development workflow and address the issue. What was needed was a solution that could be enacted within their normal workflow\u2014integrating remediation directly into the tools they were already using.<\/p>\n\n\n\n

So, we created the Python Dependency Remediation extension for Visual Studio Code, a common Python development environment. Once installed, engineers can address vulnerabilities in the flow of their work.<\/p>\n\n\n\n

\"A
The Python Dependency Remediation extension automatically detects vulnerabilities and then allows developers to fix them and update their code, right in the flow of their work.<\/figcaption><\/figure>\n\n\n\n

\u201cThe extension automatically finds the right updates and then fixes the vulnerabilities, so developers don\u2019t need to do the research, the manual upgrades and fixes, run test cases, debugging\u2014all those things that used to take so much time,\u201d Gollapelly says. \u201cWith our solution, it\u2019s just one button click and it does all of that automatically, with the help of AI.\u201d<\/p>\n\n\n\n

The extension uses the APIs built into Visual Studio Code to connect with any AI model the user has access to. (If there is no AI model available, Gollapelly explains, the extension will still make the package updates but won\u2019t do the remediation fixes to the code.) It also produces a report of the changes for the developer to review in case there\u2019s a snag that needs troubleshooting.<\/p>\n\n\n\n

\u201cThis tool removes a significant burden from our developers,\u201d Bora says. \u201cWe are shifting the entire remediation process left, embedding it early in the development workflow. Developers can review the changes and move forward immediately, making the whole process more efficient.\u201d<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cWe\u2019ve upgraded the library with new methods, calls, and structures. Now, let\u2019s make sure everything works, check for errors in the code, etc. That\u2019s the gap we\u2019re bridging with AI.\u201d<\/p>\nAngel Saldivia, software engineer, SharePoint<\/cite><\/blockquote>\n\n\n\n

The result is that fixes and upgrades that used to take multiple hours of developer time now take minutes, and the code is much more reliable.<\/p>\n\n\n\n

What the agent does in this solution is help close that loop, something that the engineer used to have to do.<\/p>\n\n\n\n

\u201cWe\u2019ve upgraded the library with new methods, calls, and structures,\u201d says Angel Saldivia, a software engineer on the SharePoint product team. \u201cNow, let\u2019s make sure everything works, check for errors in the code, etc. That\u2019s the gap we\u2019re bridging with AI.\u201d<\/p>\n\n\n\n

From Customer Zero to global impact<\/h2>\n\n\n\n

One of the powerful things about working at Microsoft is that you get to help develop technology tools that can change the world. This is the case with Python Dependency Remediation as well.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cWe realized this technology had much broader value. There are hundreds of millions of Python users worldwide, so the impact could be massive.\u201d<\/p>\nSnigdha Bora, principal group engineering manager, Employee Experience<\/cite><\/blockquote>\n\n\n\n

As Bora explains, while the solution was being developed it was presented to Guido van Rossum, the creator of Python (and a Microsoft employee). He immediately saw the incredible potential of the concept.<\/p>\n\n\n\n

\u201cHe suggested that we could take this solution to the world, not just to Microsoft,\u201d Bora says. \u201cWe realized this technology had much broader value. There are millions of Python users, so the impact could be massive.\u201d<\/p>\n\n\n\n

To help make this happen, Microsoft Digital approached Graham Wheeler, a principal group engineering manager on the Python and Tools for AI team. Wheeler\u2019s team is responsible for shipping Pylance, a development extension for Visual Studio Code used by more than 180 million developers worldwide.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cOne of the things we could do was provide a jumping-off point for this extension, so that when users installed Pylance they\u2019d be prompted to also download Python Dependency Remediation. It can help raise awareness, because many users don\u2019t actually do the dependency scanning and updating that they should.\u201d<\/p>\nGraham Wheeler, principal group engineering manager, Python and Tools for AI<\/cite><\/blockquote>\n\n\n\n

Wheeler and his team are in the process of incorporating the Python Dependency Remediation extension as an option during Pylance installation. This will open up a convenient vector for getting the tool in front of a huge audience, potentially revolutionizing Python development.<\/p>\n\n\n\n

\u201cOne of the things we could do was provide a jumping-off point for this extension, so that when users installed Pylance they\u2019d be prompted to also download Python Dependency Remediation,\u201d Wheeler says. \u201cIt can help raise awareness, because so many users don\u2019t actually do the dependency scanning and updates that they should. So, we\u2019re helping with that challenge.\u201d<\/p>\n\n\n\n

Beyond Python, the AI-powered technology behind this extension might be applied to other dependency challenges as well. What started as a simple hackathon project could have huge ramifications for the future of software development.<\/p>\n\n\n\n

\u201cThis solution can easily be adapted to other libraries, other programming languages,\u201d Gollapelly says. \u201cWhether you\u2019re talking about C#, Angular, React, or another language, the concept is the same. The implications are vast.\u201d<\/p>\n\n\n\n

\n

Key takeaways<\/h3>\n\n\n\n

Here are some points to keep in mind if you are thinking about tackling this kind of code-dependency issue at your organization:<\/p>\n\n\n\n