nightshift: dependency-risk analysis — Microck/ancla
Repository: microck/ancla
Task: dependency-risk
Language: Swift (35+ Swift files, ~30KB source)
Severity: Low
Executive Summary
Ancla is an iOS screen-time/focus management app built with Swift/SwiftUI that uses Apple's Family Controls framework. The project has zero external dependencies — all imports are from Apple's SDK. This is excellent from a supply-chain security viewpoint.
Dependency Inventory
Package.swift (SPM)
- No external dependencies — only defines internal targets
Third-Party Imports (None Found)
All imports in the codebase are Apple system frameworks:
| Import | Purpose |
|---|---|
| SwiftUI | UI framework |
| UIKit | UI framework |
| Foundation | Base utilities |
| Observation | iOS 17 observation |
| CoreNFC | NFC APIs |
| CryptoKit | Cryptographic utilities |
| UserNotifications | Push notifications |
| FamilyControls | Screen Time APIs |
| ManagedSettings | Device restrictions |
| AppIntents | Shortcuts integration |
| XCTest | Unit testing |
Dependencies in project.yml
- No third-party dependencies
- Internal targets only (Ancla, AnclaLite, AnclaShieldExtension)
Findings
1. Zero External Dependencies (Positive — High)
The project is self-contained:
- No CocoaPods
- No Swift Package Manager dependencies
- No Carthage
- Only Apple system frameworks
Advantage: No supply-chain attacks via compromised packages. No third-party dependency vulnerabilities to track.
2. Uses FamilyControls Framework (Noted)
The app uses Apple's Family Controls/Screen Time APIs:
- FamilyControls — screen time permissions
- ManagedSettings — device restrictions
- ManagedSettingsUI — restriction UI
This requires a special entitlement:
- com.apple.developer.familycontrols — must be requested from Apple
Consideration: Account suspension risk if Apple revokes entitlements.
3. No Version Pins Needed (Positive)
Since there are no external dependencies, there's no:
- Version compatibility matrix
- Dependency update overhead
- Breaking change tracking
4. Self-Contained Fonts (Low — Note)
The project bundles Google Sans Flex fonts (4 weight variants):
- fonts/google-sans-flex-400.ttf
- fonts/google-sans-flex-500.ttf
- fonts/google-sans-flex-600.ttf
- fonts/google-sans-flex-700.ttf
Consideration: These are bundled in the app bundle, not loaded from network. Risk is nil.
5. iOS 17.0+ Required (Low — Note)
The app requires iOS 17.0+. This is current (as of April 2025), covering ~90% of iOS devices.
Positive Findings
- ✅ Zero external dependencies
- ✅ No known vulnerable dependencies
- ✅ No transitive dependency risk
- ✅ Self-contained font assets
- ✅ Uses stable Apple APIs
Risks
1. Apple Entitlement Revocation (Low)
If Apple revokes the FamilyControls entitlement, the app stops working. This is outside dependency management scope but worth noting.
2. Deprecated API Risk (Very Low)
Apple could deprecate FamilyControls APIs. But deprecated APIs typically have years of notice.
Recommendations
- No changes needed — The dependency profile is excellent.
- Add dependency tracking for the future: If you ever add dependencies, consider:
  - Using Dependabot or a similar tool
  - Pinning versions
  - Auditing for CVEs regularly
- Monitor FamilyControls changes: Keep up with iOS release notes for API changes.
Conclusion
Ancla has an A+ dependency profile: zero third-party dependencies, only Apple system frameworks, self-contained assets. The main risks are from Entitlement/API changes from Apple, not from dependency vulnerabilities.
Analysis by nightshift v3 — automated code quality bot