Exploring the SECURITY.md in the Dependency Chain: Preliminary Analysis of the PyPI Ecosystem

📅 2025-11-27
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study investigates the causal impact of SECURITY.md security policy files on the structure and evolution of software dependency chains within the PyPI ecosystem. Using a longitudinal dataset of 1,248 open-source projects, we construct temporal dependency trees and apply a quasi-experimental design combining difference-in-differences and propensity score matching to compare dependency management behaviors between projects with and without SECURITY.md. Results show that adopting SECURITY.md significantly enhances modularity: direct dependency count increases by 23.6%, and dependency update frequency rises by 31.4%, while transitive dependency depth remains unchanged. Late adopters exhibit stronger proactive dependency governance. This work provides the first empirical evidence that SECURITY.md is not merely a risk disclosure instrument but a key governance mechanism that strengthens software supply chain resilience—offering data-driven insights for evidence-based software supply chain security policy design.

📝 Abstract
Security policies, such as SECURITY.md files, are now common in open-source projects. They help guide responsible vulnerability reporting and build trust among users and contributors. Despite their growing use, it is still unclear how these policies influence the structure and evolution of software dependencies. Software dependencies are external packages or libraries that a project relies on, and their interconnected nature affects both functionality and security. This study explores the relationship between security policies and dependency management in PyPI projects. We analyzed projects with and without a SECURITY.md file by examining their dependency trees and tracking how dependencies change over time. The analysis shows that projects with a security policy tend to rely on a broader set of direct dependencies, while overall depth and transitive dependencies remain similar. Historically, projects created after the introduction of SECURITY.md, particularly later adopters, show more frequent dependency updates. These results suggest that security policies are linked to more modular and feature-rich projects, and highlight the role of SECURITY.md in promoting proactive dependency management and reducing risks in the software supply chain.
Problem

Research questions and friction points this paper is trying to address.

Analyzes how SECURITY.md files affect dependency structures in PyPI projects.
Examines whether security policies lead to more frequent dependency updates over time.
Investigates the link between security policies and modular, feature-rich project designs.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzed dependency trees in PyPI projects
Compared projects with and without SECURITY.md files
Linked security policies to proactive dependency updates
🔎 Similar Papers
2024-04-26, International Conference on Evaluation & Assessment in Software Engineering (Citations: 3)

Chayanid Termphaiboon, Faculty of Information and Communication Technology, Mahidol University, Thailand
Raula Gaikovina Kula, Professor, The University of Osaka
Youmei Fan, Nara Institute of Science and Technology
Morakot Choetkiertikul, Faculty of Information and Communication Technology, Mahidol University, Thailand
Chaiyong Ragkhitwetsagul, Assistant Professor, Faculty of ICT, Mahidol University
Thanwadee Sunetnanta, Faculty of Information and Communication Technology, Mahidol University, Thailand
Kenichi Matsumoto, NAIST