Do .NET or Node.js package managers support strict dependency allow-list enforcement?
08:06 02 Jun 2026

In Maven, we tested Parent POM inheritance and found that there is no native mechanism to enforce a strict dependency allow-list where:

  • Child projects may use only dependencies defined in the Parent POM

  • Any additional dependencies declared in child modules automatically fail validation/build

The closest approaches we found are:

  • Maven Enforcer deny-list rules

  • Custom Maven plugins

Do comparable ecosystems such as:

  • .NET (NuGet/MSBuild)

  • Node.js (npm/yarn/pnpm)

provide a native allow-list or centrally managed dependency enforcement mechanism that automatically rejects unapproved project-level dependencies?

If yes, what is the recommended enterprise approach?

The goal is enterprise dependency governance rather than just version alignment.

maven npm nuget dependency-management build-tools
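
The check the question describes (only centrally approved dependencies, anything else fails validation), sketched for npm `package.json` manifests as a custom CI gate. This is an added example, not part of the original post and not a built-in package-manager feature; the allow-list contents, the sample manifest and the function names are constructed for illustration, and it inspects only directly declared dependencies.

```javascript
// Constructed central allow-list: package name -> approved version specifiers.
const ALLOW_LIST = {
  express: ["4.19.2"],
  lodash: ["4.17.21"],
  jest: ["29.7.0"],
};

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Specifiers that fetch from outside the registry or alias another package,
// so the dependency key alone does not identify what gets installed.
const NON_REGISTRY = /^(npm:|git(\+\w+)?:|github:|https?:|file:|link:|workspace:)|\//;

// Returns one violation record per dependency that the allow-list does not cover.
function findViolations(manifest, allowList = ALLOW_LIST) {
  const violations = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      let reason = null;
      if (NON_REGISTRY.test(spec)) {
        reason = "non-registry or aliased source";
      } else if (!Object.prototype.hasOwnProperty.call(allowList, name)) {
        // hasOwnProperty keeps names such as "constructor" from matching the prototype.
        reason = "package not on allow-list";
      } else if (!allowList[name].includes(spec)) {
        reason = "version not approved";
      }
      if (reason) violations.push({ section, name, spec, reason });
    }
  }
  return violations;
}

// Constructed child-project manifest; in CI this would be the parsed package.json.
const SAMPLE_MANIFEST = {
  name: "child-service",
  dependencies: {
    express: "4.19.2",            // approved pin
    lodash: "npm:left-pad@1.3.0", // approved key, but aliased to a different package
    axios: "1.7.2",               // not on the allow-list
  },
  devDependencies: { jest: "^29.7.0" }, // range instead of the approved pin
};

for (const v of findViolations(SAMPLE_MANIFEST)) {
  console.log(`${v.section}: ${v.name}@${v.spec} rejected (${v.reason})`);
}
```

A CI job would exit non-zero whenever `findViolations` returns a non-empty array, which gives the fail-the-build behaviour described in the question.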