chore(telemetry): add dependency tracker for SCA telemetry reporting

[avara1986]

Summary

This PR extracts the telemetry dependency tracking changes from the larger SCA PR (#17156) to reduce its size and make review more manageable.

• Introduces DependencyTracker to manage dependency state, deduplication, and re-reporting logic for SCA telemetry
• Refactors dependency collection out of the telemetry writer into a dedicated module
• Updates the benchmark scenario for packages_update_imported_dependencies
• Adds comprehensive tests for the new dependency tracker and updated dependency logic

Parent PR: #17156 — feat(sca): runtime SCA reachability

Test plan

• Existing telemetry tests pass
• New tests/telemetry/test_dependency.py tests pass
• tests/telemetry/test_data.py tests pass
• Benchmark scenario runs without errors

Checklist

• PR description/title adhere to contributing guidelines
• Tests provided or no tests needed

🤖 Generated with Claude Code

[cit-pr-commenter-54b7da]

Codeowners resolved as

benchmarks/packages_update_imported_dependencies/scenario.py            @DataDog/apm-core-python
ddtrace/internal/telemetry/data.py                                      @DataDog/apm-python
ddtrace/internal/telemetry/dependency.py                                @DataDog/apm-python
ddtrace/internal/telemetry/dependency_tracker.py                        @DataDog/apm-python
ddtrace/internal/telemetry/writer.py                                    @DataDog/apm-python
tests/appsec/architectures/mini.py                                      @DataDog/asm-python
tests/telemetry/test_data.py                                            @DataDog/apm-python
tests/telemetry/test_dependency.py                                      @DataDog/apm-python

[pr-commenter]

Performance SLOs

Comparing candidate avara1986/sca-telemetry-dependency-tracker (1f6aabc) with baseline main (240631e)

🟡 Near SLO Breach (1 suite)

🟡 packagesupdateimporteddependencies - 24/24 (1 unstable)

✅ import_many

Time: ✅ 155.941µs (SLO: <170.000µs -8.3%) vs baseline: -0.3%

Memory: ✅ 41.093MB (SLO: <46.000MB 📉 -10.7%) vs baseline: +6.0%

---

✅ import_many_cached

Time: ✅ 123.076µs (SLO: <130.000µs -5.3%) vs baseline: +1.1%

Memory: ✅ 40.634MB (SLO: <46.000MB 📉 -11.7%) vs baseline: +4.1%

---

✅ import_many_stdlib

Time: ✅ 1.254ms (SLO: <1.750ms 📉 -28.3%) vs baseline: +0.3%

Memory: ✅ 41.113MB (SLO: <46.000MB 📉 -10.6%) vs baseline: +5.0%

---

⚠️ import_many_stdlib_cached

Time: ⚠️ 0.621ms (SLO: <1.100ms 📉 -43.5%) vs baseline: -0.4%

Memory: ✅ 41.172MB (SLO: <46.000MB 📉 -10.5%) vs baseline: +5.7%

---

✅ import_many_unknown

Time: ✅ 840.387µs (SLO: <890.000µs -5.6%) vs baseline: +0.8%

Memory: ✅ 40.871MB (SLO: <46.000MB 📉 -11.2%) vs baseline: +4.0%

---

✅ import_many_unknown_cached

Time: ✅ 796.844µs (SLO: <870.000µs -8.4%) vs baseline: -0.3%

Memory: ✅ 40.812MB (SLO: <46.000MB 📉 -11.3%) vs baseline: +3.5%

---

✅ import_one

Time: ✅ 21.043µs (SLO: <30.000µs 📉 -29.9%) vs baseline: -0.2%

Memory: ✅ 40.920MB (SLO: <46.000MB 📉 -11.0%) vs baseline: +5.0%

---

✅ import_one_cache

Time: ✅ 7.346µs (SLO: <10.000µs 📉 -26.5%) vs baseline: +1.2%

Memory: ✅ 41.003MB (SLO: <46.000MB 📉 -10.9%) vs baseline: +5.0%

---

✅ import_one_stdlib

Time: ✅ 19.951µs (SLO: <20.000µs 🟡 -0.2%) vs baseline: +0.8%

Memory: ✅ 41.060MB (SLO: <46.000MB 📉 -10.7%) vs baseline: +5.3%

---

✅ import_one_stdlib_cache

Time: ✅ 7.339µs (SLO: <10.000µs 📉 -26.6%) vs baseline: +0.1%

Memory: ✅ 40.713MB (SLO: <46.000MB 📉 -11.5%) vs baseline: +4.6%

---

✅ import_one_unknown

Time: ✅ 46.794µs (SLO: <50.000µs -6.4%) vs baseline: +0.1%

Memory: ✅ 41.195MB (SLO: <46.000MB 📉 -10.4%) vs baseline: +6.2%

---

✅ import_one_unknown_cache

Time: ✅ 7.322µs (SLO: <10.000µs 📉 -26.8%) vs baseline: -0.3%

Memory: ✅ 40.633MB (SLO: <43.000MB -5.5%) vs baseline: +4.3%

[avara1986]

@codex review

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[avara1986]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1f6aabcdf3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[avara1986]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-04-14 17:18:38 UTC ℹ️ Start processing command /merge

---

2026-04-14 17:18:43 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 51m (p90).

---

2026-04-14 17:52:45 UTC ℹ️ MergeQueue: This merge request was merged