How will Flatpak prevent proliferation of out-of-date libraries

flatpak

With the current package system (RPM or Deb), there is usually only one major version of each library and program installed. All libraries should use Semantic Versioning, so new minor versions can easily be installed without breaking anything. If there is a security issue, the library is fixed and all dependent code directly benefits from the patch.

Now with Flatpak I see that people will just bundle everything, perhaps because they have slightly modified the upstream library. If there is a security update, all upstream developers need to update the library. Even with the “runtime” concept, an app could still depend on an outdated version of the library.

To me, dependency hell only comes from a lack of API stability discipline. If the libraries would properly keep their APIs stable or issue a new major release, it would all be just fine. In the Ruby and Python world I often see that there are lists of requirements with exact version numbers. All that is installed into a virtual environment and will never be updated once the software is deployed.

How is Flatpak going to prevent the proliferation of convenience copies of libraries with security issues?

Best Answer

At least for the basic libraries like OpenSSL and so on they have the concept of runtimes. These are e.g. GNOME, KDE, etc. And these can be upgraded, even if the flatpak itself was built with an earlier version of the runtime.

Other than that, however, the other libraries in the flatpaks need to be maintained. Obviously here the author of the application should maintain that, otherwise the main application is likely also not maintained, so you may have this problem for the main application too.
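As an added illustration of the distinction the answer draws (not code from the question, the answer or the Flatpak project), the script below reads a Flatpak JSON manifest and separates what the runtime supplies, which is updated centrally, from the modules the app bundles, which stay frozen at their pin until the app author rebuilds. The manifest is constructed; the app id, module names and URLs are placeholders.

```python
import json

# Constructed sample manifest (Flatpak JSON manifest format); ids, names and URLs are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.App",
    "runtime": "org.gnome.Platform",
    "runtime-version": "45",
    "modules": [
        {"name": "libfoo", "sources": [
            {"type": "archive", "url": "https://example.invalid/libfoo-1.2.tar.xz"}]},
        {"name": "libbar", "sources": [
            {"type": "git", "url": "https://example.invalid/libbar.git", "tag": "v2.0.1"}],
         "modules": [
            {"name": "libbaz", "sources": [
                {"type": "git", "url": "https://example.invalid/libbaz.git",
                 "commit": "0000000000000000000000000000000000000000"}]}]},
        {"name": "app", "sources": [{"type": "dir", "path": "."}]},
    ],
})

def pin_of(source):
    """Describe how a source is pinned: git tag/commit/branch, or the archive file name."""
    for key in ("tag", "commit", "branch"):
        if key in source:
            return f"{key}={source[key]}"
    if source.get("type") == "archive":
        return source["url"].rsplit("/", 1)[-1]
    return None

def walk(modules, out):
    """Collect every bundled module, descending into nested 'modules' lists."""
    for mod in modules:
        if isinstance(mod, str):  # reference to another manifest file: not resolved here
            continue
        srcs = mod.get("sources", [])
        # A module built only from a local directory is the application itself, not a dependency.
        if srcs and all(s.get("type") == "dir" for s in srcs):
            continue
        out.append({"name": mod["name"], "pins": [p for p in map(pin_of, srcs) if p]})
        walk(mod.get("modules", []), out)
    return out

def audit(manifest_text):
    """Return the runtime the app relies on (updated centrally) and the list of
    bundled modules with their pins (only updated when the app author rebuilds)."""
    m = json.loads(manifest_text)
    return {"runtime": f"{m['runtime']}//{m['runtime-version']}",
            "bundled": walk(m.get("modules", []), [])}
```

Every entry under `bundled` is a copy the app author, not the runtime maintainers, has to keep patched.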
