Dependent objects are supposed to impose a partial ordering between Todos. However this can be broken as there are no sufficient checks in TodosController#add_predecessor. Therefore it's possible to have a Todo have itself as a predecessor, for multiple Dependencies to form a cycle, or to have multiple dependencies between the same two Todos.

The interface disallows this but it is still possible to invalidate the database by sending custom http post requests or via some exposed API. This defect has minor severity but should be reported.