{"id":8945,"date":"2026-06-08T06:00:00","date_gmt":"2026-06-08T06:00:00","guid":{"rendered":"https:\/\/allthingsopen.org\/?post_type=articles&#038;p=8945"},"modified":"2026-05-29T16:43:51","modified_gmt":"2026-05-29T16:43:51","slug":"dependency-auditing-across-package-ecosystems","status":"publish","type":"articles","link":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems","title":{"rendered":"You don&#8217;t know what you&#8217;re actually shipping"},"content":{"rendered":"\n<p>Most developers can name every direct dependency in their project. But how many can account for the hundreds, sometimes thousands, of indirect dependencies hiding beneath the surface? In his presentation at All Things Open, Viral Chhasatia, an Open Source Engineer in the Open Source Program Office (OSPO) at AWS, shares why the tools you use to track your dependency tree matter just as much as the code you write.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Six ecosystems, one problem: Why your SBOM is already broken\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/5HiiYoKfw8Q?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/youtube.com\/@allthingsopen?si=i8emDCINsMVWVOtv?sub_confirmation=1\" target=\"_blank\" rel=\"noreferrer noopener\">Subscribe to our All Things Open YouTube channel<\/a>&nbsp;to get notifications when new videos are available.<\/figcaption><\/figure>\n\n\n\n<p>Every software project sits on top of a dependency tree that grows in ways most developers don&#8217;t expect. 
You might select five direct dependencies, but each pulls in its own set, sometimes going six or seven layers deep. Docker containers that start with a base image and 20 installed packages can balloon to over 10,000 packages. That tree is never static either. Your dependencies shift based on when you build, what operating system you&#8217;re targeting, and whether you&#8217;ve pinned your versions. A Software Bill of Materials (SBOM) generated three months ago may already be outdated.<\/p>\n\n\n\n<p class=\"has-text-align-center\"><strong>Read more: <a href=\"https:\/\/allthingsopen.org\/articles\/sbom-open-source-security-syft-grype\" type=\"articles\" id=\"6906\" target=\"_blank\" rel=\"noreferrer noopener\">SBOM&#8217;S: The essential foundation of open source security<\/a><\/strong><\/p>\n\n\n\n<p>That shifting landscape creates real risk around licensing. A project you selected for its permissive license might quietly pull in a transitive dependency under a restrictive or commercial license. These surprises tend to surface at the worst possible time, and the compliance stakes go up significantly when you move from internal use to distributing your software.<\/p>\n\n\n\n<p><strong>So how do you get visibility?<\/strong> Viral walks through demos across six ecosystems, using pip-licenses and CycloneDX for Python, npm license-checker for JavaScript, Maven dependency plugins for Java, go-licenses for Go, cargo-about for Rust, and Syft for Docker images. The common thread is that no single tool gives you the complete picture. Each package manager only sees its own ecosystem, so a containerized project built with multiple languages needs multiple tools. Go license information, for example, won&#8217;t surface properly unless you run the tooling inside your container. 
Viral emphasizes that developers should always review generated attribution notices for completeness rather than trusting any one tool blindly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Key takeaways<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your dependency tree is dynamic, shaped by build timing, operating system, and version pinning. Treat SBOMs as snapshots, not permanent records.<\/li>\n\n\n\n<li>Transitive dependencies carry hidden license risks that can conflict with your company&#8217;s policies or distribution requirements. Audit beyond your first order dependencies.<\/li>\n\n\n\n<li>No single tool covers every ecosystem. Use the right package manager tooling for each language in your stack and review the output for gaps.<\/li>\n<\/ul>\n\n\n\n<p>The right combination of tools and regular audits keeps your compliance posture solid and your surprises to a minimum. Know that no tool is perfect and build a review habit around the output they give you.<\/p>\n\n\n\n<p class=\"has-text-align-center\"><a href=\"https:\/\/www.youtube.com\/playlist?list=PL6kQg8bP1Ji4cbR3xHna0AqMVaSpkThwy\" type=\"link\" id=\"https:\/\/www.youtube.com\/playlist?list=PL6kQg8bP1Ji4cbR3xHna0AqMVaSpkThwy\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>\ud83d\udcfa Watch the All Things Open &#8220;Extra&#8217;s&#8221; playlist <\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More from We Love Open Source<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/allthingsopen.org\/articles\/llm-graphrag-eliminates-hallucinations-vector-rag\" type=\"articles\" id=\"8871\" target=\"_blank\" rel=\"noreferrer noopener\">Is your LLM lying to you?<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/allthingsopen.org\/articles\/zero-trust-kubernetes-context-over-credentials\">Zero trust Kubernetes: Context over credentials<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/allthingsopen.org\/articles\/sbom-open-source-security-syft-grype\" type=\"articles\" 
id=\"6906\" target=\"_blank\" rel=\"noreferrer noopener\">SBOM&#8217;S: The essential foundation of open source security<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/allthingsopen.org\/articles\/how-to-secure-agentic-ai-agent-identity-protocol-aip\" target=\"_blank\" rel=\"noreferrer noopener\">How to secure agentic AI with Agent Identity Protocol (AIP)<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/allthingsopen.org\/articles\/stop-opening-firewall-ports-identity-tailscale-secure-access\" target=\"_blank\" rel=\"noreferrer noopener\">Stop opening firewall ports and start using identity<\/a><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"template":"","class_list":["post-8945","articles","type-articles","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>You don&#039;t know what you&#039;re actually shipping | We Love Open Source &#8226; All Things Open<\/title>\n<meta name=\"description\" content=\"Viral Chhasatia walks through six package ecosystems to show why no single tool catches every dependency and how to audit what you&#039;re really shipping.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"You don&#039;t know what you&#039;re actually shipping | We Love Open Source &#8226; All Things Open\" \/>\n<meta property=\"og:description\" content=\"Viral Chhasatia walks through six package ecosystems to show why no single tool catches every dependency and how to audit what you&#039;re really shipping.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems\" \/>\n<meta property=\"og:site_name\" content=\"All Things Open\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/facebook.com\/AllThingsOpen\" \/>\n<meta property=\"og:image\" content=\"https:\/\/allthingsopen.org\/wp-content\/uploads\/2026\/05\/SBOM_oss-supply-chain_Viral-Chhasatia_ATO.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@AllThingsOpen\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/articles\\\/dependency-auditing-across-package-ecosystems\",\"url\":\"https:\\\/\\\/allthingsopen.org\\\/articles\\\/dependency-auditing-across-package-ecosystems\",\"name\":\"You don't know what you're actually shipping | We Love Open Source &#8226; All Things Open\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/#website\"},\"datePublished\":\"2026-06-08T06:00:00+00:00\",\"description\":\"Viral Chhasatia walks through six package ecosystems to show why no single tool catches every dependency and how to audit what you're really 
shipping.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/articles\\\/dependency-auditing-across-package-ecosystems#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/allthingsopen.org\\\/articles\\\/dependency-auditing-across-package-ecosystems\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/articles\\\/dependency-auditing-across-package-ecosystems#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/allthingsopen.org\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Articles\",\"item\":\"https:\\\/\\\/allthingsopen.org\\\/articles\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"You don&#8217;t know what you&#8217;re actually shipping\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/#website\",\"url\":\"https:\\\/\\\/allthingsopen.org\\\/\",\"name\":\"All Things Open\",\"description\":\"A universe of events and platforms focused on open source, open tech and the open web.\",\"publisher\":{\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/#organization\"},\"alternateName\":\"ATO\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/allthingsopen.org\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/#organization\",\"name\":\"All Things 
Open\",\"url\":\"https:\\\/\\\/allthingsopen.org\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"http:\\\/\\\/allthingsopen.org\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/2022_ATO_Logo_Red_NoDate.svg\",\"contentUrl\":\"http:\\\/\\\/allthingsopen.org\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/2022_ATO_Logo_Red_NoDate.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"All Things Open\"},\"image\":{\"@id\":\"https:\\\/\\\/allthingsopen.org\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/facebook.com\\\/AllThingsOpen\",\"https:\\\/\\\/x.com\\\/AllThingsOpen\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/all-things-open\\\/\",\"https:\\\/\\\/www.instagram.com\\\/allthingsopen\",\"https:\\\/\\\/www.youtube.com\\\/allthingsopen\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"You don't know what you're actually shipping | We Love Open Source &#8226; All Things Open","description":"Viral Chhasatia walks through six package ecosystems to show why no single tool catches every dependency and how to audit what you're really shipping.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems","og_locale":"en_US","og_type":"article","og_title":"You don't know what you're actually shipping | We Love Open Source &#8226; All Things Open","og_description":"Viral Chhasatia walks through six package ecosystems to show why no single tool catches every dependency and how to audit what you're really shipping.","og_url":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems","og_site_name":"All Things 
Open","article_publisher":"https:\/\/facebook.com\/AllThingsOpen","og_image":[{"width":1280,"height":720,"url":"https:\/\/allthingsopen.org\/wp-content\/uploads\/2026\/05\/SBOM_oss-supply-chain_Viral-Chhasatia_ATO.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@AllThingsOpen","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems","url":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems","name":"You don't know what you're actually shipping | We Love Open Source &#8226; All Things Open","isPartOf":{"@id":"https:\/\/allthingsopen.org\/#website"},"datePublished":"2026-06-08T06:00:00+00:00","description":"Viral Chhasatia walks through six package ecosystems to show why no single tool catches every dependency and how to audit what you're really shipping.","breadcrumb":{"@id":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/allthingsopen.org\/articles\/dependency-auditing-across-package-ecosystems#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/allthingsopen.org\/"},{"@type":"ListItem","position":2,"name":"Articles","item":"https:\/\/allthingsopen.org\/articles"},{"@type":"ListItem","position":3,"name":"You don&#8217;t know what you&#8217;re actually shipping"}]},{"@type":"WebSite","@id":"https:\/\/allthingsopen.org\/#website","url":"https:\/\/allthingsopen.org\/","name":"All Things Open","description":"A universe of events and platforms focused on open source, open tech and the open 
web.","publisher":{"@id":"https:\/\/allthingsopen.org\/#organization"},"alternateName":"ATO","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/allthingsopen.org\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/allthingsopen.org\/#organization","name":"All Things Open","url":"https:\/\/allthingsopen.org\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/allthingsopen.org\/#\/schema\/logo\/image\/","url":"http:\/\/allthingsopen.org\/wp-content\/uploads\/2021\/10\/2022_ATO_Logo_Red_NoDate.svg","contentUrl":"http:\/\/allthingsopen.org\/wp-content\/uploads\/2021\/10\/2022_ATO_Logo_Red_NoDate.svg","width":"1024","height":"1024","caption":"All Things Open"},"image":{"@id":"https:\/\/allthingsopen.org\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/facebook.com\/AllThingsOpen","https:\/\/x.com\/AllThingsOpen","https:\/\/www.linkedin.com\/company\/all-things-open\/","https:\/\/www.instagram.com\/allthingsopen","https:\/\/www.youtube.com\/allthingsopen"]}]}},"_links":{"self":[{"href":"https:\/\/allthingsopen.org\/wp-json\/wp\/v2\/articles\/8945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/allthingsopen.org\/wp-json\/wp\/v2\/articles"}],"about":[{"href":"https:\/\/allthingsopen.org\/wp-json\/wp\/v2\/types\/articles"}],"wp:attachment":[{"href":"https:\/\/allthingsopen.org\/wp-json\/wp\/v2\/media?parent=8945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}