Package Dashboard: A Cross-Ecosystem Framework for Dual-Perspective Analysis of Software Packages
Ziheng Liu, Runzhi He, Minghui Zhou

TL;DR
Package Dashboard offers a comprehensive cross-ecosystem platform for analyzing software supply chain risks by integrating package metadata, vulnerability data, and community health metrics, thereby enhancing transparency and risk assessment.
Contribution
It introduces a novel unified framework that combines dependency resolution and repository analysis across multiple ecosystems for holistic supply chain risk analysis.
Findings
Analyzed 374,000 packages across five Linux distributions.
Uncovered risks like archived or inaccessible repositories.
Improved risk detection beyond traditional vulnerability assessments.
Abstract
Software supply chain attacks have revealed blind spots in existing SCA tools, which are often limited to a single ecosystem and assess either software artifacts or community activity in isolation. This fragmentation across tools and ecosystems forces developers to manually reconcile scattered data, undermining risk assessments. We present Package Dashboard, a cross-ecosystem framework that provides a unified platform for supply chain analysis, enabling a holistic, dual-perspective risk assessment by integrating package metadata, vulnerability information, and upstream community health metrics. By combining dependency resolution with repository analysis, it reduces cognitive load and improves traceability. Demonstrating the framework's versatility, a large-scale study of 374,000 packages across five Linux distributions shows its ability to uncover not only conventional vulnerabilities…
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Information and Cyber Security
