Package Dashboard: A Cross-Ecosystem Framework for Dual-Perspective Analysis of Software Packages
Ziheng Liu, Runzhi He, Minghui Zhou
TL;DR
The paper addresses fragmentation in software supply chain analysis by introducing Package Dashboard, a cross-ecosystem framework that fuses artifact metadata, vulnerability data, and upstream community health into a dual-perspective risk model. It details a front-end with a unified two-panel UI and a back-end orchestration layer that normalizes heterogeneous data, enriches it with OSV and Libraries.io, and builds an integrated, recursive dependency view. A large-scale study of 374,000 packages across five Linux distributions demonstrates the framework's ability to identify traditional CVEs, license conflicts, and overlooked risks such as archived repositories, enabling more transparent and actionable decision-making. The tool is publicly accessible online and demonstrates practical improvements for DevSecOps teams managing multi-ecosystem OSS risk.
Abstract
Software supply chain attacks have revealed blind spots in existing SCA tools, which are often limited to a single ecosystem and assess either software artifacts or community activity in isolation. This fragmentation across tools and ecosystems forces developers to manually reconcile scattered data, undermining risk assessments. We present Package Dashboard, a cross-ecosystem framework that provides a unified platform for supply chain analysis, enabling a holistic, dual-perspective risk assessment by integrating package metadata, vulnerability information, and upstream community health metrics. By combining dependency resolution with repository analysis, it reduces cognitive load and improves traceability. Demonstrating the framework's versatility, a large-scale study of 374,000 packages across five Linux distributions shows its ability to uncover not only conventional vulnerabilities and license conflicts but also overlooked risks such as archived or inaccessible repositories. Ultimately, Package Dashboard provides a unified view of risk, equipping developers and DevSecOps engineers with actionable insights to strengthen the transparency, trustworthiness, and traceability of open-source ecosystems. Package Dashboard is publicly available at https://github.com/n19htfall/PackageDashboard, and a demonstration video can be found at https://youtu.be/y9ncftP8KPQ. Besides, the online version is available at https://pkgdash.osslab-pku.org.