Dependencies, dependencies, dependencies. Each one can bring other dependencies and this makes understanding the software supply chain be the same level of difficulty as understanding the universe. We now have a telescope for this: GUAC, a project that has been in development for nearly a year and now reaches its v0.1 release. Find more on Google's security blog and come and join us in solving large swaths of supply chain problems/questions: https://security.googleblog.com/2023/05/announcing-launch-of-guac-v01.html