Open Source Summit North America 2025

Endor Labs coined the term "Phantom Dependency Problem" to describe dependencies that are bundled into software packages but not represented in the package metadata. This is common in many software package ecosystems, but it is most prevalent in the Python package ecosystem (PyPI) where many packages include compiled C, C++, and Rust dependencies.

Bundled software not being included in package metadata is meaning means that software composition analysis (SCA), SBOM, and vulnerability scanning tools are not able to detect the bundled software. This can cause vulnerabilities to be missed and make.

The Security Developer-in-Residence at the Python Software Foundation, Seth Larson, worked on solving to the Phantom Dependency problem for Python packaging, involving work on standards and tooling.

By the end of this session attendees will understand the Phantom Dependency problem, how it relates to Python and other packaging ecosystems, how SBOM and SCA tools work, and what work was done to make bundled dependencies measurable and what that means for users.