Python targets phantom dependencies threat with SBOM proposal
3 hours ago · Banishing phantom dependencies with a SBOM The answer to this problem is a new proposal authored by Larson called PEP 770. It introduces a way to embed a Software Bill-of-Materials, or SBOM, directly into Python packages.
How Python is Fighting Open Source's 'Phantom' Dependencies ...
1 day ago · Since 2023 the Python Software Foundation has had a Security Developer-in-Residence (sponsored by the Open Source Security Foundation's vulnerability-finding "Alpha-Omega" project). And he's just published a new 11-page white paper about open source's "phantom dependencies" problem — suggestin...
Unmasking Phantom Dependencies with Software Bill-of ...
4 days ago · Thursday, August 07, 2025 Unmasking Phantom Dependencies with Software Bill-of-Materials as Ecosystem Neutral Metadata The Python Software Foundation Security Developer-in-Residence, Seth Larson, published a new white paper with Alpha-Omega about the work to solve the "Phantom Dependency" problem.
Python's Phantom Dependencies: PSF Initiatives for Secure ...
6 hours ago · Python developers face "phantom dependencies"—hidden libraries sneaking into projects via dynamic imports, risking vulnerabilities and inaccurate SBOMs. Recent PSF initiatives, including a white paper and PEP 770, promote SBOM integration and reachability analysis to enhance transparency. These efforts aim to secure Python's ecosystem against …
Software Bill-of-Materials for Python packages - GitHub
Python packages are particularly affected by the "phantom dependency" problem, where software that isn't written in Python is included in Python packages for many reasons, such as ease of installation and compatibility with standards:
New Python Packaging Proposal Aims to Solve Phantom ...
Jan 7, 2025 · The phantom dependency problem he referenced is when software components that aren’t written in Python are included in packages. Since they can’t be described using Python package metadata, they can get missed by SCA tools, making it difficult to …
SBOMs for Python packages project - Discussions on Python.org
Nov 5, 2024 · Solve the “phantom dependency” problem, where non-Python software is bundled in Python packages but not recorded in any metadata. This makes the job of software composition analysis (SCA) tools difficult or impossible.