sbom.day

Software Bill of Materials — Field Expedition Log

OpenSSL

Specimen 0x7A3F

openssl@3.1.4

License: Apache-2.0

Dependencies: 3

Foundational cryptographic organism. Deeply rooted in the ecosystem substrate.

2026.03.31 — 08:14 UTC

Initial scan reveals a thriving ecosystem. Dependencies branch like root systems into darkness.

React

Specimen 0xB2C1

react@18.2.0

License: MIT

Dependencies: 7

Dominant canopy species. Its reactive lifecycle permeates the entire biome.

Lodash

Specimen 0x44DE

lodash@4.17.21

License: MIT

Dependencies: 0

Ancient utility organism. Self-contained. Shows signs of evolutionary stasis.

PACKAGES: 247
DIRECT DEPS: 34
TRANSITIVE: 213
LICENSES: 12 types

Express

Specimen 0x91FA

express@4.18.2

License: MIT

Dependencies: 31

Massive root network. This organism supports entire colonies above it.

2026.03.31 — 08:27 UTC

The supply chain extends deeper than the initial probe suggested. Cataloguing continues.

Webpack

Specimen 0xC7B8

webpack@5.88.0

License: MIT

Dependencies: 78

Bundle organism. Consumes and transforms other species into deployable forms.

TypeScript

Specimen 0xE2A4

typescript@5.3.3

License: Apache-2.0

Dependencies: 0

Type-enforcement symbiont. Strengthens host organisms through structural validation.

SCAN DEPTH: 7 layers
CONNECTIONS: 1,847
ORPHANS: 3

The network reveals itself in layers. Beneath the surface dependencies — the ones declared, the ones known — lies a vast mycelial web of transitive relationships. Each package pulls dozens more into existence. The supply chain is not a chain at all; it is a living mesh, breathing, growing, occasionally dying in silence where no one monitors.

We trace the connections. OpenSSL threads through 43% of all specimens. A single point of failure, beautiful and terrifying in equal measure — a keystone species whose removal would collapse the canopy above.

CRITICAL PATH: openssl → node → express → app
MAX DEPTH: 12

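
The mesh, keystone and critical-path ideas above, worked through as an added Python example that is not part of the sbom.day log: a small constructed dependency map (the edges, and therefore the 4/7 share and depth 3, are made up for illustration and are not the log's 43%, 1,847 connections or depth 12) is walked to compute the transitive closure below a package, the share of packages that transitively depend on a given component, the longest chain below the application, and the chain from the application down to that component (listed top-down here, where the log writes it bottom-up).

```python
# Blast-radius analysis over a constructed SBOM dependency graph (Python 3.9+).
from typing import Optional

# Constructed sample: package -> packages it directly depends on.
# Names echo the log above; the edges are made up for illustration only.
SAMPLE_DEPS: dict[str, list[str]] = {
    "app": ["express", "react", "webpack"],
    "express": ["node", "lodash"],
    "node": ["openssl"],
    "react": ["lodash"],
    "webpack": ["node", "typescript"],
    "typescript": [], "lodash": [], "openssl": [],
}

def transitive_deps(deps: dict[str, list[str]], pkg: str) -> frozenset[str]:
    """Everything reachable below pkg: the 'mycelial web' of transitive dependencies."""
    seen, stack = set(), list(deps.get(pkg, []))
    while stack:  # iterative DFS; the seen-set also terminates on cycles
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(deps.get(cur, []))
    return frozenset(seen)

def keystone_share(deps: dict[str, list[str]], target: str) -> float:
    """Fraction of the other packages whose transitive closure contains target."""
    others = [p for p in deps if p != target]
    return sum(target in transitive_deps(deps, p) for p in others) / len(others) if others else 0.0

def max_depth(deps: dict[str, list[str]], pkg: str, path: tuple = ()) -> int:
    """Longest dependency chain below pkg, counted in edges; a cycle is reported as an error."""
    if pkg in path:
        raise ValueError("dependency cycle: " + " -> ".join(path + (pkg,)))
    children = deps.get(pkg, [])
    return 1 + max(max_depth(deps, c, path + (pkg,)) for c in children) if children else 0

def critical_path(deps: dict[str, list[str]], root: str, target: str) -> Optional[list[str]]:
    """Longest simple chain from root down to target, or None if target is unreachable."""
    best = None
    def walk(node: str, path: list[str]) -> None:
        nonlocal best
        if node == target:
            if best is None or len(path) > len(best):
                best = path
            return
        for child in deps.get(node, []):
            if child not in path:  # never revisit a node already on this chain
                walk(child, path + [child])
    walk(root, [root])
    return best
```

Running the same functions over a real SBOM (CycloneDX or SPDX) only requires building the `deps` map from its dependency section; the cycle error in `max_depth` is deliberate, since a cyclic graph has no meaningful maximum depth.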
Log4j

PATHOLOGY: 0xDEAD

log4j@2.14.1

CVE-2021-44228 — Log4Shell

CVSS: 10.0 / CRITICAL

Remote code execution. The organism has been fully compromised — its neural pathways hijacked by an external parasite. Immediate quarantine recommended.

Colors

PATHOLOGY: 0xBADF

colors@1.4.1

Supply Chain Attack — Maintainer Sabotage

SEVERITY: HIGH

Self-destructive mutation introduced by the organism's own creator. An act of ecological protest — the species chose to die rather than be exploited.

2026.03.31 — 09:03 UTC

Three compromised specimens identified. The infection vectors vary — some external, some self-inflicted. The ecosystem bears its scars.

event-stream

PATHOLOGY: 0xF00D

event-stream@3.3.6

Malicious Dependency Injection

SEVERITY: CRITICAL

A trusted organism was colonized by an invasive species disguised as a maintainer. The parasite targeted cryptocurrency wallets specifically.

The expedition concludes not with answers but with awareness. Every application we build is a biome — a living, interdependent system where a single mutation can cascade through thousands of species. The Software Bill of Materials is not merely an inventory. It is a field guide to the organisms we have invited into our world, knowingly or not.

Know your dependencies. They are alive.

— End of Field Log, Expedition SBOM-2026-03-31 —