Binary Dependencies: Identifying the Hidden Packages We All Depend On
On 31 Jan 2026, I gave a talk at FOSDEM 2026 on phantom binary dependencies — packages that we depend on in binary form, even though these dependency relationships are invisible to us. If we cannot reliably identify these phantom dependencies, the sustainability and security of our tech infrastructure will be at risk, which threatens critical services such as hospitals, transportation and the internet.
You can watch my talk on this page, and I’ve included more details below, as well as a list of resources for those who want to learn more about this topic.
Abstract
When you create a software package, your work might depend on other packages. Usually, you will depend on the source code of these other packages. However, sometimes, you will depend on precompiled binaries of your dependencies. This frequently happens when calling compiled code, like C code, from other programming languages, such as Python.
In almost all ecosystems, it is difficult to keep track of binary dependencies. When you depend on a package’s source code, this is normally recorded in your manifest file — pyproject.toml, package.json and so on. However, when you depend on a package’s precompiled binaries, this information is usually not recorded anywhere. This means that the binary dependency relationship between your project and whatever you’re depending on is hidden — so we can say that you have a phantom binary dependency.
You can find detailed technical information about how binary dependencies work in my article titled How Binary Dependencies Work Across Different Languages.
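As an added example (not code from the talk or from the linked article), the script below reads the one place where a binary dependency is actually recorded: the DT_NEEDED entries in the .dynamic section of an ELF shared object, which is what a Python wheel bundling C code ships next to its modules. It builds a small ELF64 file in memory so it runs offline, extracts the sonames, and compares them against a manifest's declared dependencies. The sample sonames and the manifest contents are constructed for illustration, and the soname-to-package matching is a heuristic, because no ecosystem records that mapping.

```python
"""List the DT_NEEDED sonames of an ELF shared object and report which
ones the project's manifest does not account for (phantom binary deps).
Added example; sample binary and manifest are constructed, not real."""
from __future__ import annotations
import os
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1
EHDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 header
SHDR = "<IIQQQQIIQQ"         # 64-byte ELF64 section header


def needed_libraries(data: bytes) -> list[str]:
    """Return the DT_NEEDED sonames recorded in an ELF64 little-endian object."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR, data, shoff + i * shentsize)
                for i in range(shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        link = sections[sh[6]]                  # sh_link -> .dynstr
        strtab = data[link[4]:link[4] + link[5]]
        entsize = sh[9] or 16                   # Elf64_Dyn is 16 bytes
        for off in range(sh[4], sh[4] + sh[5], entsize):
            tag, val = struct.unpack_from("<QQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:                # val is an offset into .dynstr
                needed.append(strtab[val:strtab.index(b"\0", val)].decode())
    return needed


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map every ELF object under root (e.g. a site-packages dir) to its sonames."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if ".so" not in name:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                found[path] = needed_libraries(data)
            except ValueError:
                continue
    return found


def phantom_binary_dependencies(declared: set[str], needed: list[str]) -> list[str]:
    """Sonames that no manifest entry accounts for. Matching a soname to a
    package name is a heuristic (drop a leading 'lib' and the '.so' version
    suffix); nothing in the ecosystem records the real mapping."""
    def base(name: str) -> str:
        stem = name.split(".so")[0].lower()
        return stem[3:] if stem.startswith("lib") else stem
    known = {base(d) for d in declared}
    return [s for s in needed if base(s) not in known]


def build_sample_elf(sonames: list[str]) -> bytes:
    """Construct a minimal ELF64 object holding only .dynstr, .dynamic and
    .shstrtab, with one DT_NEEDED per soname (test input, not loadable)."""
    dynstr, offsets = bytearray(b"\0"), []
    for name in sonames:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack("<QQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<QQ", DT_NULL, 0)
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    ehsize = struct.calcsize(EHDR)
    dynstr_off = ehsize
    dynamic_off = dynstr_off + len(dynstr)
    dynamic_off += (-dynamic_off) % 8
    shstr_off = dynamic_off + len(dynamic)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 8
    # (name, type, flags, addr, offset, size, link, info, addralign, entsize)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        (1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
        (9, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16),
        (18, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, shoff, 0, ehsize, 56, 0,
                       struct.calcsize(SHDR), len(shdrs), 3)
    body = bytearray(ehdr) + dynstr
    body += bytes(dynamic_off - len(body)) + dynamic + shstrtab
    body += bytes(shoff - len(body))
    for sh in shdrs:
        body += struct.pack(SHDR, *sh)
    return bytes(body)


if __name__ == "__main__":
    # Constructed sample: an extension that links three system libraries,
    # shipped by a project whose manifest only names two Python packages.
    sample = build_sample_elf(["libsodium.so.23", "libz.so.1", "libc.so.6"])
    sonames = needed_libraries(sample)
    print("DT_NEEDED:", sonames)
    print("phantom:", phantom_binary_dependencies({"libsodium", "requests"}, sonames))
```

Run scan_tree on a virtual environment's site-packages to see the same information for real wheels. A practitioner will normally add an allowlist for the base OS libraries (glibc, libm, libpthread) before treating what remains as something to record, audit, and, in the talk's framing, fund.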
Why are phantom binary dependencies important? For at least two reasons:
Sustainability. Keystone maintainers struggle to get paid because of the Open Source sustainability crisis, which makes them more vulnerable to burnout. Projects like the Open Source Pledge, the Open Source Endowment, and thanks.dev help maintainers get paid. But we have to know which maintainers we depend on to be able to pay them. If we cannot identify our binary dependencies, we cannot identify which maintainers we should support, which puts the sustainability of the Open Source ecosystem at risk, threatening our global tech infrastructure.