curl and libcurl, written in C, exist outside standard package ecosystems like npm, Go, or Rust. This makes them invisible to SBOM generators, dependency scanners, and tools that rely on package managers to map software dependencies. PURLs (Package URLs) also can't represent curl since it belongs to no ecosystem. Because curl is often bundled with operating systems or distributed as source tarballs, automated tools typically stop tracking dependencies at the layer above curl, missing it entirely. GitHub's dependency graph illustrates this starkly: despite curl being installed in roughly 30 billion places, GitHub lists only one dependent repository — and that one appears to be a mistake.
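Added example, not code from the post: since no manifest or lock file will ever list curl, one way to get it (and the native libraries it was linked against, which are equally invisible) into an SBOM is to probe the installed binary and parse the first line of `curl --version`. The `pkg:generic` type used here is the Package URL catch-all for software outside any ecosystem; it yields an identifier but, as the summary notes, no registry for a scanner to resolve it against. The sample output is constructed.

```python
"""Recover curl/libcurl and the native libraries it was built with for an SBOM,
because package-manager based scanners never see them."""
import re
import subprocess

# Constructed sample of `curl --version` output; only the first line is parsed.
SAMPLE_CURL_VERSION = """\
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0
Release-Date: 2023-12-06
"""

# Tokens of the form name/version; the "(x86_64-pc-linux-gnu)" triplet does not match.
TOKEN = re.compile(r"^(?P<name>[A-Za-z][\w.+-]*)/(?P<version>[\w.+-]+)$")


def parse_curl_version(text):
    """Return (name, version) pairs: curl itself first, then each linked library."""
    first = text.splitlines()[0].split()
    if len(first) < 2 or first[0] != "curl":
        raise ValueError("not `curl --version` output")
    comps = [("curl", first[1])]
    for tok in first[2:]:
        m = TOKEN.match(tok)
        if m:
            comps.append((m.group("name"), m.group("version")))
    return comps


def to_cyclonedx_components(pairs):
    """Build CycloneDX-style component dicts with a pkg:generic PURL each.
    pkg:generic is the catch-all for software that belongs to no ecosystem,
    so nothing downstream can look these up the way it would an npm package."""
    return [
        {
            "type": "application" if name == "curl" else "library",
            "name": name,
            "version": version,
            "purl": f"pkg:generic/{name.lower()}@{version}",
        }
        for name, version in pairs
    ]


def components_from_installed_curl(curl_path="curl"):
    """Probe the curl binary on this host; return [] when none is installed."""
    try:
        proc = subprocess.run([curl_path, "--version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return to_cyclonedx_components(parse_curl_version(proc.stdout))
```

Merge the returned components into the SBOM your manifest-based generator produces; the libraries after `libcurl/` are the ones a scan that stops at the application layer also misses.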

From daniel.haxx.se