Existing package managers suffer from semantic fragmentation due to language- and operating system-specific differences, making it difficult to precisely express cross-language dependencies, versioned system or hardware requirements, and hindering effective security vulnerability tracking. To address these challenges, this work proposes Package Calculus—the first unified formal model that captures the core mechanisms of mainstream package managers through semantic reduction. Serving as an intermediate representation, Package Calculus enables translation and resolution of dependencies across heterogeneous ecosystems. The model facilitates cross-language and cross-platform dependency interoperability and supports global analysis, thereby establishing a rigorous theoretical foundation and practical pathway for dependency resolution and security research.

Package managers are legion. Every programming language and operating system has its own solution, each with subtly different semantics for dependency resolution. This fragmentation prevents multilingual projects from expressing precise dependencies across language ecosystems; it leaves external system and hardware dependencies implicit and unversioned; it obscures security vulnerabilities that lie in the full dependency graph. We present the \textit{Package Calculus}, a formalism for dependency resolution that unifies the core semantics of diverse package managers. Through a series of formal reductions, we show how this core is expressive enough to model the diversity that real-world package managers employ in their dependency expression languages. By using the Package Calculus as the intermediate representation of dependencies, we enable translation between distinct package managers and resolution across ecosystems.