🤖 AI Summary
Addressing FLOSS supply-chain security and compliance challenges—such as those imposed by the EU Cyber Resilience Act—this paper presents the first systematic, quantitative analysis of vulnerability distribution across the open-source ecosystem and introduces a risk-localization framework targeting “Software Cluster Bombs.” Methodologically, it integrates dependency graph analysis, package metadata mining, risk propagation modeling, and SBOM (Software Bill of Materials) compliance assessment to identify numerous high-impact yet under-maintained critical projects. The contributions are threefold: (1) it exposes structural risks—including interface gaps and maintenance imbalances—in the FLOSS ecosystem; (2) it establishes a scalable, evidence-based monitoring methodology that supports automated SBOM generation and enhances cyber resilience; and (3) it provides regulators with empirically grounded metrics and operational tools for compliance enforcement.
📝 Abstract
Throughout computer history, it has been repeatedly demonstrated that critical software vulnerabilities can significantly affect the components involved. In the Free/Libre and Open Source Software (FLOSS) ecosystem, most software is distributed through package repositories. Nowadays, monitoring critical dependencies in a software system is essential for maintaining robust security practices. This is particularly important due to new legal requirements, such as the European Cyber Resilience Act, which require software projects to maintain a transparent track record with a Software Bill of Materials (SBOM) and to ensure a good overall state of the project. This study provides a summary of the current state of available FLOSS package repositories and addresses the challenge of identifying problematic areas within a software ecosystem. These areas are analyzed in detail, quantifying the current state of the FLOSS ecosystem. The results indicate that while there are well-maintained projects within the FLOSS ecosystem, there are also high-impact projects that are susceptible to supply chain attacks. This study proposes a method for analyzing the current state and identifies missing elements, such as interfaces, for future research.
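The summary and abstract describe combining dependency-graph analysis with package metadata to locate high-impact, under-maintained projects. The following is an added illustration written for this page, not code from the paper: it builds a reverse dependency graph over a constructed set of hypothetical packages, counts each package's transitive dependents as an impact score, and flags packages whose impact is high while their maintenance metadata (maintainer count, release staleness) is weak. The thresholds and the metadata fields are assumptions chosen for the example, not the paper's metrics.

```python
from collections import defaultdict, deque

# Constructed sample dependency graph: package -> direct dependencies.
# All package names are hypothetical.
DEPS = {
    "web-app": ["http-client", "json-lib"],
    "cli-tool": ["http-client", "log-lib"],
    "http-client": ["tls-lib", "log-lib"],
    "json-lib": [],
    "tls-lib": ["base-utils"],
    "log-lib": ["base-utils"],
    "base-utils": [],
}

# Constructed maintenance metadata, as one might mine it from a package
# repository: number of active maintainers and days since the last release.
META = {
    "web-app": {"maintainers": 5, "days_since_release": 10},
    "cli-tool": {"maintainers": 2, "days_since_release": 45},
    "http-client": {"maintainers": 4, "days_since_release": 20},
    "json-lib": {"maintainers": 1, "days_since_release": 800},
    "tls-lib": {"maintainers": 3, "days_since_release": 400},
    "log-lib": {"maintainers": 1, "days_since_release": 30},
    "base-utils": {"maintainers": 1, "days_since_release": 900},
}


def reverse_graph(deps):
    """Invert the edges so we can walk from a package to everything depending on it."""
    rev = defaultdict(set)
    for pkg, direct in deps.items():
        rev.setdefault(pkg, set())
        for d in direct:
            rev[d].add(pkg)
    return rev


def transitive_dependents(rev, pkg):
    """Breadth-first walk over reverse edges; the visited set keeps cycles harmless."""
    seen = set()
    queue = deque([pkg])
    while queue:
        cur = queue.popleft()
        for parent in rev.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def impact_scores(deps):
    """Impact of a package = number of packages that transitively depend on it."""
    rev = reverse_graph(deps)
    return {pkg: len(transitive_dependents(rev, pkg)) for pkg in rev}


def find_cluster_bombs(deps, meta, min_dependents=2, max_maintainers=1, stale_days=365):
    """Flag high-impact packages whose maintenance signals are weak.

    A package is reported when at least `min_dependents` other packages rely on it
    and it has either too few maintainers or no release for `stale_days`.
    The thresholds are assumptions for this example, not values from the paper.
    """
    scores = impact_scores(deps)
    flagged = []
    for pkg, dependents in scores.items():
        if dependents < min_dependents:
            continue
        info = meta.get(pkg, {})
        reasons = []
        if info.get("maintainers", 0) <= max_maintainers:
            reasons.append("single-maintainer")
        if info.get("days_since_release", 0) >= stale_days:
            reasons.append("stale-release")
        if reasons:
            flagged.append({"package": pkg, "dependents": dependents, "reasons": reasons})
    # Highest blast radius first; ties broken by name for stable output.
    flagged.sort(key=lambda f: (-f["dependents"], f["package"]))
    return flagged


if __name__ == "__main__":
    for entry in find_cluster_bombs(DEPS, META):
        print(f"{entry['package']}: {entry['dependents']} dependents, {', '.join(entry['reasons'])}")
```

On the constructed graph, `base-utils` sits under every other package and is both single-maintainer and stale, so it ranks first; `http-client` has the same structural importance as a hub but healthy metadata, so it is not reported. Swapping `DEPS` and `META` for data mined from a real repository index turns this into the kind of monitoring the abstract calls for.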