[Verse 1]
Your app depends on seven libraries clean
But scratch beneath reveals a tangled scene
Each package pulls another dozen more
Transitive webs behind dependency's door
Direct ones that you chose with careful thought
Optional extras when features are sought
Dev tools for building, testing through the night
But runtime never sees their guiding light
[Chorus]
Hidden family tree, branches everywhere
Same commit, different bytes floating through the air
Gradle, Maven, npm's domain
PyPI, Cargo, pub's refrain
Source repo, artifact, build machine apart
Reproducibility's the missing art
[Verse 2]
Java's Maven central, Kotlin rides along
Dart's pub serves Flutter with its siren song
Python's PyPI warehouse, Rust's crates dot io
Each ecosystem has its ebb and flow
The graph expands exponentially wide
Dependencies of dependencies collide
Version pinning tries to lock it down
But transitive chaos wears the crown
[Chorus]
Hidden family tree, branches everywhere
Same commit, different bytes floating through the air
Gradle, Maven, npm's domain
PyPI, Cargo, pub's refrain
Source repo, artifact, build machine apart
Reproducibility's the missing art
[Bridge]
Artifact provenance tells three different tales
Source code repository where history trails
Release artifact packaged for the world
Build environment where the magic's unfurled
Same git hash, same timestamp, same intent
Different compilers make the binary bent
Hash verification guards the sacred trust
But build drift turns diamonds into dust
[Chorus]
Hidden family tree, branches everywhere
Same commit, different bytes floating through the air
Supply chain wisdom, know your nested throne
Dependencies you've never even known
[Outro]
Map the phantom branches in the night
Provenance and hashes make it right