devops-automation
Discussion Topic: How is OSS embedded in web apps tracked/managed?
Discussion Topic for OSS Supply Chain Risks WG
Description of Problem:
Web app developers can embed OSS (e.g., via script tags) without using authorized package management mechanisms (e.g., npm modules sourced from an approved internal package repository). Most regulated organizations have policies against such unapproved OSS usage, since it poses security, compliance and licensing risks.
How is such embedded usage of unapproved OSS identified and managed?
Potential Solutions:
To be discussed
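One way to surface the usage the topic describes is to scan the app's own HTML for script tags whose src points outside an approved host allowlist, or that load from an approved host without a Subresource Integrity hash. The following is an added example, not the working group's code: the approved host, the sample HTML and the SRI value are constructed.

```python
"""Flag <script src> tags that load code from hosts outside an approved allowlist
or without an SRI hash. Added example; allowlist and sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only this host is approved for externally loaded scripts.
APPROVED_HOSTS = {"static.example-corp.internal"}


class ScriptTagCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script> tag carrying a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"], "integrity" in attr))


def find_unapproved_scripts(html, approved_hosts=APPROVED_HOSTS):
    """Return (kind, src) findings for scripts that bypass package management.
    Relative paths are treated as part of the built bundle and not flagged."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for src, has_integrity in parser.scripts:
        host = urlparse(src).netloc.lower()  # also handles "//host/..." URLs
        if not host:
            continue
        if host not in approved_hosts:
            findings.append(("unapproved-host", src))
        elif not has_integrity:
            findings.append(("missing-sri", src))
    return findings


SAMPLE_HTML = """<!doctype html><html><head>
<script src="/static/app.bundle.js"></script>
<script src="https://cdn.example-cdn.test/jquery/3.6.0/jquery.min.js"></script>
<script src="//static.example-corp.internal/vendor/lodash.min.js"></script>
<script src="https://static.example-corp.internal/vendor/dayjs.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, src in find_unapproved_scripts(SAMPLE_HTML):
        print(f"{kind}: {src}")
```

Running it over a built site or template directory gives a list that can be reconciled against the package inventory; scripts injected at runtime by other scripts are not visible to a static scan and need a runtime check (e.g., a Content Security Policy report) in addition.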