Securing the ML Supply Chain

Understanding the hidden dependencies and risks in AI ecosystems

This research analyzes the ML component supply chain in modern software systems, with a case study of Hugging Face, revealing critical gaps in licensing and security practices.

  • ML components often have complex dependency networks with unclear provenance
  • Many models lack proper license documentation and attribution
  • Security vulnerabilities can propagate through the supply chain without proper oversight
  • Stronger compliance frameworks are needed as ML becomes embedded in critical systems

For security professionals, this study highlights the urgent need to develop better tools and practices for tracking ML dependencies, similar to how we manage traditional software supply chains.
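As an added illustration (not code from the paper or from Hugging Face), the following Python audit walks a constructed set of model cards in Hugging Face front-matter style and reports the gaps the study describes: missing license metadata, an upstream that cannot be resolved, and a flagged component inherited through the `base_model` chain. The repository names, the `FLAGGED` set and the finding labels are assumptions made for the example.

```python
# Constructed sample model cards in Hugging Face front-matter style (YAML
# between '---' lines). Only simple "key: value" fields are used, so no YAML
# library is needed. Repository names are placeholders, not real repos.
SAMPLE_CARDS = {
    "org-a/base-llm": "---\nlicense: apache-2.0\n---\n# Base model\n",
    "org-b/finetune-v1": "---\nbase_model: org-a/base-llm\nlicense: mit\n---\n",
    "org-c/finetune-v2": "---\nbase_model: org-b/finetune-v1\n---\n",  # no license field
    "org-d/orphan": "---\nbase_model: org-z/missing-upstream\nlicense: cc-by-4.0\n---\n",
}

# Constructed set of components an advisory has flagged (assumption for the example).
FLAGGED = {"org-a/base-llm"}


def parse_front_matter(card: str) -> dict:
    """Return the key/value fields from the YAML front matter of a model card."""
    lines = card.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    meta = {}
    for line in lines[1:]:
        if line.strip() == "---":  # end of front matter
            break
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def audit(cards: dict, flagged: set) -> dict:
    """Map each model name to a list of supply-chain findings."""
    metas = {name: parse_front_matter(card) for name, card in cards.items()}
    report = {}
    for name, meta in metas.items():
        findings = []
        if "license" not in meta:
            findings.append("missing-license")
        # Follow the base_model chain to establish provenance; guard against cycles.
        chain, cur, seen = [], meta.get("base_model"), set()
        while cur and cur not in seen:
            seen.add(cur)
            chain.append(cur)
            if cur not in metas:
                findings.append(f"unknown-upstream:{cur}")
                break
            cur = metas[cur].get("base_model")
        if name in flagged:
            findings.append("flagged")
        if flagged & set(chain):  # a flagged component propagates downstream
            findings.append("flagged-upstream")
        report[name] = findings
    return report
```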

The ML Supply Chain in the Era of Software 2.0: Lessons Learned from Hugging Face