Package Dashboard: A Cross-Ecosystem Framework for Dual-Perspective Analysis of Software Packages

📅 2025-12-01
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing SCA tools are confined to single ecosystems and analyze either software artifacts or community activity in isolation, producing fragmented and inaccurate risk assessments. To address this, the authors propose a cross-ecosystem package analysis framework that jointly models component security and upstream community sustainability. The method integrates dependency resolution, multi-source metadata aggregation, and upstream community health indicators within one analytical platform, enabling automated detection, visual traceability, and large-scale analysis. Evaluated on 374,000 packages from five Linux distributions, the framework identifies conventional vulnerabilities, license conflicts, and latent risks (including archived or inaccessible upstream repositories), reducing the manual reconciliation work otherwise left to developers. The approach improves transparency, trustworthiness, and end-to-end traceability across open-source software supply chains.

📝 Abstract
Software supply chain attacks have revealed blind spots in existing SCA tools, which are often limited to a single ecosystem and assess either software artifacts or community activity in isolation. This fragmentation across tools and ecosystems forces developers to manually reconcile scattered data, undermining risk assessments. We present Package Dashboard, a cross-ecosystem framework that provides a unified platform for supply chain analysis, enabling a holistic, dual-perspective risk assessment by integrating package metadata, vulnerability information, and upstream community health metrics. By combining dependency resolution with repository analysis, it reduces cognitive load and improves traceability. Demonstrating the framework's versatility, a large-scale study of 374,000 packages across five Linux distributions shows its ability to uncover not only conventional vulnerabilities and license conflicts but also overlooked risks such as archived or inaccessible repositories. Ultimately, Package Dashboard provides a unified view of risk, equipping developers and DevSecOps engineers with actionable insights to strengthen the transparency, trustworthiness, and traceability of open-source ecosystems. Package Dashboard is publicly available at https://github.com/n19htfall/PackageDashboard, and a demonstration video can be found at https://youtu.be/y9ncftP8KPQ. An online version is also available at https://pkgdash.osslab-pku.org.
Problem

Research questions and friction points this paper is trying to address.

Unifies cross-ecosystem supply chain analysis for holistic risk assessment
Integrates package metadata, vulnerabilities, and community health to reduce manual effort
Identifies overlooked risks like archived repositories beyond conventional vulnerabilities
Innovation

Methods, ideas, or system contributions that make the work stand out.

Cross-ecosystem framework integrating package metadata and community metrics
Unified platform for dual-perspective risk assessment across ecosystems
Combines dependency resolution with repository analysis to reduce cognitive load
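The dual-perspective assessment described in the abstract and the Innovation list above, as an added illustration (this is not PackageDashboard's own code): artifact-level findings (known advisories and license conflicts over the resolved dependency closure) are joined with upstream repository health (archived, inaccessible, or stale), and a cross-ecosystem join shows every distro package built from the same upstream. The package index, versions, advisory ids, repository URLs, the simplified license-compatibility rule, and the 730-day staleness threshold are all constructed assumptions for this example.

```python
"""Added example: dual-perspective package risk assessment (artifact + upstream health).
All packages, versions, advisory ids, URLs and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Package:
    name: str
    ecosystem: str        # distribution the package comes from
    version: str
    license: str          # SPDX-style identifier
    depends: tuple        # dependency names within the same ecosystem
    upstream: str         # upstream repository URL


@dataclass(frozen=True)
class Upstream:
    url: str
    archived: bool        # repository marked archived by the forge
    http_status: int      # 200 reachable, anything else treated as inaccessible
    last_commit: Optional[date]


# Constructed distro package index, keyed by (ecosystem, name). Hypothetical names/URLs.
PACKAGES = {
    ("distro-a", "webapp"): Package("webapp", "distro-a", "2.1", "MIT",
                                    ("libparse", "libcrypt"), "https://example.invalid/org/webapp"),
    ("distro-a", "libparse"): Package("libparse", "distro-a", "1.4", "GPL-3.0",
                                      (), "https://example.invalid/org/libparse"),
    ("distro-a", "libcrypt"): Package("libcrypt", "distro-a", "0.9", "Apache-2.0",
                                      (), "https://example.invalid/org/libcrypt"),
    ("distro-b", "libcrypt"): Package("libcrypt", "distro-b", "1.0", "Apache-2.0",
                                      (), "https://example.invalid/org/libcrypt"),
}

# Constructed vulnerability feed: (name, version) -> advisory ids (placeholders, not real CVEs).
VULNS = {("libcrypt", "0.9"): ["EXAMPLE-ADV-0001"]}

# Constructed upstream health snapshots.
UPSTREAMS = {
    "https://example.invalid/org/webapp": Upstream("https://example.invalid/org/webapp",
                                                   False, 200, date(2025, 10, 1)),
    "https://example.invalid/org/libparse": Upstream("https://example.invalid/org/libparse",
                                                     True, 200, date(2021, 3, 4)),
    "https://example.invalid/org/libcrypt": Upstream("https://example.invalid/org/libcrypt",
                                                     False, 404, None),
}

# Simplified license rule (assumption): a permissively licensed package that pulls in a
# strong-copyleft component is flagged for review. Real compatibility analysis is richer.
STRONG_COPYLEFT = {"GPL-3.0", "AGPL-3.0"}
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
STALE_DAYS = 730  # assumed threshold for "no commits in two years"


def resolve(ecosystem, name, index=PACKAGES, seen=None):
    """Transitive dependency closure within one ecosystem, root first (DFS order)."""
    seen = set() if seen is None else seen
    key = (ecosystem, name)
    if key in seen or key not in index:
        return []
    seen.add(key)
    pkg = index[key]
    closure = [pkg]
    for dep in pkg.depends:
        closure.extend(resolve(ecosystem, dep, index, seen))
    return closure


def artifact_findings(root, closure, vulns=VULNS):
    """Perspective 1: what conventional SCA sees in the artifacts themselves."""
    findings = []
    for p in closure:
        for adv in vulns.get((p.name, p.version), []):
            findings.append(("vulnerability", p.name, adv))
        if p is not root and root.license in PERMISSIVE and p.license in STRONG_COPYLEFT:
            findings.append(("license-conflict", p.name,
                             f"{root.license} package depends on {p.license} component"))
    return findings


def upstream_findings(closure, upstreams=UPSTREAMS, today=date(2025, 12, 1)):
    """Perspective 2: sustainability of the upstream community behind each component."""
    findings = []
    for p in closure:
        u = upstreams.get(p.upstream)
        if u is None or u.http_status != 200:
            findings.append(("upstream-inaccessible", p.name, p.upstream))
            continue  # nothing more can be learned about an unreachable repository
        if u.archived:
            findings.append(("upstream-archived", p.name, p.upstream))
        if u.last_commit is None or (today - u.last_commit).days > STALE_DAYS:
            findings.append(("upstream-stale", p.name, p.upstream))
    return findings


def assess(ecosystem, name, today=date(2025, 12, 1)):
    """Joined, dual-perspective view for one package: (kind, component, detail) tuples."""
    closure = resolve(ecosystem, name)
    return artifact_findings(closure[0], closure) + upstream_findings(closure, today=today)


def affected_across_ecosystems(upstream_url, index=PACKAGES):
    """Cross-ecosystem join: every distro package built from the same upstream repository."""
    return sorted((p.ecosystem, p.name) for p in index.values() if p.upstream == upstream_url)


if __name__ == "__main__":
    for finding in assess("distro-a", "webapp"):
        print(finding)
    print(affected_across_ecosystems("https://example.invalid/org/libcrypt"))
```

The point of the join is the last three finding kinds: a vulnerability-only scanner reports nothing about libparse (no advisory, version current), yet its upstream is archived and has had no commits in years, and libcrypt's upstream cannot be fetched at all, which is exactly the "latent risk" the paper argues single-perspective tools miss. Because packages are keyed by ecosystem and joined on the upstream URL, one inaccessible repository surfaces for every distribution that ships it.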
Ziheng Liu
Beijing Jiaotong University
Cell-Free massive MIMO; Reinforcement learning; Signal Processing
Runzhi He
School of Computer Science, Peking University Key Laboratory of High Confidence Software Technologies, Ministry of Education Beijing, China
Minghui Zhou
School of Computer Science, Peking University Key Laboratory of High Confidence Software Technologies, Ministry of Education Beijing, China