Software Bill of Materials
The Manifest.toml file from Julia's package manager specifies the full graph of package dependencies, and serves as a Software Bill of Materials (SBOM).
Manifest.toml and Package Dependencies
Comprehensive Dependency Tracking
The Manifest.toml file records the entire dependency graph of a Julia project. This includes not only the direct dependencies listed in Project.toml, but also all indirect (transitive) dependencies, along with their exact versions, unique identifiers (UUIDs), source URLs, git revisions, and other metadata.
Reproducibility
By storing the precise state of every package in the environment, Manifest.toml enables any user to recreate the exact same environment using Julia's package manager. This is achieved with the Pkg.instantiate command, which reads both Project.toml and Manifest.toml to install the specific versions of all required packages.
Immutable Record
The manifest is automatically generated and maintained by Julia’s package manager and should not be edited manually. It ensures that the environment remains consistent and reproducible across different machines and over time.
Manifest.toml as a Software Bill of Materials (SBOM)
Full Traceability
The manifest includes detailed information for each dependency, such as:
- Package name and UUID
- Version number
- Source path or repository URL
- Git revision (branch or commit)
- Content hash of the source tree
SBOM Utility
Because it provides a complete, machine-readable list of all software components (including their provenance and versions), the manifest naturally serves as a Software Bill of Materials. This allows for:
- Security auditing
- License compliance checks
- Supply chain transparency
- Reproducibility and traceability of the software environment
Example Manifest Entry
This entry provides all necessary details for identifying, verifying, and sourcing a dependency.

```toml
[[deps.Example]]
uuid = "7876af07-990d-54b4-ab0e-23690620f79a"
version = "1.2.4"
path = "/home/user/.julia/dev/Example/"
repo-url = "https://github.com/JuliaLang/Example.jl.git"
repo-rev = "master"
git-tree-sha1 = "ca3820cc4e66f473467d912c4b2b3ae5dc968444"
```
Comparison: Project.toml vs Manifest.toml
| File | Purpose | Contents |
|---|---|---|
| Project.toml | Declares direct dependencies and constraints | Direct dependencies, version bounds |
| Manifest.toml | Records the full, resolved dependency graph (SBOM) | All dependencies (direct & indirect), exact versions, source info, UUIDs, etc. |