Open Source Components

A beautiful Finnish sunset over a body of water.
Open-Source Software Inventory — Avrea

Open-Source Software Inventory

Last updated: 2026-04-14

Bundled Upstream Projects (pkgs/)

ProjectLanguageLicense (SPDX)Notes
cloud-hypervisor Rust Apache-2.0 BSD-3-Clause VMM; CC-BY-4.0 for docs
vector Rust MPL-2.0 Observability data pipeline
otelcol-contrib Go Apache-2.0 OpenTelemetry Collector contrib
bazel-remote Go Apache-2.0 Remote build cache server
turbo-cache-server Rust/JS MIT Turborepo remote cache
pybase64 Python/C BSD-2-Clause Base64 encoding (RPM wrapper)
turbopuffer-python Python MIT Vector DB client (RPM wrapper)
avrea-compliance LicenseRef-Proprietary Internal, not OSS

Container Base Images

ImageLicense (SPDX)Used by
golang:1.24-alpine BSD-3-Clause packages-cache, git-s3-proxy
golang:1.26-alpine BSD-3-Clause build-cache-proxy, gha-cache-proxy
alpine:3.21 MIT All Go services (runtime stage)
quay.io/fedora/fedora:43 MIT control, gcs-proxy

Python Dependencies

control (API / executor / billing)

PackageLicense (SPDX)Purpose
fastapiMITWeb framework
uvicornBSD-3-ClauseASGI server
pydanticMITData validation
pydantic-settingsMITConfiguration
httpxBSD-3-ClauseAsync HTTP client
aiohttpApache-2.0 MITAsync HTTP (MIT for vendored llhttp)
psycopgLGPL-3.0-onlyPostgreSQL driver
psycopg-poolLGPL-3.0-onlyConnection pooling
sqlidecarLicenseRef-ProprietarySQL tooling (internal)
jinja2BSD-3-ClauseTemplating
cryptographyApache-2.0 OR BSD-3-ClauseCrypto primitives
bcryptApache-2.0Password hashing
pyjwtMITJWT tokens
paramikoLGPL-2.1SSH client
websocketsBSD-3-ClauseWebSocket support
google-authApache-2.0GCP authentication
google-auth-oauthlibApache-2.0GCP OAuth
google-cloud-computeApache-2.0GCP Compute API
google-cloud-secret-managerApache-2.0GCP Secrets
google-cloud-storageApache-2.0GCP Storage
boto3Apache-2.0AWS SDK
valkeyMITValkey/Redis client
cachetoolsMITIn-memory caching
aiocacheBSD-3-ClauseAsync caching
slowapiMITRate limiting
sendgridMITEmail
twilioMITSMS
stripeMITPayments
turbopufferMITVector DB
sentry-sdkMITError tracking
opentelemetry-apiApache-2.0Observability
opentelemetry-sdkApache-2.0Observability
opentelemetry-exporter-otlp-proto-grpcApache-2.0OTel export
opentelemetry-instrumentation-fastapiApache-2.0OTel instrumentation
promql-parserMITPromQL parsing
weasyprintBSD-3-ClausePDF generation
pyyamlMITYAML parsing
coloramaBSD-3-ClauseTerminal colors
platformdirsMITPlatform directories
asgi-correlation-idMITRequest correlation
watchfilesMITFile watching
aiofilesApache-2.0Async file I/O

gcs-proxy

PackageLicense (SPDX)Purpose
fastapiMITWeb framework
uvicornBSD-3-ClauseASGI server
google-cloud-storageApache-2.0GCP Storage
httpxBSD-3-ClauseHTTP client

smithy (Fedora agent)

PackageLicense (SPDX)Purpose
aiohttpApache-2.0 MITAsync HTTP
paramikoLGPL-2.1SSH
pynaclApache-2.0Crypto
psutilBSD-3-ClauseSystem metrics
pydanticMITValidation
pyyamlMITYAML
websocketsBSD-3-ClauseWebSocket
fastapiMITWeb framework
hypercornMITASGI server
turbopufferMITVector DB
sentry-sdkMITError tracking
urllib3MITHTTP

smithy (macOS agent)

Same as Fedora smithy, plus:

PackageLicense (SPDX)Purpose
pyinstallerGPL-2.0-or-later WITH Bootloader-ExceptionApp bundling (build tool only)

create-installation-media

PackageLicense (SPDX)Purpose
asyncsshEPL-2.0Async SSH
clickBSD-3-ClauseCLI framework
coloramaBSD-3-ClauseTerminal colors

avr-cli

PackageLicense (SPDX)Purpose
clickBSD-3-ClauseCLI framework
httpxBSD-3-ClauseHTTP client
platformdirsMITPlatform dirs
prettytableBSD-3-ClauseTable formatting
pydanticMITValidation
typing-extensionsPSF-2.0Type backports

cli (avr-admin)

PackageLicense (SPDX)Purpose
psycopgLGPL-3.0-onlyPostgreSQL
bcryptApache-2.0Hashing
cryptographyApache-2.0 OR BSD-3-ClauseCrypto
google-cloud-runApache-2.0GCP Cloud Run
google-cloud-storageApache-2.0GCP Storage
pyjwtMITJWT
paramikoLGPL-2.1SSH

Go Dependencies

Direct dependencies (across all first-party services)

PackageLicense (SPDX)Used by
github.com/aws/aws-sdk-go-v2Apache-2.0build-cache-proxy, gha-cache-proxy, git-s3-proxy, packages-cache
github.com/aws/smithy-goApache-2.0(transitive)
github.com/google/uuidBSD-3-Clausebuild-cache-proxy, gha-cache-proxy, git-s3-proxy
github.com/klauspost/compressBSD-3-Clausebuild-cache-proxy
github.com/bradfitz/go-tool-cacheBSD-3-Clausebuild-cache-proxy
github.com/golang-jwt/jwt/v5MITshared, git-s3-proxy
github.com/dgraph-io/ristretto/v2Apache-2.0packages-cache
github.com/coder/websocketISCgha-cache-proxy
github.com/swaggo/swagMIToci-proxy
github.com/go-openapi/*Apache-2.0oci-proxy (transitive)
github.com/stretchr/testifyMIToci-proxy (transitive)
google.golang.org/grpcApache-2.0build-cache-proxy
google.golang.org/protobufBSD-3-Clausebuild-cache-proxy
go.opentelemetry.io/otelApache-2.0build-cache-proxy (transitive)
gopkg.in/yaml.v3MIT Apache-2.0build-cache-proxy, gha-cache-proxy, packages-cache, oci-proxy

Go standard extended (golang.org/x/*)

PackageLicense (SPDX)
golang.org/x/syncBSD-3-Clause
golang.org/x/netBSD-3-Clause
golang.org/x/timeBSD-3-Clause
golang.org/x/modBSD-3-Clause
golang.org/x/toolsBSD-3-Clause
golang.org/x/sysBSD-3-Clause
golang.org/x/textBSD-3-Clause

Other indirect Go dependencies

PackageLicense (SPDX)
github.com/cespare/xxhash/v2MIT
github.com/dustin/go-humanizeMIT
github.com/KyleBanks/depthMIT

JavaScript / TypeScript Dependencies (console)

Runtime

PackageLicense (SPDX)Purpose
reactMITUI framework
react-domMITDOM rendering
wouterUnlicenseRouting
tailwindcssMITCSS framework
@tailwindcss/viteMITVite integration
tailwind-mergeMITClass merging
@radix-ui/react-dialogMITDialog primitive
@radix-ui/react-dropdown-menuMITDropdown primitive
@radix-ui/react-slotMITSlot primitive
@radix-ui/react-tooltipMITTooltip primitive
@base-ui/reactMITUI components
radix-uiMITUI components
lucide-reactISCIcons
@tanstack/react-tableMITData tables
react-hook-formMITForms
zodMITSchema validation
nuqsMITURL query state
rechartsMITCharts
d3ISCData visualization
@types/d3MITD3 type definitions
motionMITAnimation
vaulMITDrawer component
react-day-pickerMITDate picker
react-async-hookMITAsync hooks
date-fnsMITDate utilities
luxonMITDate/time library
lodashMITUtility library
clsxMITClass concatenation
class-variance-authorityApache-2.0Class variants
@sentry/reactMITError tracking
@stripe/react-stripe-jsMITStripe React bindings
@stripe/stripe-jsMITStripe JS SDK
@fontsource/sorts-mill-goudyOFL-1.1Font
free-email-domains-listMITEmail validation

Dev / Build

PackageLicense (SPDX)Purpose
viteMITBuild tool
typescriptApache-2.0Type checking
@vitejs/plugin-reactMITReact plugin
babel-plugin-react-compilerMITReact compiler
@biomejs/biomeMIT OR Apache-2.0Linter/formatter
vitestMITTest runner
@testing-library/reactMITTest utilities
storybookMITComponent dev
@storybook/react-viteMITStorybook Vite integration
jsdomMITDOM emulation
knipISCDead code detection
sharpApache-2.0Image processing
blurhashMITImage placeholders
tw-animate-cssMITAnimations
vite-nodeMITVite scripting
vite-plugin-checkerMITBuild-time type checking
@types/lodashMITLodash types
@types/luxonMITLuxon types
@types/nodeMITNode.js types
@types/reactMITReact types
@types/react-domMITReact DOM types

Dev / CI Tooling

ToolLicense (SPDX)Purpose
uvMIT OR Apache-2.0Python package manager
ruffMITPython linter/formatter
tyMITPython type checker
pytestMITPython test framework
pytest-asyncioApache-2.0Async test support
pytest-covMITCoverage plugin
pytest-httpxMITHTTPX test mocking
pytest-xdistMITParallel test execution
ipythonBSD-3-ClauseInteractive Python
golangci-lintGPL-3.0-onlyGo linter
bunMITJS runtime/bundler
OpenTofuMPL-2.0Infrastructure as code

GitHub Actions

ActionLicense (SPDX)
actions/checkoutMIT
actions/setup-pythonMIT
actions/setup-goMIT
actions/upload-artifactMIT
actions/download-artifactMIT
google-github-actions/authApache-2.0
astral-sh/setup-uvMIT
oven-sh/setup-bunMIT
opentofu/setup-opentofuApache-2.0
golangci/golangci-lint-actionMIT
anchore/sbom-actionApache-2.0
anchore/scan-actionApache-2.0

License Summary

~75 MIT
~30 Apache-2.0
~25 BSD-3-Clause
4 ISC
LicenseCount
MIT~75
Apache-2.0~30
BSD-3-Clause~25
ISC4
LGPL-3.0-only2 (psycopg, psycopg-pool)
LGPL-2.11 (paramiko)
MPL-2.02 (vector, OpenTofu)
GPL-2.0-or-later WITH Bootloader-Exception1 (pyinstaller, build tool only)
GPL-3.0-only1 (golangci-lint, build tool only)
EPL-2.01 (asyncssh)
BSD-2-Clause1 (pybase64)
OFL-1.11 (font)
PSF-2.01 (typing-extensions)
Unlicense1 (wouter)
LicenseRef-Proprietary2 (sqlidecar, avrea-compliance)

Copyleft Notices

The following dependencies use copyleft licenses and may carry distribution obligations:

  • psycopg / psycopg-pool LGPL-3.0-only — dynamically linked via Python import; LGPL allows use without source disclosure for the consuming application when dynamically linked.
  • paramiko LGPL-2.1 — same dynamic linking treatment as psycopg.
  • vector MPL-2.0 — file-level copyleft; modifications to MPL-licensed files must be shared, but proprietary code in separate files is permitted.
  • OpenTofu MPL-2.0 — IaC tool, not distributed with the application.
  • golangci-lint GPL-3.0-only — dev/CI tool only, not distributed.
  • pyinstaller GPL-2.0-or-later WITH Bootloader-Exception — build tool; bootloader exception permits distribution of bundled apps without GPL obligations on app code.
  • asyncssh EPL-2.0 — weak copyleft similar to LGPL; modifications to EPL-licensed code must be shared, but does not propagate to the consuming application.

Your next build can already be a fast one.

Start shipping with Avrea.

Try it for free
Talk to an engineer
Go to home page
© 2026 Avrea Ltd
  • iso certification
avrea capybara walking in a fieldavrea capybara walking in a fieldavrea capybara walking in a field