Organizations cannot identify which dependencies they use
2. **Unpinned dependencies** -- Using version ranges instead of exact versions or hashes
3. **Stale dependencies** -- Running versions with known, patched vulnerabilities
4. **Overly permissive CI/CD** -- Pipeline tokens with excessive permis