Comment by 27theo

It doesn't need them, it parses SBOMs and manifests from their ecosystems. I think you misunderstood this section of the README.

> Dependencies | SBOM / manifest parsing across npm, PyPI, Maven, Go, Ruby; flags unpinned, shadow, or non-registry deps.

The project seems like it only requires Python >= 3.9!