I've spent the last decade thinking about package management and git. I build Ecosyste.ms, the largest open dataset of open source metadata, tracking packages, repositories, and dependencies across ecosystems. I've worked at GitHub and Tidelift, and contributed to working groups at Alpha-Omega, OpenSSF, CycloneDX, and CHAOSS. More about me.
I'm available for consulting on package management, software supply chain security, and open source infrastructure. Learn more.
Recent Posts
- proxy: A lightweight multi-ecosystem caching package proxy
- Madame Semver Will See You Now: The cards do not lie.
- The Mismeasure of Open Source: The streetlight effect in project-health scoring
- Weekend at Bernie's: Which of your dependencies are wearing sunglasses
- Free as in Tribbles: The next metaphor after free-as-in-puppy
- Revisiting the 2015 Open Source Census: The riskiest projects in open source, scored a decade early
- Package Manager Threat Models: The non-CVE half of package manager security
- Package Manager CWEs: Recurring weakness classes in package managers
- A GitHub for maintainers: Giving dependencies the same treatment the fork got
- Patching and forking in package managers: What to do when upstream ghosts you
Projects
- Ecosyste.ms: Tools and open datasets to support OSS.
- Libraries.io: The Open Source Discovery Service.
- Manifest Podcast: A podcast all about package management.
- node-sass: Node.js bindings to libsass (1.3B downloads)
- Octobox: Take back control of your GitHub notifications.
- 24 Pull Requests: Giving back to open source for the holidays.
Podcast Interviews
- The world of open source metadata with Andrew Nesbitt from ecosyste.ms: Changelog Interviews #665: Building tools and open datasets to support, sustain, and secure critical digital infrastructure
- Ecosyste.ms with Andrew Nesbitt: Open Source Security: Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more
- Ben Nickolls & Andrew Nesbitt on Ecosyste.ms: Sustain Episode 270: Exploring ecosyste.ms, a project using open source metadata to guide funding and support key projects
- Package Metadata Working Group with Andrew Nesbitt and Damián Vicino: CHAOSScast Episode 121: Discussing the formation and objectives of the Package Metadata Working Group within the CHAOSS community
- Trends from UN OSS Week and OSSNA: CHAOSScast Episode 115: Reflections on UN Open Source Week in New York and CHAOSScon North America
- Dawn Foster & Andrew Nesbitt at State of Open Con 2023: Sustain Episode 159: Andrew talks about his history with 24 Pull Requests, Libraries.io, and Ecosyste.ms
- Untangle your GitHub notifications with Octobox: Changelog Interviews #327: How Octobox came to be and why open source maintainers love it
- 24 Pull Requests and Libraries.io: Changelog Interviews #188: A special doubleheader holiday show discussing 24 Pull Requests and Libraries.io
- Measuring Success in Open Source: Request For Commits #3: Open source metrics and how to interpret data around dependencies and usage
- Episode 22: Andrew Nesbitt: Bet On Yourself: Creator of Libraries.io, Dependency CI and 24 Pull Requests on solving discoverability and sustainability in open source
Presentations
- Ecosyste.ms: Exploring Open Source Software Landscapes (presented at EasyBuild User Meeting in 2025)
- Can my friends come too? (presented at Brighton Ruby in 2017)
- Elasticsearch on Rails (presented at South-West Elastic Community Meetup in 2015)
- Robotics 101 (presented at Hackference in 2014)
- Learning how to Tinker (presented at HybridConf in 2014)
- The Rise of JavaScript Hardware Hacking (presented at jQuery UK in 2014)
- JavaScript in the Real World (presented at Full Frontal in 2013)
- The Future of Nodecopter (presented at LXJS in 2013)
- Turbo Charging your workflow with Node.js (presented at Webshaped in 2013)
- The Meetup Organisers Field Guide (presented at Bristol IT Mega Meet in 2013)
Videos
- Panel Discussion: The Impact of Funding (with Georg Link, Dawn Foster & Alyssa Wright at OSS Summit NA 2025)
- Open source funding: you're doing it wrong (with Benjamin Nickolls at FOSDEM 2025)
- Content Addressed Package Management (presented in 2021)
- Republishing npm dependencies to IPFS as a micro-registry (presented in 2019)
- With a Little Help from My Friends (presented at Bath Ruby in 2018)
- Can my friends come too? (presented at Brighton Ruby in 2017)
- The Rise of JavaScript Hardware Hacking (presented at jQuery UK in 2014)
- JavaScript in the Real World (recorded at Full Frontal in 2013)
- The Future of Nodecopter (recorded at LXJS in 2013)
- Nodecopter (recorded at Over the Air in 2013)