I've spent the last decade thinking about package management. I build Ecosyste.ms, the largest open dataset of open source metadata, tracking packages, repositories, and dependencies across ecosystems. I've worked at GitHub and Tidelift, and contributed to working groups at Alpha-Omega, OpenSSF, CycloneDX, and CHAOSS. More about me.
I'm available for consulting on package management, software supply chain security, and open source infrastructure. Learn more.
Projects
Ecosyste.ms
Tools and open datasets to support OSS.
Libraries.io
The Open source Discovery Service.
Manifest Podcast
A podcast all about package management.
node-sass
Node.js bindings to libsass (1.3B downloads)
Octobox
Take back control of your GitHub notifications.
24 Pull Requests
Giving back to open source for the holidays.Recent Posts
-
Incident Report: CVE-2024-YIKES
A series of unfortunate events.
-
Will AI Make Package Managers Redundant?
Following the prompt registry idea to its logical conclusion.
-
Zig and the M×N Supply Chain Problem
Zig's long road to supply chain security.
-
The Dependency Layer in Digital Sovereignty
Where package management fits in the digital sovereignty discussion.
-
The C-Shaped Hole in Package Management
System package managers and language package managers are solving different problems that happen to overlap in the middle.
-
Introducing Package Chaos Monkey
Resilience engineering for your software supply chain.
-
PkgFed: ActivityPub for Package Releases
Follow [email protected] from your Mastodon account
-
Rewriting git-pkgs in Go
The dependency history tool is now a single Go binary.
-
Package Management is a Wicked Problem
Why fixing package managers is harder than it looks.
-
A Protocol for Package Management
A shared vocabulary for resolution, publishing, and governance across ecosystems.
Podcast Interviews
-
The world of open source metadata with Andrew Nesbitt from ecosyste.ms
Changelog Interviews #665: Building tools and open datasets to support, sustain, and secure critical digital infrastructure
-
Ecosyste.ms with Andrew Nesbitt
Open Source Security: Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more
-
Ben Nickolls & Andrew Nesbitt on Ecosyste.ms
Sustain Episode 270: Exploring ecosyste.ms, a project using open source metadata to guide funding and support key projects
-
Package Metadata Working Group with Andrew Nesbitt and Damián Vicino
CHAOSScast Episode 121: Discussing the formation and objectives of the Package Metadata Working Group within the CHAOSS community
-
Trends from UN OSS Week and OSSNA
CHAOSScast Episode 115: Reflections on UN Open Source Week in New York and CHAOSScon North America
-
Dawn Foster & Andrew Nesbitt at State of Open Con 2023
Sustain Episode 159: Andrew talks about his history with 24 Pull Requests, Libraries.io, and Ecosyste.ms
-
Untangle your GitHub notifications with Octobox
Changelog Interviews #327: How Octobox came to be and why open source maintainers love it
-
24 Pull Requests and Libraries.io
Changelog Interviews #188: A special doubleheader holiday show discussing 24 Pull Requests and Libraries.io
-
Measuring Success in Open Source
Request For Commits #3: Open source metrics and how to interpret data around dependencies and usage
-
Episode 22: Andrew Nesbitt
Bet On Yourself: Creator of Libraries.io, Dependency CI and 24 Pull Requests on solving discoverability and sustainability in open source
Presentations
-
Ecosyste.ms: Exploring Open Source Software Landscapes
Presented at EasyBuild User Meeting in 2025
-
Can my friends come too?
Presented at Brighton Ruby in 2017
-
Elasticsearch on Rails
Presented at South-West Elastic Community Meetup in 2015
-
Robotics 101
Presented at Hackference in 2014
-
Learning how to Tinker
Presented at HybridConf in 2014
-
The Rise of JavaScript Hardware Hacking
Presented at jQuery UK in 2014
-
JavaScript in the Real World
Presented at Full Frontal in 2013
-
The Future of Nodecopter
Presented at LXJS in 2013
-
Turbo Charging your workflow with Node.js
Presented at Webshaped in 2013
-
The Meetup Organisers Field Guide
Presented at Bristol IT Mega Meet in 2013
Videos
-
Panel Discussion: The Impact of Funding
With Georg Link, Dawn Foster & Alyssa Wright at OSS Summit NA 2025
-
Open source funding: you're doing it wrong
With Benjamin Nickolls at FOSDEM 2025
-
Content Addressed Package Management
Presented in 2021
-
Republishing npm dependencies to IPFS as a micro-registry
Presented in 2019
-
With a Little Help from My Friends
Presented at Bath Ruby in 2018
-
Can my friends come too?
Presented at Brighton Ruby in 2017
-
The Rise of JavaScript Hardware Hacking
Presented at jQuery UK in 2014
-
JavaScript in the Real World
Recorded at Full Frontal in 2013
-
The Future of Nodecopter
Recorded at LXJS in 2013
-
Nodecopter
Recorded at Over the Air in 2013