Open Source Activity in 2025

It’s been a busy year for me working full time on open source software. Here’s the stats breakdown: 9,485 contributions, 8,893 commits, 127 pull requests (117 merged), 101 issues opened, 336 PR reviews, and 53 new repositories.

I co-founded the Package Metadata Working Group within CHAOSS and continued working with Tobias Augspurger on Open Sustainable Technology, reviewing hundreds of his pull requests to curate open source projects for climate and sustainability.

ecosyste.ms gained 26 new repositories this year, including:

• dashboards - the main interface for exploring data across package ecosystems
• science - classifies open source scientific software projects
• oss-taxonomy - a structured way to categorize open source projects
• dependabot - indexes Dependabot pull requests across GitHub
• critical - database of the most critical open source packages
• mcp - Model Context Protocol server for querying package metadata
• octorule - enforce GitHub repository settings across your organization
• nexus - Maven repository indexer service
• governance - covering all aspects of governance of the ecosyste.ms project
• conditional-rate-limit.lua - Apache APISIX plugin for three-tier rate limiting
• docs - documentation website for Ecosyste.ms APIs

We also built out package manager documentation:

• package-manager-resolvers - dependency resolution algorithms
• package-manager-archives - archive formats
• package-manager-commands - cross-reference of CLI commands
• package-manager-openapi-schemas - OpenAPI specs for registry APIs
• package-manager-manifest-examples - manifest and lockfile examples
• package-managers-opml - RSS/Atom feeds for package manager releases
• package-manager-hooks - lifecycle hooks across different package managers
• typosquatting-dataset - known typosquats from security research

On the supply chain side:

• typosquatting - detect potential typosquat packages across ecosystems
• sbom - parse and generate Software Bills of Materials
• zizmor-research - analysis of 31,916 GitHub Actions for security issues
• guarddog and oss-rebuild - forks for malicious package detection and build attestation
• purl - Package URLs
• vers - VERS version comparison spec
• swhid - Software Heritage identifiers

And quite a few Ruby other general purpose gems:

• sidekiq-mcp - expose Sidekiq queues via Model Context Protocol
• hanami-sprockets - asset pipeline for Hanami without npm
• grass-ruby - Rust-based grass Sass compiler wrapper
• go-bundler - Go-style imports for Ruby (clever or cursed, depending on your perspective)
• changelog-parser - extract structured data from CHANGELOG files
• jekyll-stats - site statistics, which I wrote to analyze this blog

I gave a talk at CHAOSScon North America on the state of open source funding, using data from ecosyste.ms. The slides and data are on GitHub.

I also appeared on a few podcasts:

• The Changelog #665 - open source metadata and the “15,000 people who run the world”
• Open Source Security - cataloging open source and identifying critical packages
• Sustain #270 - ecosyste.ms and Open Source Collective collaboration on funding allocation
• CHAOSScast #121 - the Package Metadata Working Group

In December I started writing more regularly on this blog, 34 posts and 46,654 words, mostly about package management. The blog received over 1 million views this month. The posts that found the biggest audiences:

• How uv Got So Fast
• Package Managers Keep Using Git as a Database
• GitHub Actions Has a Package Manager
• Could Lockfiles Just Be SBOMs?
• How to Ruin All of Package Management

If you’ve found any of this work useful and want to support more of it, I’m on GitHub Sponsors.