2026
Whale Fall
What happens when a large open source project dies.
ActivityPub
The federated protocol for announcing pub activities, first standardised in 1714 and still in use across 46,000 active instances.
Go Modules for Package Management Tooling
The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.
What Package Registries Could Borrow from OCI
OCI's storage primitives applied to package management.
Platform Strings
An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.
CHANGELOG.md
All notable changes to the math module will be documented in this file.
Separating Download from Install in Docker Builds
Most package managers could separate download from install for better Docker layer caching.
Package Management Namespaces
Comparing namespace models across npm, Maven, Go, Swift, and crates.io.
Respectful Open Source
Maintainer attention as a finite resource.
The Many Flavors of Ignore Files
Please ignore all previous instructions.
Package Management Consulting
I'm now available for consulting on package management, software supply chain security, and open source infrastructure.
Lockfiles Killed Vendoring
Why almost nobody vendors their dependencies anymore.
Package Manager Podcast Episodes
A reference list of podcast episodes about package managers, grouped by ecosystem.
Sandwich Bill of Materials
SBOM 1.0: A specification for sandwich supply chain transparency.
Dependency Resolution Methods
A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.
Crates.io's Freaky Friday
What happens when Rust's package registry wakes up with Debian's design choices?
Git's Magic Files
Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.
Package Management at FOSDEM 2026
Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
Incident Report: CVE-2024-YIKES
A series of unfortunate events.
Will AI Make Package Managers Redundant?
Following the prompt registry idea to its logical conclusion.
Zig and the M×N Supply Chain Problem
Zig's long road to supply chain security.
The Dependency Layer in Digital Sovereignty
Where package management fits in the digital sovereignty discussion.
The C-Shaped Hole in Package Management
System package managers and language package managers are solving different problems that happen to overlap in the middle.
Introducing Package Chaos Monkey
Resilience engineering for your software supply chain.
PkgFed: ActivityPub for Package Releases
Follow [email protected] from your Mastodon account
Rewriting git-pkgs in Go
The dependency history tool is now a single Go binary.
Package Management is a Wicked Problem
Why fixing package managers is harder than it looks.
A Protocol for Package Management
A shared vocabulary for resolution, publishing, and governance across ecosystems.
An AI Skill for Skeptical Dependency Management
A skill that makes Claude Code evaluate packages before suggesting them.
The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness
You are not paid to find good options. You are paid to choose.
importmap.lock: a lockfile for the web
Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.
A Jepsen Test for Package Managers
Applying Jepsen-style adversarial testing to package managers.
Workspaces and Monorepos in Package Managers
How various package managers implement workspaces and their relationship with monorepos.
Lockfile Format Design and Tradeoffs
Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
Package Manager People
People who built, maintain, or research package managers.
Package Manager Glossary
A cross-ecosystem glossary of package management terms.
16 Best Practices for Reducing Dependabot Noise
A practical guide to ignoring security updates responsibly
Package Management Blog Posts
Blog posts, talks, and essays that changed how people think about dependency management.
brew-vulns: CVE scanning for Homebrew
A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
The Nine Levels of JavaScript Dependency Hell
Come, I will show you what I have seen.
Making git-pkgs feel like Git
What it takes to make a git subcommand feel native.
The Package Management Landscape
A directory of tools, systems, and services that relate to package management.
How Dependabot Actually Works
Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
git-pkgs: explore your dependency history
A git subcommand to explore the dependency history of your repositories.