2026

All posts

Who Built This?

Tracing a dependency back to its source commit.

The Cathedral and the Catacombs

Stretching a metaphor deep into the floor.

What does Open Source mean?

A stack of incompatible expectations.

Package Manager Easter Eggs

A tour of the easter eggs hiding inside package managers.

npm's Defaults Are Bad

The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.

Git Diff Drivers

What git's diff drivers can do, from built-in language support to custom textconv filters.

The Roles of Packages

Applying Sajaniemi's roles of variables to packages across every kind of package manager.

The Top 10 Biggest Conspiracies in Open Source

I'm not connecting these dots. I'm just pointing out that the dots are there.

How to Attract AI Bots to Your Open Source Project

A practical guide to getting the engagement your project deserves.

Package Manager Mirroring

Every mirroring tool I could find, and the protocols underneath them.

The Fragmented World of Dependency Policy

Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.

Git Remote Helpers

Git can talk to anything if you write the right helper.

Guided Meditation for Developers

A practice for finding peace in your dependency tree.

What's Going On with FAIR Package Manager

Federated FAIR pivots from WordPress to TYPO3.

Forge

A unified CLI for GitHub, GitLab, Gitea, Forgejo, and Bitbucket.

Reviewing ENISA's Package Manager Advisory

Notes on ENISA's Technical Advisory for Secure Use of Package Managers.

git-pkgs/actions

How to add git-pkgs to your GitHub Actions workflows.

Just Use Postgres

Taking 'just use Postgres' to its logical endpoint: git push to deploy into a single Postgres process.

100 Posts

This is post number 100.

If It Quacks Like a Package Manager

Some tools waddle like package managers without learning to swim.

Announcing New Working Groups

The Open Source Foundations Consortium announces seven new working groups.

.gitlocal

Git Should Let Files Ignore Themselves

Package Manager Magic Files

Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.

Package Managers Need to Cool Down

A survey of dependency cooldown support across package managers and update tools.

Package Management is Naming All the Way Down

There are two hard problems in computer science, and package managers found at least eight of them.

Transitive Trust

You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?

Downstream Testing

Most library maintainers have no way to test against their dependents before releasing.

npm Data Subject Access Request

A response to a GDPR data subject access request.

xkcd 2347

An interactive version of the dependency comic.

Git in Postgres

Instead of using git as a database, what if you used a database as a git?

Two Kinds of Attestation

The oldest problem in computer science, but with toasters.

Reproducible Builds in Language Package Managers

Verifying that a published package was actually built from the source it claims.

Where Do Specifications Fit in the Dependency Tree?

RFC 9110 is a phantom dependency with thousands of transitive dependents.

Forge-Specific Repository Folders

Magic folders in git forges: what .github/, .gitlab/, .gitea/, .forgejo/ and .bitbucket/ do.

Whale Fall

What happens when a large open source project dies.

ActivityPub

The federated protocol for announcing pub activities, first standardised in 1714 and still in use across 46,000 active instances.

Go Modules for Package Management Tooling

The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.

What Package Registries Could Borrow from OCI

OCI's storage primitives applied to package management.

Platform Strings

An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.

CHANGELOG.md

All notable changes to the math module will be documented in this file.

Separating Download from Install in Docker Builds

Most package managers could separate download from install for better Docker layer caching.

Package Management Namespaces

Comparing namespace models across npm, Maven, Go, Swift, and crates.io.

Respectful Open Source

Maintainer attention as a finite resource.

The Many Flavors of Ignore Files

Please ignore all previous instructions.

Package Management Consulting

I'm now available for consulting on package management, software supply chain security, and open source infrastructure.

Lockfiles Killed Vendoring

Why almost nobody vendors their dependencies anymore.

Package Manager Podcast Episodes

A reference list of podcast episodes about package managers, grouped by ecosystem.

Sandwich Bill of Materials

SBOM 1.0: A specification for sandwich supply chain transparency.

Dependency Resolution Methods

A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.

Crates.io's Freaky Friday

What happens when Rust's package registry wakes up with Debian's design choices?

Git's Magic Files

Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.

Package Management at FOSDEM 2026

Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.

Incident Report: CVE-2024-YIKES

A series of unfortunate events.

Will AI Make Package Managers Redundant?

Following the prompt registry idea to its logical conclusion.

Zig and the M×N Supply Chain Problem

Zig's long road to supply chain security.

The Dependency Layer in Digital Sovereignty

Where package management fits in the digital sovereignty discussion.

The C-Shaped Hole in Package Management

System package managers and language package managers are solving different problems that happen to overlap in the middle.

Introducing Package Chaos Monkey

Resilience engineering for your software supply chain.

PkgFed: ActivityPub for Package Releases

Follow [email protected] from your Mastodon account

Rewriting git-pkgs in Go

The dependency history tool is now a single Go binary.

Package Management is a Wicked Problem

Why fixing package managers is harder than it looks.

A Protocol for Package Management

A shared vocabulary for resolution, publishing, and governance across ecosystems.

An AI Skill for Skeptical Dependency Management

A skill that makes Claude Code evaluate packages before suggesting them.

The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness

You are not paid to find good options. You are paid to choose.

importmap.lock: a lockfile for the web

Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.

A Jepsen Test for Package Managers

Applying Jepsen-style adversarial testing to package managers.

Workspaces and Monorepos in Package Managers

How various package managers implement workspaces and their relationship with monorepos.

Lockfile Format Design and Tradeoffs

Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.

Package Manager People

People who built, maintain, or research package managers.

Package Manager Glossary

A cross-ecosystem glossary of package management terms.

16 Best Practices for Reducing Dependabot Noise

A practical guide to ignoring security updates responsibly.

Package Management Blog Posts

Blog posts, talks, and essays that changed how people think about dependency management.

brew-vulns: CVE scanning for Homebrew

A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.

The Nine Levels of JavaScript Dependency Hell

Come, I will show you what I have seen.

Making git-pkgs feel like Git

What it takes to make a git subcommand feel native.

The Package Management Landscape

A directory of tools, systems, and services that relate to package management.

How Dependabot Actually Works

Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives.

git-pkgs: explore your dependency history

A git subcommand to explore the dependency history of your repositories.