January 2026

All posts

Will AI Make Package Managers Redundant?

Following the prompt registry idea to its logical conclusion.

Zig and the M×N Supply Chain Problem

Zig's long road to supply chain security.

The Dependency Layer in Digital Sovereignty

Where package management fits in the digital sovereignty discussion.

The C-Shaped Hole in Package Management

System package managers and language package managers are solving different problems that happen to overlap in the middle.

Introducing Package Chaos Monkey

Resilience engineering for your software supply chain.

PkgFed: ActivityPub for Package Releases

Follow [email protected] from your Mastodon account

Rewriting git-pkgs in Go

The dependency history tool is now a single Go binary.

Package Management is a Wicked Problem

Why fixing package managers is harder than it looks.

A Protocol for Package Management

A shared vocabulary for resolution, publishing, and governance across ecosystems.

An AI Skill for Skeptical Dependency Management

A skill that makes Claude Code evaluate packages before suggesting them.

The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness

You are not paid to find good options. You are paid to choose.

importmap.lock: a lockfile for the web

Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.

A Jepsen Test for Package Managers

Applying Jepsen-style adversarial testing to package managers.

Workspaces and Monorepos in Package Managers

How various package managers implement workspaces and their relationship with monorepos.

Lockfile Format Design and Tradeoffs

Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.

Package Manager People

People who built, maintain, or research package managers.

Package Manager Glossary

A cross-ecosystem glossary of package management terms.

16 Best Practices for Reducing Dependabot Noise

A practical guide to ignoring security updates responsibly.

Package Management Blog Posts

Blog posts, talks, and essays that changed how people think about dependency management.

brew-vulns: CVE scanning for Homebrew

A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.

The Nine Levels of JavaScript Dependency Hell

Come, I will show you what I have seen.

Making git-pkgs feel like Git

What it takes to make a git subcommand feel native.

The Package Management Landscape

A directory of tools, systems, and services that relate to package management.

How Dependabot Actually Works

Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives.

git-pkgs: explore your dependency history

A git subcommand to explore the dependency history of your repositories.