A directory of tools, libraries, registries, and standards across package management. I put this together partly as a reference, partly to track which areas I’ve covered in other posts.
Contents: Language package managers · System package managers · Frontends · Editor plugins · Universal tools · Resolution libraries · Manifest parsing · Registry software · Enterprise tools · Security tools · Metadata platforms · SBOM tools · Trusted publishing · Monorepo tools · Build tools · Research · Standards
Language package managers
Each programming language ecosystem has at least one package manager, often several. The categorizing clients post covers their resolution algorithms, lockfile strategies, and manifest formats in detail.
JavaScript/TypeScript: npm, Yarn, pnpm, Bun, Deno, jsr.io, Corepack, jspm
Python: pip, Poetry, uv, pdm, pipenv, Hatch, Conda, Mamba, Pixi
Rust: Cargo
Go: Go modules
Java/JVM: Maven, Gradle, sbt, Leiningen, Ivy, Coursier
PHP: Composer
Swift/Objective-C: Swift Package Manager, CocoaPods, Carthage
Dart: pub
Julia: Pkg
Lua: LuaRocks
Elm: elm-package
Racket: raco pkg
Zig: Zig package manager
C/C++: Conan, vcpkg, Hunter, CPM.cmake, Rez
Nim: Nimble
Fortran: fpm
Crystal: Shards
Ada: Alire
D: DUB
Scheme: AKKU
Janet: jpm
V: VPM
Raku: zef
Kotlin: Gradle
Mojo: Pixi
System package managers
Operating system package managers handle system-level software: libraries, applications, kernel modules. The categorizing registries post covers their architectures and governance.
Fedora/RHEL/CentOS: dnf, yum, rpm
Alpine: apk
openSUSE: zypper
Gentoo: Portage
Source Mage: Sorcery
Void: xbps
macOS: Homebrew, MacPorts, Fink
Windows: winget, Chocolatey, Scoop
OpenBSD: pkg_add
NetBSD: pkgsrc
DragonFly BSD: pkg
NixOS: nix
Solus: eopkg
Android: APK
Termux: pkg
Package manager frontends
Abstraction layers and graphical interfaces for system package managers.
Abstraction layers: PackageKit
GUI frontends: Synaptic, GNOME Software, Pamac, Octopi, Apper, Discover
Package converters: Alien, debtap
Local build integration: CheckInstall
Editor and IDE plugin managers
Editors and IDEs have their own package ecosystems for extensions and plugins.
Emacs: MELPA, GNU ELPA, package.el
Vim/Neovim: vim-plug, lazy.nvim, Packer
VSCode: Extensions Marketplace, Open VSX
Sublime Text: Package Control
JetBrains: Plugin Marketplace
Universal and cross-language tools
These tools work across language boundaries, managing runtimes, environments, or entire system configurations.
Universal Linux packages: Flatpak, Snap, AppImage
Reproducible environments: Nix, Guix, devbox, tea
Version/environment managers: asdf, mise, anyenv
Container registries: Docker Hub, GitHub Container Registry, Quay.io, Amazon ECR, Google Artifact Registry
Infrastructure packages: Terraform Registry, Ansible Galaxy, Puppet Forge, Chef Supermarket
Scientific computing: Conda, Mamba, Spack, EasyBuild, modules
Embedded/IoT: PlatformIO
Package format converters: fpm
Meta package managers: meta-package-manager
Dependency resolution libraries
Reusable libraries that solve the version constraint satisfaction problem. Package managers either use one of these or roll their own.
PubGrub: Conflict-driven solver with good error messages. Used by Dart’s pub, Poetry, uv, Hex, recent Bundler.
libsolv: SAT-based solver. Used by DNF, Zypper, Conda, Mamba.
Rattler: Rust implementation of Conda package management. Powers Pixi.
Molinillo: Backtracking resolver tuned for Ruby. Used by older Bundler, CocoaPods.
Clingo: Answer set programming solver. Used by Spack.
pip-resolver: pip’s backtracking resolver, built-in since pip 20.3.
CUDF: Common Upgradeability Description Format. Used by opam with external solvers.
resolvo: SAT solver for package management from the Mamba team.
Manifest and lockfile parsing
Libraries that read dependency files across ecosystems, used by security scanners, dependency update tools, and metadata platforms.
bibliothecary: Ruby library parsing 30+ manifest formats. Used by Libraries.io.
syft: Go library that parses manifests and lockfiles as part of SBOM generation.
osv-scalibr: Google’s extraction library for inventory discovery, vulnerability detection, and SBOM generation. Powers OSV-Scanner.
pipdeptree: Visualizes Python dependency trees.
npm-packlist: Determines which files npm will include in a package.
cargo-tree: Built into Cargo for dependency tree visualization.
packageurl: Libraries for parsing Package URLs in Python, Go, JavaScript, and other languages.
oras: OCI Registry As Storage, for pushing and pulling arbitrary content to OCI registries.
Version constraint parsers: node-semver, packaging (Python), Gem::Version (Ruby), semver (Go), semver (Rust)
Registry software
Self-hosted registries for private packages or local mirrors.
npm-compatible: Verdaccio
PyPI-compatible: devpi, Warehouse
Maven-compatible: Archiva
NuGet-compatible: NuGet.Server, BaGet
Docker-compatible: Harbor, Distribution, Dragonfly
Gem-compatible: Gemstash, geminabox
Go module proxy: Athens, goproxy
Cargo-compatible: Kellnr, Alexandrie
Helm-compatible: ChartMuseum, Harbor
Enterprise tools
Artifact repositories, fleet management, and package distribution for organizations.
Artifact repositories: JFrog Artifactory, Sonatype Nexus, GitHub Packages, GitLab Package Registry, AWS CodeArtifact, Azure Artifacts, Google Artifact Registry, Cloudsmith, Quay, Gitea Packages, Pulp
macOS fleet: Workbrew, Munki, AutoPkg, Jamf
Linux fleet: Landscape, SUSE Manager, Foreman, Spacewalk
Windows fleet: Intune, SCCM, PDQ
Security and analysis tools
Tools for scanning dependencies, detecting vulnerabilities, and keeping packages updated.
Vulnerability scanning: Snyk, Socket, Grype, Trivy, npm audit, pip-audit, bundler-audit, cargo-audit, safety, OSV-Scanner, Dependency-Check
Dependency updates: Dependabot, Renovate, Snyk, Depfu, pip-tools, OpenRewrite
Malware detection: Socket, Stacklok, GuardDog
License compliance: FOSSA, Snyk, Mend, Black Duck, FOSSology, licensee, ScanCode Toolkit, ScanCode.io, DejaCode, cargo-deny, pip-licenses, license_finder
Software composition analysis: Snyk, Sonatype, Black Duck, Veracode SCA, FOSSA
CI security: Zizmor, StepSecurity, Harden-Runner, OpenSSF Allstar
Fuzzing: OSS-Fuzz
GitHub Actions lockfiles: ghasum, gh-actions-lockfile
Metadata and discovery platforms
Services that aggregate package data across ecosystems.
Cross-ecosystem: ecosyste.ms, deps.dev, Libraries.io, Snyk Advisor, OpenSSF Scorecard, PurlDB
Ecosystem-specific: npms.io, bundlephobia, pkg-size, PyPI Stats, deps.rs
Cross-distro: Repology, pkgs.org
Dependency graphs: deps.dev, GitHub Dependency Graph, GitLab Dependency List, Sourcegraph
Advisory databases: OSV, GitHub Advisory Database, NVD, Snyk Vulnerability Database, RubySec, PyUp Safety DB, VulnerableCode
Package manager documentation: ecosyste.ms docs covering resolvers, archives, CLI commands, manifest examples, lifecycle hooks
SBOM and supply chain tools
Tools for generating and consuming Software Bills of Materials, and for supply chain security more broadly.
SBOM generators: Syft, Trivy, CycloneDX tools, SPDX tools, Tern, Bom, cdxgen, sbom-tool
SBOM management: sbomify, Dependency-Track, GUAC
SBOM libraries: Protobom
SBOM formats: CycloneDX, SPDX, SWID
SBOM quality: sbom-scorecard, sbomqs, ntia-conformance-checker
Provenance: SLSA, slsa-verifier, GitHub Artifact Attestations, Witness, Notary
Reproducible builds: Reproducible Builds, oss-rebuild, rebuilderd, diffoscope
Policy enforcement: OPA/Gatekeeper, Kyverno, ratify
Trusted publishing
Infrastructure for verifying package provenance and integrity.
Sigstore: Keyless signing infrastructure (cosign, fulcio, rekor). Used by npm, PyPI, and others for provenance. policy-controller enforces signature policies in Kubernetes.
The Update Framework (TUF): Framework for secure software update systems. Used by PyPI, RubyGems, Homebrew.
in-toto: Supply chain layout and verification. Ensures each step in the build pipeline was performed correctly.
SBOMit: Generates signed, in-toto attested SBOMs.
Go checksum database: sum.golang.org provides a transparency log for Go module checksums.
npm provenance: Links published packages to source commits and build logs via Sigstore.
PyPI Trusted Publishers: OIDC-based publishing from GitHub Actions, GitLab CI, and other CI providers.
Monorepo and workspace tools
Tools for managing multiple packages in a single repository.
JavaScript: Turborepo, Nx, Lerna, Rush, Bolt, npm workspaces, Yarn workspaces, pnpm workspaces
Multi-language: Bazel, Pants, Buck, Please, Nx, Repo
Task runners: Turborepo, Nx, moon, wireit
Publishing: Lerna, changesets, semantic-release, release-it
Build tools with dependency management
Build systems that include package management features.
Bazel: bzlmod
CMake: FetchContent, CPM
Meson: wraps
Container builds: Earthly, Cloud Native Buildpacks
Research
A longer list of academic work is in Package Management Papers.
Dependency analysis: FASTEN, Software Heritage, Mancoosi
Datasets: GH Archive, World of Code, npm-follower, Code Commons
Bloat detection: DepClean, deptry
Standards and specifications
Specifications that enable interoperability between tools.
Package identification: PURL, VERS, CPE, SWHID
Vulnerability exchange: OSV, CVE, CWE, OpenVEX, vexctl
Supply chain: SLSA, in-toto, TUF
Versioning: SemVer, PEP 440 (Python versions), node-semver (npm range syntax)
Container: OCI (image and distribution specs), OCI Artifacts
Signing envelopes: DSSE (Dead Simple Signing Envelope)
Missing something? Send a pull request or open an issue.