Like the blog posts and papers collections, this is a running list of podcast episodes where people who build and maintain package managers talk about their work. Grouped by ecosystem, with a few cross-cutting episodes at the end.

The Manifest (manifest.fm) is a podcast dedicated entirely to package management, hosted by Alex Pounds and me. I’ve listed its episodes under the relevant ecosystems below rather than in a separate section.

JavaScript / TypeScript

JavaScript Jabber #052: Node npm (Isaac Schlueter, 2013). Early discussion of npm’s role in the Node ecosystem, semantic versioning, and module discovery.

The Changelog #101: npm Origins and Node.js (Isaac Schlueter, 2013). npm’s creator on its origins and how to get paid to do open source.

JavaScript Jabber #099: npm, Inc. (Isaac Schlueter, Laurie Voss, and Rod Boothby, 2014). The founding of npm, Inc. and turning a community project into a company.

JavaScript Jabber #127: Changes in npm Land (Forrest Norvell, Rebecca Turner, Ben Coe, and Isaac Schlueter, 2014). The full npm team on what was changing inside the registry and CLI.

JavaScript Jabber #174: npm 3 (Rebecca Turner and Forrest Norvell, 2015). The npm tech lead on npm 3’s changes to dependency tree flattening.

JavaScript Air #047: Yarn (Sebastian McKenzie, Konstantin Raev, Yehuda Katz, and Christoph Pojer, 2016). The original Yarn team explaining why they built it, recorded right after launch.

JavaScript Jabber #266: npm 5.0 (Rebecca Turner, 2017). npm 5’s lockfile, performance improvements, and the design decisions behind them.

JavaScript Jabber #294: Node Security (Adam Baldwin, 2018). The Node Security Platform, dependency vulnerabilities, and integrating security into npm workflows.

Founders Talk #61: Building npm and Hiring a CEO (Isaac Schlueter, 2019). Isaac on the journey of hiring his successor and the business side of running npm.

The Undefined Podcast: The Future of JavaScript Tooling (Sebastian McKenzie, 2019). The Babel and Yarn creator on open source burnout, working at Facebook, and the Rome project.

The Changelog #326: The event-stream compromise (Dominic Tarr, 2018). The maintainer whose package was hijacked explains how it happened. The best incident postmortem in podcast form.

JavaScript Jabber #357: event-stream Package Vulnerabilities (Richard Feldman and Hillel Wayne, 2019). The event-stream attack from the community’s perspective, and whether paying maintainers would improve security.

The Changelog #355: The Economics of Open Source (CJ Silverio, 2019). npm’s former CTO on who owns the JavaScript commons, VC-funded registries, and the Entropic federated alternative.

JavaScript Jabber #366: npm (Mikeal Rogers, 2019). Node.js history, alternate CLIs, Pika, import maps, and where package management was heading.

The Manifest #9: Typosquatting (Adam Baldwin). Security in npm, typosquatting attacks, and what exploits look like in practice.

PodRocket: What makes pnpm performant (Zoltan Kochan, 2022). pnpm’s creator on its content-addressable store and symlink architecture.

devtools.fm #154: pnpm and the Future of Package Management (Zoltan Kochan). How pnpm revolutionized dependency installation in the JavaScript ecosystem.

Software Engineering Daily: pnpm (Zoltan Kochan, 2025). pnpm’s background and where package management on the web is heading.

The Changelog #443: Exploring Deno Land (Ryan Dahl, 2021). Only Ryan Dahl’s second podcast appearance. Covers the full arc from Node regrets to Deno.

Syntax #737: JSR: The New TypeScript Package Registry (Luca Casonato, 2024). JSR’s design as an ESM-only, TypeScript-first registry that complements npm.

Syntax #815: Deno 2 (Ryan Dahl, 2024). Deno 2’s npm package support, web standards, and framework integration.

JS Party #282: The massive bug at the heart of npm (Darcy Clarke, 2023). A deep technical disclosure of an integrity bug in the npm registry.

Syntax #688: vlt with Darcy Clarke (Darcy Clarke). Darcy introduces vlt, a next-generation package manager and registry.

JS Party #295: Reflecting on Bun’s big launch (Jarred Sumner, 2023). Bun 1.0, its relationship to Node, and how a VC-backed startup sustains an open source runtime.

JavaScript Jabber #524: Supply Chain Security, Part 1 (Feross Aboukhadijeh, 2022). Malware trends targeting npm dependencies and how Socket detects them beyond traditional vulnerability scanning.

JavaScript Jabber #525: Supply Chain Security, Part 2 (Feross Aboukhadijeh, 2022). Continued discussion on shifting mindsets around dependencies and understanding dependency lifecycle management.

The Changelog #482: Securing the open source supply chain (Feross Aboukhadijeh). Socket’s launch and the broader problem of npm supply chain security.

Python

Podcast.__init__ #54: Pip and the Python Package Authority (Donald Stufft, 2016). pip and PyPI’s primary maintainer on the work involved in keeping them running.

Talk Python To Me #64: Inside the Python Package Index (Donald Stufft, 2016). PyPI handling over 300 TB of traffic per month and the infrastructure behind it.

Talk Python To Me #159: Inside the new PyPI launch (Nicole Harris, Ernest Durbin III, and Dustin Ingram, 2018). The launch of pypi.org replacing the legacy system after 15+ years.

Podcast.__init__ #264: Dependency Management Improvements in Pip’s Resolver (Pradyun Gedam, Tzu-ping Chung, and Paul Moore, 2020). The new pip dependency resolver, its design, and the challenge of writing good error messages.

Talk Python To Me #377: Python Packaging and PyPI in 2022 (Dustin Ingram, 2022). 2FA rollout, securing the supply chain, and the state of PyPI.

Talk Python To Me #406: Reimagining Python’s Packaging Workflows (Steve Dower, Pradyun Gedam, Ofek Lev, and Paul Moore, 2023). How the packaging landscape expanded with Poetry, Hatch, PDM, and others.

Talk Python To Me #453: uv - The Next Evolution in Python Packages? (Charlie Marsh, 2024). uv’s initial launch as a pip replacement.

The Changelog #660: Reinventing Python tooling with Rust (Charlie Marsh, 2025). Why Python, why Rust, how Astral makes everything fast.

Talk Python To Me #476: Unified Python packaging with uv (Charlie Marsh, 2024). uv’s expansion from pip replacement to full project manager.

Talk Python To Me #520: pyx - the other side of the uv coin (Charlie Marsh, 2025). Astral’s Python-native package registry and how it complements PyPI.

SE Radio #622: Wolf Vollprecht on Python Tooling in Rust (Wolf Vollprecht, 2024). Mamba and Pixi, building Python infrastructure in Rust.

Talk Python To Me #439: Pixi, A Fast Package Manager (Wolf Vollprecht and Ruben Arts, 2023). Pixi’s high-performance package management with full conda compatibility.

Talk Python To Me #115: Python for Humans projects (Kenneth Reitz, 2017). Requests, pipenv, and the philosophy behind them.

The Python Show #41: Python Packaging and FOSS with Armin Ronacher (Armin Ronacher, 2024). The creator of Flask and Rye on the state of Python packaging and open source sustainability.

Open Source Security Podcast: Python security with Seth Larson (Seth Larson, 2024). What happens when open source developers are paid to do security work.

Talk Python To Me #435: PyPI Security (Mike Fiedler, 2023). PyPI’s safety and security engineer on malware detection, trusted publishers, and the 2FA mandate for all publishers.

Ruby

The Manifest #3: RubyGems with Andre Arko (Andre Arko, 2017). How he became lead maintainer of RubyGems and Bundler, and what led to Ruby Together.

Ruby Rogues #45: Bundler (Andre Arko, 2012). Early, in-depth discussion of Bundler’s design and purpose.

Rooftop Ruby #23: Head of Open Source at Ruby Central (Andre Arko, 2023). His journey to Bundler, how Ruby Together came to be, and continuing that work at Ruby Central.

Friendly Show #5: How we got RubyGems and Bundler (Andre Arko, 2023). The full history of RubyGems and Bundler, the cost of maintaining them (~$500k/month), and future plans.

The Rails Changelog #19: Exploring RubyGems (Jenny Shen). The mechanics of dependency resolution in RubyGems, including compact indexes.

Changelog & Friends #113: The RubyGems Debacle (Mike McQuaid and Justin Searls, 2025). The Ruby Central governance controversy, money in open source, and what sustainability means.

Rust

The Manifest #8: Cargo and Crates.io (Carol Nichols, 2017). The features that make Cargo the envy of other package managers, and the sustainability of the Rust ecosystem.

The Changelog #151: The Rust Programming Language (Steve Klabnik and Yehuda Katz, 2015). Yehuda Katz designed Cargo by rolling up five years of innovation from Bundler, Node, and Go.

Open Source Security Podcast: crates.io trusted publishing (Tobias Bieniek, 2025). Steps crates.io is taking to enhance supply chain security through trusted publishing.

Go

The Manifest #4: Go dep (Sam Boyer, 2017). Package management for Go, SAT-solving, and dependency resolution before Go modules existed.

Go Time #77: Dependencies and the future of Go (Russ Cox, 2018). The Go tech lead on the Vgo proposal that became Go modules.

Go Time #188: SIV and the V2+ issue (Tim Heckman and Peter Bourgon, 2021). Semantic import versioning and the community friction it caused.

Go Time #321: Dependencies are dangerous (panel, 2024). The polyfill.io supply chain attack and Go’s “a little copying is better than a little dependency” proverb.

Go Time #86: Go modules and the Athens project (Marwan Sulaiman and Aaron Schlesinger, 2019). How Go module proxies work, the Athens project, and the transition from GOPATH to modules.

SE Radio #489: Sam Boyer on Package Management (Sam Boyer, 2021). A broad, ecosystem-agnostic discussion of package management as a discipline.

PHP

The Manifest #15: Packagist (Nils Adermann, 2019). PHP package management with Composer and Packagist from its co-creator.

Dart

The Manifest #5: Pub (Natalie Weizenbaum, 2017). How Dart’s pub works and a new algorithm for better dependency resolution errors, which became PubGrub.

Java / JVM

The Manifest #6: Maven (Brian Fox, 2017). The history of Maven Central, how Minecraft DDoS’d the service, and the future of Java dependency management.

The Manifest #12: Clojars (Daniel Compton, 2019). Clojars, the Clojure package registry, and its relationship to Maven.

OpenSSF “What’s in the SOSS?” #9: Downloading Known Vulnerabilities (Brian Fox, 2024). Why 96% of vulnerable downloads from Maven Central had known fixes available.

TechCast #53: Gradle Creators, Part 1 (Hans Dockter and Adam Murdoch, 2010). Gradle’s creators on the build system’s design and origins.

TechCast #54: Gradle Creators, Part 2 (Hans Dockter and Adam Murdoch, 2010). Continuation of the Gradle discussion.

SE Radio #628: Hans Dockter on Developer Productivity (Hans Dockter, 2024). Gradle’s creator on developer productivity and build tooling.

Swift / Apple

The Manifest #2: CocoaPods (Orta Therox, 2017). How CocoaPods grew, the arrival of Swift Package Manager, and the Danger project.

Swift by Sundell #75: The Swift Package Ecosystem (Dave Verwer and Sven A. Schmidt, 2020). The Swift Package Index launch and the state of the Swift package ecosystem.

.NET

Hanselminutes #238: NuGet Package Management with Phil Haack (Phil Haack, 2010). Recorded during PDC week, this is essentially the launch episode for .NET’s package manager, back when it was still called NuPack.

C / C++

The Manifest #13: Conan (Diego Rodriguez-Losada, 2019). Package management problems specific to C/C++ and the road to Conan 1.0.

CppCast #56: Conan (Diego Rodriguez-Losada, 2016). Early discussion of Conan from its creator.

CppCast #153: Vcpkg (Robert Schumacher, 2018). vcpkg’s evolution from a Visual Studio migration tool to a cross-platform C/C++ dependency manager.

Haskell

Haskell Interlude #68: Michael Snoyman (Michael Snoyman, 2025). The creator of Stack and Stackage on building a build tool that “just works” for Haskell.

Elm

Elm Radio #5: How (And When) to Publish a Package (2020). Elm’s enforced semantic versioning, where the compiler diffs package APIs and rejects publishes that break compatibility without a major bump.

Elixir

Thinking Elixir #3: Hex Package Manager (Eric Meadows-Jonsson, 2020). Hex’s creator on how Elixir’s package ecosystem handles versioning and resolution.

Erlang

Mostly Erlang #067: Rebar 3 (Fred Hebert, 2015). Fred Hebert and the panel on rebar3, Erlang’s build and dependency management tool.

Perl

The Underbar #3: MetaCPAN (Olaf Alders, Mickey Nasriachi, Shawn Sorichetti, and Graham Knop, 2025). The MetaCPAN team on the project’s history and future, recorded at the Perl Toolchain Summit in Leipzig.

The Underbar #6: CPAN Testers (Doug Bell, Ruth Holloway, Ferenc Erki, and Breno G. de Oliveira, 2025). How CPAN Testers went down, and how a new team formed around its lone remaining maintainer to get things running again.

The Underbar #7: CPAN Security Group (Salve J. Nilsen, Stig Palmquist, and others, 2025). The CPAN Security Group on supply chain security for Perl’s package ecosystem.

FLOSS Weekly #246: Pinto (Jeffrey Thalhammer, 2013). Custom CPAN-like repositories with Pinto, covering why pinning dependencies matters for reproducible builds.

System package managers

The Manifest #1: Homebrew (Mike McQuaid, 2017). The lead maintainer on Homebrew’s design, how it uses GitHub as a database, and patching upstream.

The Changelog #35: Homebrew and OS X Package Management (Max Howell, 2010). Early interview with Homebrew’s creator about the project’s origins.

The Changelog #223: Homebrew and Package Management (Mike McQuaid, 2016). The 1.0.0 release and growth to almost 6000 unique contributors.

freeCodeCamp Podcast #204: Mike McQuaid (Mike McQuaid, 2026). How big open source infrastructure gets built and maintained.

The Manifest #14: Debian and Reproducible Builds (Chris Lamb, 2019). How package management works in Debian and the Reproducible Builds project.

The Changelog #437: Into the Nix Ecosystem (Domen Kozar, 2021). Nix’s origins from Eelco Dolstra’s university research, how it works as a “Swiss Army knife of DevOps,” and the road ahead.

Happy Path Programming #73: Nix - Functional Programming for Software Packaging (Domen Kozar, 2023). Nix as functional programming applied to the packaging problem.

foss-north #33: Flatpak with Alexander Larsson (Alexander Larsson, 2021). Flatpak’s creator on its design, containers, and Linux desktop application distribution.

postmarketOS Podcast #30: Natanael Copa (Natanael Copa, 2023). Alpine Linux’s creator on why apk-tools is so fast and planned improvements for future versions.

Scientific computing

The Manifest #11: Spack (Todd Gamblin). The package manager for supercomputers and the unique challenges of HPC packaging.

The Manifest #16: Conda Forge, Mamba, and Packaging Con (Wolf Vollprecht, 2021). Conda-forge, the Mamba solver, and the first Packaging-Con.

RCE 103: EasyBuild (2016). EasyBuild’s approach to managing scientific software builds on HPC systems.

FLOSSforScience EP012: EasyBuild (Kenneth Hoste, 2018). The problems of installing scientific software on HPC systems and how EasyBuild addresses them.

Cross-ecosystem

The Manifest #7: The Update Framework (Trishank Karthik Kuppusamy). TUF, a security layer for package managers that grew out of the Tor Project. Also covers Uptane for automotive package management.

The Manifest #10: Open Source Licensing (Kate Stewart). How open source licensing intersects with software packaging, from the SPDX perspective.

OpenSSF “What’s in the SOSS?” #20: Package Repository Security (Jack Cable and Zach Steindler, 2024). Trusted Publishing, which started in PyPI and spread to RubyGems and npm.

OpenSSF “What’s in the SOSS?” #21: Alpha-Omega (Michael Winser, 2024). Securing critical dependency chains one project at a time, the “fix, fork, or forego” framework for upstream vulnerabilities, and why human trust beats automated reports.

Security Now #807: Dependency Confusion (Steve Gibson, 2021). A detailed walkthrough of Alex Birsan’s dependency confusion research, where uploading packages to public registries matching internal names at Apple, PayPal, and others achieved remote code execution.

What’s missing? There are ecosystems I know less about and episodes I haven’t found. Let me know or open a PR.