March 2026

All posts

npm's Defaults Are Bad

The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.

Git Diff Drivers

What git's diff drivers can do, from built-in language support to custom textconv filters.

The Roles of Packages

Applying Sajaniemi's roles of variables to packages across every kind of package manager.

The Top 10 Biggest Conspiracies in Open Source

I'm not connecting these dots. I'm just pointing out that the dots are there.

How to Attract AI Bots to Your Open Source Project

A practical guide to getting the engagement your project deserves.

Package Manager Mirroring

Every mirroring tool I could find, and the protocols underneath them.

The Fragmented World of Dependency Policy

Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.

Git Remote Helpers

Git can talk to anything if you write the right helper.

Guided Meditation for Developers

A practice for finding peace in your dependency tree.

What's Going On with FAIR Package Manager

Federated FAIR pivots from WordPress to TYPO3.

Forge

A unified CLI for GitHub, GitLab, Gitea, Forgejo, and Bitbucket.

Reviewing ENISA's Package Manager Advisory

Notes on ENISA's Technical Advisory for Secure Use of Package Managers.

git-pkgs/actions

How to add git-pkgs to your GitHub Actions workflows.

Just Use Postgres

Taking 'just use Postgres' to its logical endpoint: git push to deploy into a single Postgres process.

100 Posts

This is post number 100.

If It Quacks Like a Package Manager

Some tools waddle like package managers without learning to swim.

Announcing New Working Groups

The Open Source Foundations Consortium announces seven new working groups.

.gitlocal

Git should let files ignore themselves.

Package Manager Magic Files

Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.

Package Managers Need to Cool Down

A survey of dependency cooldown support across package managers and update tools.

Package Management is Naming All the Way Down

There are two hard problems in computer science, and package managers found at least eight of them.

Transitive Trust

You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?

Downstream Testing

Most library maintainers have no way to test against their dependents before releasing.