March 2026
npm's Defaults Are Bad
The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.
Git Diff Drivers
What git's diff drivers can do, from built-in language support to custom textconv filters.
The Roles of Packages
Applying Sajaniemi's roles of variables to packages across every kind of package manager.
The Top 10 Biggest Conspiracies in Open Source
I'm not connecting these dots. I'm just pointing out that the dots are there.
How to Attract AI Bots to Your Open Source Project
A practical guide to getting the engagement your project deserves.
Package Manager Mirroring
Every mirroring tool I could find, and the protocols underneath them.
The Fragmented World of Dependency Policy
Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.
Git Remote Helpers
Git can talk to anything if you write the right helper.
Guided Meditation for Developers
A practice for finding peace in your dependency tree.
What's Going On with FAIR Package Manager
Federated FAIR pivots from WordPress to TYPO3.
Forge
A unified CLI for GitHub, GitLab, Gitea, Forgejo, and Bitbucket.
Reviewing ENISA's Package Manager Advisory
Notes on ENISA's Technical Advisory for Secure Use of Package Managers.
git-pkgs/actions
How to add git-pkgs to your GitHub Actions workflows.
Just Use Postgres
Taking 'just use Postgres' to its logical endpoint: git push to deploy into a single Postgres process.
100 Posts
This is post number 100.
If It Quacks Like a Package Manager
Some tools waddle like package managers without learning to swim.
Announcing New Working Groups
The Open Source Foundations Consortium announces seven new working groups.
.gitlocal
Git should let files ignore themselves.
Package Manager Magic Files
Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.
Package Managers Need to Cool Down
A survey of dependency cooldown support across package managers and update tools.
Package Management is Naming All the Way Down
There are two hard problems in computer science, and package managers found at least eight of them.
Transitive Trust
You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?
Downstream Testing
Most library maintainers have no way to test against their dependents before releasing.