May 2026

All posts

This Week in Package Management: 30 May 2026

May 30, 2026

Releases, advisories, and articles from across the package management world

Composer's dependency policies

May 29, 2026

uBlock Origin for composer install

Protestware for coding agents

May 28, 2026

printMessageForCodingAgents()

Package managers that package package managers

May 28, 2026

brew install spack install conda install cargo install uv tool install pip install poetry add pdm add conan

CHAOSS Metrics in 2026

May 27, 2026

CHAOSS metrics were calibrated for human-speed contribution

GitHub Actions security in Python packages

May 25, 2026

Thank you Dr. Zizmor

Signing is for the bad days

May 24, 2026

TUF, in-toto, and Sigstore only look pointless while nothing is on fire

This Week in Package Management: 23 May 2026

May 23, 2026

Releases, advisories, and articles from across the package management world

Dependency Pruning

May 22, 2026

A survey of unused-dependency detectors

RFC: Artificial Contributors to Open Source

May 21, 2026

Intended status: Best Current Practice.

Dumb Ways for an Open Source Project to Die

May 19, 2026

How your dependencies became Bernies

Language Registries Are Unstable by Default

May 15, 2026

apt install -t unstable, but make it your whole personality

Centrality is not vitality

May 14, 2026

Don't automatically reach for PageRank on dependency graphs

Showing Our Work

May 13, 2026

An independent benchmark of the ecosyste.ms Python fund

Not a Security Issue

May 12, 2026

How curl's disclosure policy filtered an AI scanner's findings at source

proxy

May 11, 2026

A lightweight multi-ecosystem caching package proxy

Madame Semver Will See You Now

May 10, 2026

The cards do not lie.

The Mismeasure of Open Source

May 9, 2026

The streetlight effect in project-health scoring

Weekend at Bernie's

May 8, 2026

Which of your dependencies are wearing sunglasses

Free as in Tribbles

May 7, 2026

The next metaphor after free-as-in-puppy

Revisiting the 2015 Open Source Census

May 6, 2026

The riskiest projects in open source, scored a decade early

Package Manager Threat Models

May 5, 2026

The non-CVE half of package manager security

Package Manager CWEs

May 4, 2026

Recurring weakness classes in package managers

A GitHub for maintainers

May 2, 2026

Giving dependencies the same treatment the fork got

Patching and forking in package managers

May 1, 2026

What to do when upstream ghosts you