May 2026

Language Registries Are Unstable by Default

May 15, 2026

apt install -t unstable, but make it your whole personality

Centrality is not vitality

May 14, 2026

Don't automatically reach for PageRank on dependency graphs

Showing Our Work

May 13, 2026

An independent benchmark of the ecosyste.ms Python fund

Not a Security Issue

May 12, 2026

How curl's disclosure policy filtered an AI scanner's findings at source

proxy

May 11, 2026

A lightweight multi-ecosystem caching package proxy

Madame Semver Will See You Now

May 10, 2026

The cards do not lie.

The Mismeasure of Open Source

May 9, 2026

The streetlight effect in project-health scoring

Weekend at Bernie's

May 8, 2026

Which of your dependencies are wearing sunglasses

Free as in Tribbles

May 7, 2026

The next metaphor after free-as-in-puppy

Revisiting the 2015 Open Source Census

May 6, 2026

The riskiest projects in open source, scored a decade early

Package Manager Threat Models

May 5, 2026

The non-CVE half of package manager security

Package Manager CWEs

May 4, 2026

Recurring weakness classes in package managers

A GitHub for maintainers

May 2, 2026

Giving dependencies the same treatment the fork got

Patching and forking in package managers

May 1, 2026

What to do when upstream ghosts you