June 2026

All posts

Taking Roads and Bridges literally

Reflections on UN Open Source Week 2026

Unbundling the standard library

Batteries no longer included, available separately on aisle four

This Week in Package Management: 27 June 2026

Releases, advisories, and articles from across the package management world

Incident Report: CVE-2026-LGTM

A series of unfortunate agents.

Scrutineer: scanning open source without flooding maintainers

Finding the vulnerabilities is the easy part

Sunsetting a Package Manager

A frozen registry is the one place a package can never be patched again.

This Week in Package Management: 20 June 2026

Releases, advisories, and articles from across the package management world

Open Source vs the Invisible Hand

Ten million downloads a week, one maintainer, zero dollars.

How Open Source Projects Change Hands

There are fewer ways to leave your package than to kill it.

This Week in Package Management: 13 June 2026

Releases, advisories, and articles from across the package management world

Joint Guidance on Vulnerability Naming and Disclosure

Every named CVE now ships with a single-page site at .vuln.

What Happened to tea.xyz

Reading the tea leaves

Forms of Open Source Government

Open source has more forms of government than countries do.

Package Manager Patents

A reference list of patents and applications relevant to package manager design, with notes on prior art.

This Week in Package Management: 6 June 2026

Releases, advisories, and articles from across the package management world

Install-script allowlists

A survey of install-script allowlist mechanisms across package managers and language ecosystems.

gittuf - a signed log for git refs

Branch protection is a row in someone else's database

Skills Registry Threat Models

How long until we see a CVE filed against a markdown file?

The Infosec Phrasebook

a/s/l/threat model?