June 2026
Taking Roads and Bridges literally
Reflections on UN Open Source Week 2026
Unbundling the standard library
Batteries no longer included, available separately on aisle four
This Week in Package Management: 27 June 2026
Releases, advisories, and articles from across the package management world
Incident Report: CVE-2026-LGTM
A series of unfortunate agents.
Scrutineer: scanning open source without flooding maintainers
Finding the vulnerabilities is the easy part
Sunsetting a Package Manager
A frozen registry is the one place a package can never be patched again.
This Week in Package Management: 20 June 2026
Releases, advisories, and articles from across the package management world
Open Source vs the Invisible Hand
Ten million downloads a week, one maintainer, zero dollars.
How Open Source Projects Change Hands
There are fewer ways to leave your package than to kill it.
This Week in Package Management: 13 June 2026
Releases, advisories, and articles from across the package management world
Joint Guidance on Vulnerability Naming and Disclosure
Every named CVE now ships with a single-page site at .vuln.
What Happened to tea.xyz
Reading the tea leaves
Forms of Open Source Government
Open source has more forms of government than countries do.
Package Manager Patents
A reference list of patents and applications relevant to package manager design, with notes on prior art.
This Week in Package Management: 6 June 2026
Releases, advisories, and articles from across the package management world
Install-script allowlists
A survey of install-script allowlist mechanisms across package managers and language ecosystems.
gittuf - a signed log for git refs
Branch protection is a row in someone else's database
Skills Registry Threat Models
How long until we see a CVE filed against a markdown file?
The Infosec Phrasebook
a/s/l/threat model?