I’m Andrew Nesbitt. I’ve spent the last decade thinking about package management.

I’m available for consulting on package management, software supply chain security, and open source infrastructure. I’ve worked at GitHub and Tidelift, and contributed to working groups at Alpha-Omega, OpenSSF, CycloneDX, and CHAOSS. More about consulting services.

Package managers are the invisible plumbing of modern software. Millions of developers share code through these systems, trusting that dependencies will resolve, versions will be compatible, and the packages they install are what they claim to be. Most of the time it works. When it doesn’t, things break in ways that ripple across the entire ecosystem. I find this coordination problem endlessly interesting.

I’ve been putting together a collection of reference materials and deep dives on package managers, covering how dependency resolution works, the tradeoffs different ecosystems make, and the people who build these systems.

My main project is Ecosyste.ms, a set of open APIs and datasets tracking over 11 million packages, 260 million repositories, and 22 billion dependencies. I built it because understanding software supply chains requires data that didn’t exist in one place. Now researchers use it to study ecosystem health, funders use it to find critical projects that need support, and security teams use it to understand blast radius when vulnerabilities appear.

I’m also developing git-pkgs, a git subcommand that makes your dependency history searchable. It traces who added each package and when, across 30+ ecosystems.

I’ve also published Ruby implementations of the specs that supply chain security tooling depends on: purl, vers, sbom, swhid, changelog-parser, and diffoscope.

Before Ecosyste.ms I built Libraries.io, which ran for about seven years. It started as a discovery tool for finding libraries, but over time I realized the more interesting problem was the dependency graph underneath. Tracking how packages depend on each other across ecosystems taught me how different package managers solve the same problems in different ways, and how much hidden complexity exists in the systems developers take for granted. Ecosyste.ms is what I built once I understood what I actually wanted to know.

I co-hosted The Manifest, a podcast where we interviewed the people who build and maintain package managers. It’s been on hiatus for a while, but across fifty-plus episodes we talked to maintainers from npm, RubyGems, Cargo, pip, Homebrew, and plenty of others. Those conversations shaped how I think about the tradeoffs these systems make and why different ecosystems evolved the way they did.

I co-organize the Package Management devroom at FOSDEM, where package manager maintainers from across ecosystems present their work and compare notes. I’m also part of the CHAOSS Package Metadata Working Group, where we’re documenting how package managers work: commands, manifest formats, APIs, and the metadata they expose.

Some of my other notable open source projects:

  • node-sass - Node.js bindings to libsass, now deprecated. Over 1.3 billion downloads.
  • Split - A/B testing framework for Ruby. Nearly 9 million gem downloads.
  • Octobox - A better way to manage GitHub notifications. Almost 2 million Docker pulls.
  • Homebrew Bundle - Bundler-style dependency management for Homebrew, now part of Homebrew core.
  • 24 Pull Requests - An advent calendar for open source contributions, running every December since 2012. One of the first projects of its kind, with 239 contributors.

I’m based in the UK and have been part of the Ruby community here for years, speaking at Brighton Ruby, Bath Ruby, and meetups around Bristol. When I’m not thinking about dependencies, I’m usually at a track day in my turbocharged Subaru BRZ.

You can find me on GitHub and Mastodon. I’m also on Bluesky and Twitter but rarely check either.

If you want to chat about package management, open source sustainability, or have me on your podcast, email me at [email protected].