I’ve written integrations for dozens of package managers, tracked billions of dependency relationships, and watched the same design mistakes repeat across ecosystems for a decade. That pattern recognition is what I bring to consulting engagements. I help you avoid the mistakes that cost other registries years of technical debt.

Available for consulting on package management, software supply chain security, and open source infrastructure. Email [email protected] or find me on Mastodon.

Over fifteen years I’ve built Libraries.io, Ecosyste.ms, git-pkgs, the Manifest podcast, co-organised the Package Management devroom at FOSDEM, and contributed to Homebrew. All from the same obsession: understanding how software gets assembled from other people’s software.

What I can help with

Package manager design & architecture. If you’re building a package manager, registry, or dependency resolver, or trying to fix one, I can help you avoid the mistakes that RubyGems, npm, and PyPI learned the hard way. I’ve documented the design patterns, tradeoffs, and failure modes across dozens of ecosystems in my cross-ecosystem package manager documentation. Areas I cover include namespace design, version constraint semantics, lockfile formats, registry APIs, lifecycle hooks, and trust models.

Software supply chain security. I’ve found and catalogued dependency confusion attacks, typosquatting campaigns, slopsquatting (a term I popularized), malicious maintainer takeovers, and protestware incidents across every major ecosystem. I also advise on trusted publishing, SBOM generation and enrichment, and vulnerability scanning strategy. I know what actually works and what’s security theatre.

Package management governance. Registries aren’t just technical systems. They make political choices about naming, ownership, deletion, and dispute resolution. I contribute to Alpha-Omega, OpenSSF, CycloneDX, and CHAOSS working groups. Whether you’re a registry operator designing policies, a foundation setting ecosystem standards, or a company navigating the governance landscape of your dependencies, I can help.

Open source ecosystem intelligence. Ecosyste.ms tracks 13+ million packages across 50+ registries, 290 million repositories, and 24 billion dependencies, the largest public dependency graph available. I can help you understand your dependency landscape, identify critical infrastructure in your supply chain, or build tooling on top of this data.

Internal dependency strategy. For enterprise teams: audit your dependency practices, evaluate package manager choices, design internal registry architecture, set procurement policies, or build a supply chain security programme from scratch.

Open source strategy. I’ve built and maintained open source for over fifteen years: octobox, node-sass, 24 Pull Requests, Split, and contributions to Homebrew. I’ve designed web applications that scale to millions of users. If you’re launching projects, building contributor communities, or making sustainability decisions, I’ve seen what works and what doesn’t.

Research & analysis. Guest lectures, technical reports, ecosystem comparisons, landscape surveys. I’ve presented at FOSDEM and NYU Secure Systems Lab, spoken at the Software Mentions in OpenAlex workshop, and contributed to research with Software Heritage, CHAOSS, and OpenSSF.

How it works

Typically an initial call to understand what you’re dealing with, then either a short engagement (a few days of focused work) or ongoing advisory. I’m flexible on structure.

I’m based in the UK and work remotely. I’ve worked at GitHub and Tidelift. Past clients include package registry operators, open source foundations (CHAOSS, OpenSSF), enterprise platform teams, and academic research groups (NYU, Software Heritage).

Get in touch: [email protected] or Mastodon.