Andrew Nesbitt's CV
Independent developer and open source infrastructure specialist with 20 years of experience. Creator of Libraries.io and Ecosyste.ms. Building open data and open tooling for software dependency intelligence across package ecosystems.
Projects
Ecosyste.ms (2022–present) – Open data platform for software ecosystem intelligence, tracking packages, repositories, and dependency relationships across every major package ecosystem. Funded by Schmidt Futures. Serves billions of API requests annually on infrastructure costing under EUR 1k/month.
git-pkgs (2025–present) – Suite of Go libraries and CLI tools for dependency analysis at the git layer. Parses manifests across 25+ ecosystems, generates SBOMs, and scans for vulnerabilities. A working Forgejo integration was demonstrated at FOSDEM 2026.
Libraries.io (2014–2018) – First cross-ecosystem package monitoring platform, tracking dependencies across 30+ package managers. Acquired by Tidelift in 2018.
24 Pull Requests (2012–present) – Advent calendar for open source contributions, running every December since 2012.
Octobox (2016–present) – Open source GitHub notification management tool.
Employment
GitHub (2013–2014) – Software engineer.
Tidelift (2017–2018) – Continued Libraries.io development after its acquisition by Tidelift. Package ecosystem data and maintainer tooling.
Consulting
Alpha-Omega / OpenSSF (2025–present) – Open source supply chain security infrastructure. git-pkgs tooling and Forgejo integration work.
Traces.com (2025–present) – CLI and infrastructure tooling for a coding-agent trace platform.
Speaking and community
Co-organiser of the FOSDEM Package Management devroom (2025, 2026). Speaker at FOSS Backstage, PackagingCon, Open Source Summit, RubyConf, and Brighton Ruby.
Co-host of The Manifest podcast, 16 episodes interviewing package manager maintainers.
Writing
nesbitt.io – 113 posts and over 163,000 words covering package management internals, supply chain security, and open source ecosystem dynamics. Multiple posts featured on Hacker News front page.
Standards and working groups
Contributor to CycloneDX, CHAOSS, OpenSSF, and CNCF TAG Security. Implemented purl, vers, SPDX, and CycloneDX standards in production.
Technical skills
Go, Ruby. Package manifest parsing, dependency resolution, and vulnerability matching across 25+ ecosystems. Large-scale data infrastructure. Supply chain standards (purl, vers, SPDX, CycloneDX). Open source sustainability.