Everything I've written about package managers, organized by type.
Reference
Categorizing Package Manager Clients — Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
Categorizing Package Registries — Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
Documenting Package Manager Data — Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
From ZeroVer to SemVer: A List of Versioning Schemes in Open Source — A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
Package Management Blog Posts — Blog posts, talks, and essays that changed how people think about dependency management.
Package Management Papers — A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
Package Manager Design Tradeoffs — Design tradeoffs in package managers
Package Manager Glossary — A cross-ecosystem glossary of package management terms.
Package Manager Timeline — A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
The Package Management Landscape — A directory of tools, systems, and services that relate to package management.
What is a Package Manager? — What is a package manager? Perhaps quite a few more components than you might think
Deep dives
Could lockfiles just be SBOMs? — Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Cursed Bundler: Using go get to install Ruby Gems — Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
Docker is the Lockfile for System Packages — Why Docker filled the reproducibility gap that system package managers left open
Federated Package Management and the Zooko Triangle — The trade-offs that make decentralized package management impractical
GitHub Actions Has a Package Manager, and It Might Be the Worst — GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
How Dependabot Actually Works — Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
How uv got so fast — uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
Package Registries Are Governance Providers — Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
Package managers keep using git as a database, it never works out — Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
The Compact Index: How Bundler Scales Dependency Resolution — The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
Why JavaScript Needed Docker — How Docker became JavaScript's real lockfile
Tools
Community Tools Bring Lockfile Support to GitHub Actions — Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
Making git-pkgs feel like Git — What it takes to make a git subcommand feel native.
Revisiting Gitballs — Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
Supply Chain Security Tools for Ruby — Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
brew-vulns: CVE scanning for Homebrew — A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
git-pkgs: explore your dependency history — A git subcommand to explore the dependency history of your repositories.
Security
How to Ruin All of Package Management — Attach financial incentives to open source metrics and watch the spam flood in.
Slopsquatting meets Dependency Confusion — LLMs can leak internal package names, making dependency confusion attacks easier to scale.
Typosquatting in Package Managers — A reference guide to typosquatting techniques, real-world examples, and detection tools.
Satire
16 Best Practices for Reducing Dependabot Noise — A practical guide to ignoring security updates responsibly
PromptVer — A semver-compatible versioning scheme for the age of LLMs.
The Nine Levels of JavaScript Dependency Hell — Come, I will show you what I have seen.
Everything else
How I Assess Open Source Libraries — What I actually look at when deciding whether to adopt a dependency.
Package Managers Devroom at FOSDEM 2026: Schedule Announced — Nine talks on supply chain security, dependency resolution, and registry economics
Why I'm Fascinated by Package Management — From gaming magazine CDs to dependency graphs