Package Managers
Everything I've written about package managers, organized by type.
Reference
Categorizing Package Manager Clients — Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
Categorizing Package Registries — Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
Dependency Resolution Methods — A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.
Documenting Package Manager Data — Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
From ZeroVer to SemVer: A List of Versioning Schemes in Open Source — A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
Package Management Blog Posts — Blog posts, talks, and essays that changed how people think about dependency management.
Package Management Papers — A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
Package Manager Design Tradeoffs — Design tradeoffs in package managers.
Package Manager Glossary — A cross-ecosystem glossary of package management terms.
Package Manager People — People who built, maintain, or research package managers.
Package Manager Podcast Episodes — A reference list of podcast episodes about package managers, grouped by ecosystem.
Package Manager Timeline — A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
The Package Management Landscape — A directory of tools, systems, and services that relate to package management.
What is a Package Manager? — What is a package manager? Perhaps quite a few more components than you might think.
Ideas
A Jepsen Test for Package Managers — Applying Jepsen-style adversarial testing to package managers.
A Protocol for Package Management — A shared vocabulary for resolution, publishing, and governance across ecosystems.
Could lockfiles just be SBOMs? — Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Cursed Bundler: Using go get to install Ruby Gems — Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
Package Management is a Wicked Problem — Why fixing package managers is harder than it looks.
PkgFed: ActivityPub for Package Releases — Follow [email protected] from your Mastodon account.
Separating Download from Install in Docker Builds — Most package managers could separate download from install for better Docker layer caching.
The Dependency Layer in Digital Sovereignty — Where package management fits in the digital sovereignty discussion.
Zig and the M×N Supply Chain Problem — Zig's long road to supply chain security.
importmap.lock: a lockfile for the web — Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.
Deep dives
Crates.io's Freaky Friday — What happens when Rust's package registry wakes up with Debian's design choices?
Docker is the Lockfile for System Packages — Why Docker filled the reproducibility gap that system package managers left open.
Federated Package Management and the Zooko Triangle — The trade-offs that make decentralized package management impractical
How Dependabot Actually Works — Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives.
How uv got so fast — uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
Lockfile Format Design and Tradeoffs — Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
Lockfiles Killed Vendoring — Why almost nobody vendors their dependencies anymore.
Package Registries Are Governance Providers — Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
Package managers keep using git as a database, it never works out — Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
Platform Strings — An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.
The C-Shaped Hole in Package Management — System package managers and language package managers are solving different problems that happen to overlap in the middle.
The Compact Index: How Bundler Scales Dependency Resolution — The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
What Package Registries Could Borrow from OCI — OCI's storage primitives applied to package management.
Where Do Specifications Fit in the Dependency Tree? — RFC 9110 is a phantom dependency with thousands of transitive dependents.
Why JavaScript Needed Docker — How Docker became JavaScript's real lockfile.
Will AI Make Package Managers Redundant? — Following the prompt registry idea to its logical conclusion.
Workspaces and Monorepos in Package Managers — How various package managers implement workspaces and their relationship with monorepos.
Tools
An AI Skill for Skeptical Dependency Management — A skill that makes Claude Code evaluate packages before suggesting them.
Community Tools Bring Lockfile Support to GitHub Actions — Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification.
Go Modules for Package Management Tooling — The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.
Making git-pkgs feel like Git — What it takes to make a git subcommand feel native.
Revisiting Gitballs — Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
Rewriting git-pkgs in Go — The dependency history tool is now a single Go binary.
Supply Chain Security Tools for Ruby — Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
brew-vulns: CVE scanning for Homebrew — A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
git-pkgs: explore your dependency history — A git subcommand to explore the dependency history of your repositories.
Security
How to Ruin All of Package Management — Attach financial incentives to open source metrics and watch the spam flood in.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Package Management at FOSDEM 2026 — Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
Reproducible Builds in Language Package Managers — Verifying that a published package was actually built from the source it claims.
Slopsquatting meets Dependency Confusion — LLMs can leak internal package names, making dependency confusion attacks easier to scale.
Typosquatting in Package Managers — A reference guide to typosquatting techniques, real-world examples, and detection tools.
Satire
16 Best Practices for Reducing Dependabot Noise — A practical guide to ignoring security updates responsibly.
CHANGELOG.md — All notable changes to the math module will be documented in this file.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Introducing Package Chaos Monkey — Resilience engineering for your software supply chain.
PromptVer — A semver-compatible versioning scheme for the age of LLMs.
Sandwich Bill of Materials — SBOM 1.0: A specification for sandwich supply chain transparency.
The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness — You are not paid to find good options. You are paid to choose.
The Nine Levels of JavaScript Dependency Hell — Come, I will show you what I have seen.
Everything else
GitHub Actions Has a Package Manager, and It Might Be the Worst — GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning.
How I Assess Open Source Libraries — What I actually look at when deciding whether to adopt a dependency.
Package Management Consulting — I'm now available for consulting on package management, software supply chain security, and open source infrastructure.
Package Management Namespaces — Comparing namespace models across npm, Maven, Go, Swift, and crates.io.
Package Managers Devroom at FOSDEM 2026: Schedule Announced — Nine talks on supply chain security, dependency resolution, and registry economics.
Why I'm Fascinated by Package Management — From gaming magazine CDs to dependency graphs.