Everything I've written about package managers, organized by type.

Reference

Categorizing Package Manager Clients — Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
Categorizing Package Registries — Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
Dependency Resolution Methods — A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.
Documenting Package Manager Data — Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
From ZeroVer to SemVer: A List of Versioning Schemes in Open Source — A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
Package Management Blog Posts — Blog posts, talks, and essays that changed how people think about dependency management.
Package Management Papers — A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
Package Manager Design Tradeoffs — Design tradeoffs in package managers
Package Manager Easter Eggs — A tour of the easter eggs hiding inside package managers.
Package Manager Glossary — A cross-ecosystem glossary of package management terms.
Package Manager Magic Files — Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.
Package Manager Mirroring — Every mirroring tool I could find, and the protocols underneath them.
Package Manager People — People who built, maintain, or research package managers.
Package Manager Podcast Episodes — A reference list of podcast episodes about package managers, grouped by ecosystem.
Package Manager Timeline — A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
Package Security Problems for AI Agents — Packages all the way down, agents all the way up.
The Package Management Landscape — A directory of tools, systems, and services that relate to package management.
What is a Package Manager? — What is a package manager? Perhaps quite a few more components than you might think

Ideas

A Jepsen Test for Package Managers — Applying Jepsen-style adversarial testing to package managers.
A Protocol for Package Management — A shared vocabulary for resolution, publishing, and governance across ecosystems.
Could lockfiles just be SBOMs? — Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Cursed Bundler: Using go get to install Ruby Gems — Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
Package Management is a Wicked Problem — Why fixing package managers is harder than it looks.
PkgFed: ActivityPub for Package Releases — Follow [email protected] from your Mastodon account
Separating Download from Install in Docker Builds — Most package managers could separate download from install for better Docker layer caching.
The Dependency Layer in Digital Sovereignty — Where package management fits in the digital sovereignty discussion.
Zig and the M×N Supply Chain Problem — Zig's long road to supply chain security.
importmap.lock: a lockfile for the web — Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.

Deep dives

Crates.io's Freaky Friday — What happens when Rust's package registry wakes up with Debian's design choices?
Docker is the Lockfile for System Packages — Why Docker filled the reproducibility gap that system package managers left open
Federated Package Management and the Zooko Triangle — The trade-offs that make decentralized package management impractical
How Dependabot Actually Works — Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
How uv got so fast — uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
If It Quacks Like a Package Manager — Some tools waddle like package managers without learning to swim.
Lockfile Format Design and Tradeoffs — Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
Lockfiles Killed Vendoring — Why almost nobody vendors their dependencies anymore.
Package Management is Naming All the Way Down — There are two hard problems in computer science, and package managers found at least eight of them.
Package Managers Need to Cool Down — A survey of dependency cooldown support across package managers and update tools.
Package Registries Are Governance Providers — Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
Package managers keep using git as a database, it never works out — Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
Platform Strings — An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.
The C-Shaped Hole in Package Management — System package managers and language package managers are solving different problems that happen to overlap in the middle.
The Compact Index: How Bundler Scales Dependency Resolution — The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
The Roles of Packages — Applying Sajaniemi's roles of variables to packages across every kind of package manager.
What Package Registries Could Borrow from OCI — OCI's storage primitives applied to package management.
What's Going On with FAIR Package Manager — Federated FAIR pivots from WordPress to TYPO3
Where Do Specifications Fit in the Dependency Tree? — RFC 9110 is a phantom dependency with thousands of transitive dependents.
Why JavaScript Needed Docker — How Docker became JavaScript's real lockfile
Will AI Make Package Managers Redundant? — Following the prompt registry idea to its logical conclusion.
Workspaces and Monorepos in Package Managers — How various package managers implement workspaces and their relationship with monorepos.

Tools

An AI Skill for Skeptical Dependency Management — A skill that makes Claude Code evaluate packages before suggesting them.
Community Tools Bring Lockfile Support to GitHub Actions — Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
Go Modules for Package Management Tooling — The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.
Making git-pkgs feel like Git — What it takes to make a git subcommand feel native.
Revisiting Gitballs — Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
Rewriting git-pkgs in Go — The dependency history tool is now a single Go binary.
Supply Chain Security Tools for Ruby — Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
brew-vulns: CVE scanning for Homebrew — A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
git-pkgs: explore your dependency history — A git subcommand to explore the dependency history of your repositories.

Security

How to Ruin All of Package Management — Attach financial incentives to open source metrics and watch the spam flood in.
If It Quacks Like a Package Manager — Some tools waddle like package managers without learning to swim.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Package Management at FOSDEM 2026 — Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
Package Managers Need to Cool Down — A survey of dependency cooldown support across package managers and update tools.
Package Security Defenses for AI Agents — Lockfiles, sandboxes, and cooldown timers.
Package Security Problems for AI Agents — Packages all the way down, agents all the way up.
Reproducible Builds in Language Package Managers — Verifying that a published package was actually built from the source it claims.
Reviewing ENISA's Package Manager Advisory — Notes on ENISA's Technical Advisory for Secure Use of Package Managers.
Slopsquatting meets Dependency Confusion — LLMs can leak internal package names, making dependency confusion attacks easier to scale.
Transitive Trust — You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?
Typosquatting in Package Managers — A reference guide to typosquatting techniques, real-world examples, and detection tools.
Who Built This? — Tracing a dependency back to its source commit.
npm's Defaults Are Bad — The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.

Satire

16 Best Practices for Reducing Dependabot Noise — A practical guide to ignoring security updates responsibly
CHANGELOG.md — All notable changes to the math module will be documented in this file.
Guided Meditation for Developers — A practice for finding peace in your dependency tree.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Introducing Package Chaos Monkey — Resilience engineering for your software supply chain.
PromptVer — A semver-compatible versioning scheme for the age of LLMs.
Sandwich Bill of Materials — SBOM 1.0: A specification for sandwich supply chain transparency.
The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness — You are not paid to find good options. You are paid to choose.
The Nine Levels of JavaScript Dependency Hell — Come, I will show you what I have seen.
npm Data Subject Access Request — A response to a GDPR data subject access request.

Everything else

Common Package Specification — Not the cross-ecosystem format the name suggests.
Downstream Testing — Most library maintainers have no way to test against their dependents before releasing.
GitHub Actions Has a Package Manager, and It Might Be the Worst — GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
How I Assess Open Source Libraries — What I actually look at when deciding whether to adopt a dependency.
Package Management Consulting — I'm now available for consulting on package management, software supply chain security, and open source infrastructure.
Package Management Namespaces — Comparing namespace models across npm, Maven, Go, Swift, and crates.io.
Package Managers Devroom at FOSDEM 2026: Schedule Announced — Nine talks on supply chain security, dependency resolution, and registry economics
Package Registries and Pagination — 100MB of metadata for 10,451 versions.
Standing on the shoulders of Homebrew — Rewriting the easy parts of Homebrew.
The Fragmented World of Dependency Policy — Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.
Why I'm Fascinated by Package Management — From gaming magazine CDs to dependency graphs