Everything I've written about package managers, organized by type.

Reference

Categorizing Package Manager Clients — Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
Categorizing Package Registries — Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
Dependency Resolution Methods — A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.
Documenting Package Manager Data — Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
From ZeroVer to SemVer: A List of Versioning Schemes in Open Source — A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
Package Management Blog Posts — Blog posts, talks, and essays that changed how people think about dependency management.
Package Management Papers — A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
Package Manager Design Tradeoffs — Design tradeoffs in package managers.
Package Manager Glossary — A cross-ecosystem glossary of package management terms.
Package Manager People — People who built, maintain, or research package managers.
Package Manager Podcast Episodes — A reference list of podcast episodes about package managers, grouped by ecosystem.
Package Manager Timeline — A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
The Package Management Landscape — A directory of tools, systems, and services that relate to package management.
What is a Package Manager? — What is a package manager? Perhaps it has quite a few more components than you might think.

Ideas

A Jepsen Test for Package Managers — Applying Jepsen-style adversarial testing to package managers.
A Protocol for Package Management — A shared vocabulary for resolution, publishing, and governance across ecosystems.
Could lockfiles just be SBOMs? — Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Cursed Bundler: Using go get to install Ruby Gems — Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
Package Management is a Wicked Problem — Why fixing package managers is harder than it looks.
PkgFed: ActivityPub for Package Releases — Follow [email protected] from your Mastodon account.
The Dependency Layer in Digital Sovereignty — Where package management fits in the digital sovereignty discussion.
Zig and the M×N Supply Chain Problem — Zig's long road to supply chain security.
importmap.lock: a lockfile for the web — Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.

Deep dives

Crates.io's Freaky Friday — What happens when Rust's package registry wakes up with Debian's design choices?
Docker is the Lockfile for System Packages — Why Docker filled the reproducibility gap that system package managers left open.
Federated Package Management and the Zooko Triangle — The trade-offs that make decentralized package management impractical.
GitHub Actions Has a Package Manager, and It Might Be the Worst — GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning.
How Dependabot Actually Works — Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives.
How uv got so fast — uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
Lockfile Format Design and Tradeoffs — Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
Package Registries Are Governance Providers — Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
Package managers keep using git as a database, it never works out — Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
The C-Shaped Hole in Package Management — System package managers and language package managers are solving different problems that happen to overlap in the middle.
The Compact Index: How Bundler Scales Dependency Resolution — The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
Why JavaScript Needed Docker — How Docker became JavaScript's real lockfile
Will AI Make Package Managers Redundant? — Following the prompt registry idea to its logical conclusion.
Workspaces and Monorepos in Package Managers — How various package managers implement workspaces and their relationship with monorepos.

Tools

An AI Skill for Skeptical Dependency Management — A skill that makes Claude Code evaluate packages before suggesting them.
Community Tools Bring Lockfile Support to GitHub Actions — Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification.
Making git-pkgs feel like Git — What it takes to make a git subcommand feel native.
Revisiting Gitballs — Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
Rewriting git-pkgs in Go — The dependency history tool is now a single Go binary.
Supply Chain Security Tools for Ruby — Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
brew-vulns: CVE scanning for Homebrew — A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
git-pkgs: explore your dependency history — A git subcommand to explore the dependency history of your repositories.

Security

How to Ruin All of Package Management — Attach financial incentives to open source metrics and watch the spam flood in.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Package Management at FOSDEM 2026 — Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
Slopsquatting meets Dependency Confusion — LLMs can leak internal package names, making dependency confusion attacks easier to scale.
Typosquatting in Package Managers — A reference guide to typosquatting techniques, real-world examples, and detection tools.

Satire

16 Best Practices for Reducing Dependabot Noise — A practical guide to ignoring security updates responsibly.
Incident Report: CVE-2024-YIKES — A series of unfortunate events.
Introducing Package Chaos Monkey — Resilience engineering for your software supply chain.
PromptVer — A semver-compatible versioning scheme for the age of LLMs.
Sandwich Bill of Materials — SBOM 1.0: A specification for sandwich supply chain transparency.
The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness — You are not paid to find good options. You are paid to choose.
The Nine Levels of JavaScript Dependency Hell — Come, I will show you what I have seen.

Everything else

How I Assess Open Source Libraries — What I actually look at when deciding whether to adopt a dependency.
Package Managers Devroom at FOSDEM 2026: Schedule Announced — Nine talks on supply chain security, dependency resolution, and registry economics.
Why I'm Fascinated by Package Management — From gaming magazine CDs to dependency graphs.