2026
Lockfile Format Design and Tradeoffs
Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
Package Manager People
People who built, maintain, or research package managers.
Package Manager Glossary
A cross-ecosystem glossary of package management terms.
16 Best Practices for Reducing Dependabot Noise
A practical guide to ignoring security updates responsibly
Package Management Blog Posts
Blog posts, talks, and essays that changed how people think about dependency management.
brew-vulns: CVE scanning for Homebrew
A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
The Nine Levels of JavaScript Dependency Hell
Come, I will show you what I have seen.
Making git-pkgs feel like Git
What it takes to make a git subcommand feel native.
The Package Management Landscape
A directory of tools, systems, and services that relate to package management.
How Dependabot Actually Works
Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
git-pkgs: explore your dependency history
A git subcommand to explore the dependency history of your repositories.
2025
Open Source Activity in 2025
A look back at my open source work in 2025: ecosyste.ms, supply chain security tooling, and Ruby gems
Community Tools Bring Lockfile Support to GitHub Actions
Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
Categorizing Package Registries
Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
Categorizing Package Manager Clients
Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
The Compact Index: How Bundler Scales Dependency Resolution
The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
How to Ruin All of Package Management
Attach financial incentives to open source metrics and watch the spam flood in.
How uv got so fast
uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
Cursed Bundler: Using go get to install Ruby Gems
Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
Package managers keep using git as a database, it never works out
Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
Could lockfiles just be SBOMs?
Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Package Registries Are Governance Providers
Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
Jekyll Stats Plugin
A Jekyll plugin that adds a stats command to show word counts, reading time, posting frequency, and tag distributions.
Federated Package Management and the Zooko Triangle
The trade-offs that make decentralized package management impractical
Package Managers Devroom at FOSDEM 2026: Schedule Announced
Nine talks on supply chain security, dependency resolution, and registry economics
Why JavaScript Needed Docker
How Docker became JavaScript's real lockfile
Docker is the Lockfile for System Packages
Why Docker filled the reproducibility gap that system package managers left open
Typosquatting in Package Managers
A reference guide to typosquatting techniques, real-world examples, and detection tools.
How I Assess Open Source Libraries
What I actually look at when deciding whether to adopt a dependency.
Supply Chain Security Tools for Ruby
Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
Building Ecosyste.ms Polite API Rate Limits
Tiered rate limiting that rewards good citizenship: API keys, polite users, and everyone else.
Slopsquatting meets Dependency Confusion
LLMs can leak internal package names, making dependency confusion attacks easier to scale.
Why I'm Fascinated by Package Management
From gaming magazine CDs to dependency graphs
GitHub Actions Has a Package Manager, and It Might Be the Worst
GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
Package Manager Design Tradeoffs
Design tradeoffs in package managers
What is a Package Manager?
What is a package manager? Perhaps quite a few more components than you might think
PromptVer
A semver-compatible versioning scheme for the age of LLMs.
Documenting Package Manager Data
Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
A Taxonomy for Open Source Software
I'm working on a structured taxonomy for classifying open source projects across multiple dimensions: domain, role, technology, audience, layer, and function.
Revisiting Gitballs
Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
Community Benchmarks for AI Coding Tools
AI coding benchmarks are heavily skewed toward Python and JavaScript. Framework maintainers could change that by defining what good code looks like in their ecosystems.
Extending Git Functionality
A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.
Podcast Interviews 2025
A collection of podcast interviews discussing ecosyste.ms, open source metadata, package management, and software sustainability.
Package Manager Timeline
A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
Package Management Papers
A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
2024
From ZeroVer to SemVer: A List of Versioning Schemes in Open Source
A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
2023
Ecosyste.ms 2023 End of Year Update
Wrapping up what we've been up to over the past year on https://ecosyste.ms
2018
Making 24 Pull Requests more inclusive for 2018
24 Pull Requests is back for its 6th year, and this time we're making it more inclusive to all kinds of contributions.
Untangle your GitHub Notifications with Octobox
Octobox helps you manage your GitHub notifications in the same way Gmail helps you with email; it's now available on the GitHub Marketplace.
2017
What does a sustainable open source project look like?
What a successful, sustainable open source project looks like, the work people do on it, and the community it needs.
Exploring Unseen Open Source Infrastructure
Highly used open source libraries that have almost no stars or attention on GitHub.