# Andrew Nesbitt | Software Engineer and Package Management Nerd

> Markdown mirror of DialtoneApp's public top-site detail page for `nesbitt.io`.

URL: https://dialtoneapp.com/top-sites/nesbitt.io/index.md
Canonical HTML: https://dialtoneapp.com/top-sites/nesbitt.io

## Summary

- Domain: `nesbitt.io`
- Website: https://nesbitt.io
- Description: ai readable | score 16 | purchase read only
- Label: ai_readable
- Payment surface: Not available
- Purchase boundary: read_only
- Control boundary: unknown
- Rank: 458995

## robots

Not found.

## llms

~~~text
# Andrew Nesbitt

Package management and open source metadata expert. Building Ecosyste.ms, open datasets and tools for critical open source infrastructure.

## Posts:

- [Exploring Unseen Open Source Infrastructure](/2017/02/24/exploring-unseen-open-source-infrastructure.html)
  Date: 2017-02-24
  Highly used open source libraries that have almost no stars or attention on GitHub.
  Tags: open-source, infrastructure, dependencies, github
- [What does a sustainable open source project look like?](/2017/11/10/what-does-a-sustainable-open-source-project-look-like.html)
  Date: 2017-11-10
  What a successful, sustainable open source project looks like, the work people do on it, and the community it needs.
- [Untangle your GitHub Notifications with Octobox](/2018/11/25/untangle-your-github-notifications-with-octobox.html)
  Date: 2018-11-25
  Octobox helps you manage your GitHub notifications in the same way Gmail helps you with email; it's now available on the GitHub Marketplace.
  Tags: ruby, github, open-source, productivity
- [Making 24 Pull Requests more inclusive for 2018](/2018/11/29/making-24-pull-requests-more-inclusive-for-2018.html)
  Date: 2018-11-29
  24 Pull Requests is back for its 6th year and this time we're making it more inclusive to all kinds of contributions.
  Tags: open-source, challenge, christmas
- [Ecosyste.ms 2023 End of Year Update](/2023/12/21/2023-ecosystems-end-of-year-update.html)
  Date: 2023-12-21
  Wrapping up what we've been up to over the past year on https://ecosyste.ms
  Tags: open-source, ecosyste.ms, github
- [From ZeroVer to SemVer: A List of Versioning Schemes in Open Source](/2024/06/24/from-zerover-to-semver-a-comprehensive-list-of-versioning-schemes-in-open-source.html)
  Date: 2024-06-24
  A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
  Tags: versioning, open-source, software development, semver, package-managers, reference, history
- [Package Management Papers](/2025/11/13/package-management-papers.html)
  Date: 2025-11-13
  A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
  Tags: package-managers, research, dependencies, history, reference
- [Package Manager Timeline](/2025/11/15/package-manager-timeline.html)
  Date: 2025-11-15
  A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
  Tags: package-managers, history, dependencies, reference
- [Podcast Interviews 2025](/2025/11/17/podcast-interviews-2025.html)
  Date: 2025-11-17
  A collection of podcast interviews discussing ecosyste.ms, open source metadata, package management, and software sustainability.
  Tags: podcasts, ecosyste.ms, open-source, sustainability
- [Extending Git Functionality](/2025/11/26/extending-git-functionality.html)
  Date: 2025-11-26
  A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.
  Tags: git, tools, reference
- [Community Benchmarks for AI Coding Tools](/2025/11/27/community-benchmarks-for-ai-coding-tools.html)
  Date: 2025-11-27
  AI coding benchmarks are heavily skewed toward Python and JavaScript. Framework maintainers could change that by defining what good code looks like in their ecosystems.
  Tags: ai, open-source, benchmarks, maintainers
- [Revisiting Gitballs](/2025/11/28/revisiting-gitballs.html)
  Date: 2025-11-28
  Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
  Tags: open-source, package-managers, git, software heritage, tools
- [A Taxonomy for Open Source Software](/2025/11/29/oss-taxonomy.html)
  Date: 2025-11-29
  I'm working on a structured taxonomy for classifying open source projects across multiple dimensions: domain, role, technology, audience, layer, and function.
  Tags: open-source, metadata, taxonomy, ecosyste.ms
- [Documenting Package Manager Data](/2025/11/30/documenting-package-manager-data.html)
  Date: 2025-11-30
  Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
  Tags: open-source, package-managers, ecosyste.ms, reference
- [PromptVer](/2025/12/01/promptver.html)
  Date: 2025-12-01
  A semver-compatible versioning scheme for the age of LLMs.
  Tags: versioning, ai, semver, package-managers, satire
- [What is a Package Manager?](/2025/12/02/what-is-a-package-manager.html)
  Date: 2025-12-02
  What is a package manager? Perhaps quite a few more components than you might think
  Tags: package-managers, reference
- [Package Manager Design Tradeoffs](/2025/12/05/package-manager-tradeoffs.html)
  Date: 2025-12-05
  Design tradeoffs in package managers
  Tags: package-managers, rust, reference
- [GitHub Actions Has a Package Manager, and It Might Be the Worst](/2025/12/06/github-actions-package-manager.html)
  Date: 2025-12-06
  GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
  Tags: package-managers, github, git
- [Why I'm Fascinated by Package Management](/2025/12/09/why-im-fascinated-by-package-management.html)
  Date: 2025-12-09
  From gaming magazine CDs to dependency graphs
  Tags: package-managers
- [Slopsquatting meets Dependency Confusion](/2025/12/10/slopsquatting-meets-dependency-confusion.html)
  Date: 2025-12-10
  LLMs can leak internal package names, making dependency confusion attacks easier to scale.
  Tags: security, package-managers
- [Building Ecosyste.ms Polite API Rate Limits](/2025/12/11/building-ecosytems-polite-api-rate-limits.html)
  Date: 2025-12-11
  Tiered rate limiting that rewards good citizenship: API keys, polite users, and everyone else.
  Tags: ecosyste.ms, apisix
- [Supply Chain Security Tools for Ruby](/2025/12/14/supply-chain-security-tools-for-ruby.html)
  Date: 2025-12-14
  Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
  Tags: ruby, sbom, package-managers, tools
- [How I Assess Open Source Libraries](/2025/12/15/how-i-assess-open-source-libraries.html)
  Date: 2025-12-15
  What I actually look at when deciding whether to adopt a dependency.
  Tags: open-source, package-managers, dependencies
- [Typosquatting in Package Managers](/2025/12/17/typosquatting-in-package-managers.html)
  Date: 2025-12-17
  A reference guide to typosquatting techniques, real-world examples, and detection tools.
  Tags: security, package-managers
- [Docker is the Lockfile for System Packages](/2025/12/18/docker-is-the-lockfile-for-system-packages.html)
  Date: 2025-12-18
  Why Docker filled the reproducibility gap that system package managers left open
  Tags: package-managers, docker, deep-dive
- [Why JavaScript Needed Docker](/2025/12/19/why-javascript-needed-docker.html)
  Date: 2025-12-19
  How Docker became JavaScript's real lockfile
  Tags: package-managers, npm, docker, deep-dive
- [Package Managers Devroom at FOSDEM 2026: Schedule Announced](/2025/12/20/fosdem-2026-package-managers-devroom-schedule.html)
  Date: 2025-12-20
  Nine talks on supply chain security, dependency resolution, and registry economics
  Tags: package-managers, fosdem, conferences
- [Federated Package Management and the Zooko Triangle](/2025/12/21/federated-package-management.html)
  Date: 2025-12-21
  The trade-offs that make decentralized package management impractical
  Tags: package-managers, deep-dive
- [Jekyll Stats Plugin](/2025/12/21/jekyll-stats-plugin.html)
  Date: 2025-12-21
  A Jekyll plugin that adds a stats command to show word counts, reading time, posting frequency, and tag distributions.
  Tags: open-source, ruby, jekyll
- [Package Registries Are Governance Providers](/2025/12/22/package-registries-are-governance-as-a-service.html)
  Date: 2025-12-22
  Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
  Tags: package-managers, deep-dive
- [Could lockfiles just be SBOMs?](/2025/12/23/could-lockfiles-just-be-sboms.html)
  Date: 2025-12-23
  Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
  Tags: package-managers, sbom, idea
- [Package managers keep using git as a database, it never works out](/2025/12/24/package-managers-keep-using-git-as-a-database.html)
  Date: 2025-12-24
  Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
  Tags: package-managers, git, rust, go, deep-dive
- [Cursed Bundler: Using go get to install Ruby Gems](/2025/12/25/cursed-bundler-using-go-get-to-install-ruby-gems.html)
  Date: 2025-12-25
  Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
  Tags: package-managers, go, ruby, idea
- [How uv got so fast](/2025/12/26/how-uv-got-so-fast.html)
  Date: 2025-12-26
  uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
  Tags: package-managers, python, deep-dive
- [How to Ruin All of Package Management](/2025/12/27/how-to-ruin-all-of-package-management.html)
  Date: 2025-12-27
  Attach financial incentives to open source metrics and watch the spam flood in.
  Tags: package-managers, security
- [The Compact Index: How Bundler Scales Dependency Resolution](/2025/12/28/the-compact-index.html)
  Date: 2025-12-28
  The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
  Tags: package-managers, ruby, rust, deep-dive
- [Categorizing Package Manager Clients](/2025/12/29/categorizing-package-manager-clients.html)
  Date: 2025-12-29
  Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
  Tags: package-managers, reference
- [Categorizing Package Registries](/2025/12/29/categorizing-package-registries.html)
  Date: 2025-12-29
  Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
  Tags: package-managers, reference
- [Community Tools Bring Lockfile Support to GitHub Actions](/2025/12/30/community-tools-bring-lockfile-support-to-github-actions.html)
  Date: 2025-12-30
  Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
  Tags: package-managers, github, git, tools
- [Open Source Activity in 2025](/2025/12/31/open-source-activity-in-2025.html)
  Date: 2025-12-31
  A look back at my open source work in 2025: ecosyste.ms, supply chain security tooling, and Ruby gems
  Tags: open-source, github
- [git-pkgs: explore your dependency history](/2026/01/01/git-pkgs-explore-your-dependency-history.html)
  Date: 2026-01-01
  A git subcommand to explore the dependency history of your repositories.
  Tags: open-source, package-managers, git, tools, git-pkgs
- [How Dependabot Actually Works](/2026/01/02/how-dependabot-actually-works.html)
  Date: 2026-01-02
  Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
  Tags: package-managers, github, dependencies, deep-dive
- [The Package Management Landscape](/2026/01/03/the-package-management-landscape.html)
  Date: 2026-01-03
  A directory of tools, systems, and services that relate to package management.
  Tags: package-managers, reference
- [Making git-pkgs feel like Git](/2026/01/04/making-git-pkgs-feel-like-git.html)
  Date: 2026-01-04
  What it takes to make a git subcommand feel native.
  Tags: open-source, package-managers, git, tools, git-pkgs
- [The Nine Levels of JavaScript Dependency Hell](/2026/01/05/the-nine-levels-of-javascript-dependency-hell.html)
  Date: 2026-01-05
  Come, I will show you what I have seen.
  Tags: package-managers, javascript, npm, satire
- [brew-vulns: CVE scanning for Homebrew](/2026/01/08/brew-vulns-cve-scanning-for-homebrew.html)
  Date: 2026-01-08
  A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
  Tags: package-managers, homebrew, tools
- [Package Management Blog Posts](/2026/01/09/package-management-blog-posts.html)
  Date: 2026-01-09
  Blog posts, talks, and essays that changed how people think about dependency management.
  Tags: package-managers, history, reference
- [16 Best Practices for Reducing Dependabot Noise](/2026/01/10/16-best-practices-for-reducing-dependabot-noise.html)
  Date: 2026-01-10
  A practical guide to ignoring security updates responsibly
  Tags: package-managers, dependencies, satire
- [Package Manager Glossary](/2026/01/13/package-manager-glossary.html)
  Date: 2026-01-13
  A cross-ecosystem glossary of package management terms.
  Tags: package-managers, reference
- [Package Manager People](/2026/01/14/package-manager-people.html)
  Date: 2026-01-14
  People who built, maintain, or research package managers.
  Tags: package-managers, research, reference
- [Lockfile Format Design and Tradeoffs](/2026/01/17/lockfile-format-design-and-tradeoffs.html)
  Date: 2026-01-17
  Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
  Tags: package-managers, deep-dive
- [Workspaces and Monorepos in Package Managers](/2026/01/18/workspaces-and-monorepos-in-package-managers.html)
  Date: 2026-01-18
  How various package managers implement workspaces and their relationship with monorepos.
  Tags: package-managers, monorepo, deep-dive
- [A Jepsen Test for Package Managers](/2026/01/19/a-jepsen-test-for-package-managers.html)
  Date: 2026-01-19
  Applying Jepsen-style adversarial testing to package managers.
  Tags: package-managers, idea
- [importmap.lock: a lockfile for the web](/2026/01/19/importmap-lock.html)
  Date: 2026-01-19
  Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.
  Tags: package-managers, javascript, importmap, idea
- [The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness](/2026/01/20/the-lesser-evil-of-compliance.html)
  Date: 2026-01-20
  You are not paid to find good options. You are paid to choose.
  Tags: package-managers, dependencies, satire, the-path
- [An AI Skill for Skeptical Dependency Management](/2026/01/21/an-ai-skill-for-skeptical-dependency-management.html)
  Date: 2026-01-21
  A skill that makes Claude Code evaluate packages before suggesting them.
  Tags: package-managers, tools
- [A Protocol for Package Management](/2026/01/22/a-protocol-for-package-management.html)
  Date: 2026-01-22
  A shared vocabulary for resolution, publishing, and governance across ecosystems.
  Tags: package-managers, idea
- [Package Management is a Wicked Problem](/2026/01/23/package-management-is-a-wicked-problem.html)
  Date: 2026-01-23
  Why fixing package managers is harder than it looks.
  Tags: package-managers, idea
- [Rewriting git-pkgs in Go](/2026/01/24/rewriting-git-pkgs-in-go.html)
  Date: 2026-01-24
  The dependency history tool is now a single Go binary.
  Tags: open-source, package-managers, git, tools, git-pkgs, go
- [PkgFed: ActivityPub for Package Releases](/2026/01/25/pkgfed-activitypub-for-package-releases.html)
  Date: 2026-01-25
  Follow serde@crates.io from your Mastodon account
  Tags: package-managers, idea
- [Introducing Package Chaos Monkey](/2026/01/26/introducing-package-chaos-monkey.html)
  Date: 2026-01-26
  Resilience engineering for your software supply chain.
  Tags: package-managers, satire
- [The C-Shaped Hole in Package Management](/2026/01/27/the-c-shaped-hole-in-package-management.html)
  Date: 2026-01-27
  System package managers and language package managers are solving different problems that happen to overlap in the middle.
  Tags: package-managers, deep-dive
- [The Dependency Layer in Digital Sovereignty](/2026/01/28/the-dependency-layer-in-digital-sovereignty.html)
  Date: 2026-01-28
  Where package management fits in the digital sovereignty discussion.
  Tags: package-managers, idea
- [Zig and the M×N Supply Chain Problem](/2026/01/29/zig-and-the-mxn-supply-chain-problem.html)
  Date: 2026-01-29
  Zig's long road to supply chain security.
  Tags: package-managers, idea
- [Will AI Make Package Managers Redundant?](/2026/01/30/will-ai-make-package-managers-redundant.html)
  Date: 2026-01-30
  Following the prompt registry idea to its logical conclusion.
  Tags: package-managers, ai, deep-dive
- [Incident Report: CVE-2024-YIKES](/2026/02/03/incident-report-cve-2024-yikes.html)
  Date: 2026-02-03
  A series of unfortunate events.
  Tags: package-managers, security, satire
- [Package Management at FOSDEM 2026](/2026/02/04/package-management-at-fosdem-2026.html)
  Date: 2026-02-04
  Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
  Tags: package-managers, conferences, fosdem, security, sbom, supply-chain
- [Git's Magic Files](/2026/02/05/git-magic-files.html)
  Date: 2026-02-05
  Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.
  Tags: git, tools, reference
- [Crates.io's Freaky Friday](/2026/02/06/cratesio-freaky-friday.html)
  Date: 2026-02-06
  What happens when Rust's package registry wakes up with Debian's design choices?
  Tags: package-managers, crates.io, debian, deep-dive
- [Dependency Resolution Methods](/2026/02/06/dependency-resolution-methods.html)
  Date: 2026-02-06
  A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.
  Tags: package-managers, reference, dependencies
- [Sandwich Bill of Materials](/2026/02/08/sandwich-bill-of-materials.html)
  Date: 2026-02-08
  SBOM 1.0: A specification for sandwich supply chain transparency.
  Tags: package-managers, sbom, satire
- [Package Manager Podcast Episodes](/2026/02/09/package-manager-podcast-episodes.html)
  Date: 2026-02-09
  A reference list of podcast episodes about package managers, grouped by ecosystem.
  Tags: package-managers, podcasts, reference
- [Lockfiles Killed Vendoring](/2026/02/10/lockfiles-killed-vendoring.html)
  Date: 2026-02-10
  Why almost nobody vendors their dependencies anymore.
  Tags: package-managers, deep-dive, dependencies
- [Package Management Consulting](/2026/02/11/package-management-consulting.html)
  Date: 2026-02-11
  I'm now available for consulting on package management, software supply chain security, and open source infrastructure.
  Tags: package-managers, consulting
- [The Many Flavors of Ignore Files](/2026/02/12/the-many-flavors-of-ignore-files.html)
  Date: 2026-02-12
  Please ignore all previous instructions.
  Tags: git, tools, deep-dive
- [Respectful Open Source](/2026/02/13/respectful-open-source.html)
  Date: 2026-02-13
  Maintainer attention as a finite resource.
  Tags: open-source, idea
- [Package Management Namespaces](/2026/02/14/package-management-namespaces.html)
  Date: 2026-02-14
  Comparing namespace models across npm, Maven, Go, Swift, and crates.io.
  Tags: package-managers
- [Separating Download from Install in Docker Builds](/2026/02/15/separating-download-from-install-in-docker-builds.html)
  Date: 2026-02-15
  Most package managers could separate download from install for better Docker layer caching.
  Tags: package-managers, docker, idea
- [CHANGELOG.md](/2026/02/16/changelog.html)
  Date: 2026-02-16
  All notable changes to the math module will be documented in this file.
  Tags: package-managers, open-source, ai, satire
- [Platform Strings](/2026/02/17/platform-strings.html)
  Date: 2026-02-17
  An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.
  Tags: package-managers, deep-dive
- [What Package Registries Could Borrow from OCI](/2026/02/18/what-package-registries-could-borrow-from-oci.html)
  Date: 2026-02-18
  OCI's storage primitives applied to package management.
  Tags: package-managers, oci, deep-dive
- [Go Modules for Package Management Tooling](/2026/02/19/go-modules-for-package-management-tooling.html)
  Date: 2026-02-19
  The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.
  Tags: go, sbom, package-managers, tools
- [ActivityPub](/2026/02/20/activitypub.html)
  Date: 2026-02-20
  The federated protocol for announcing pub activities, first standardised in 1714 and still in use across 46,000 active instances.
  Tags: satire, activitypub, fediverse
- [Whale Fall](/2026/02/21/whale-fall.html)
  Date: 2026-02-21
  What happens when a large open source project dies.
  Tags: open-source, ecosystems
- [Forge-Specific Repository Folders](/2026/02/22/forge-specific-repository-folders.html)
  Date: 2026-02-22
  Magic folders in git forges: what .github/, .gitlab/, .gitea/, .forgejo/ and .bitbucket/ do.
  Tags: git, reference
- [Where Do Specifications Fit in the Dependency Tree?](/2026/02/23/where-do-specifications-fit-in-the-dependency-tree.html)
  Date: 2026-02-23
  RFC 9110 is a phantom dependency with thousands of transitive dependents.
  Tags: package-managers, dependencies, deep-dive
- [Reproducible Builds in Language Package Managers](/2026/02/24/reproducible-builds-in-language-package-managers.html)
  Date: 2026-02-24
  Verifying that a published package was actually built from the source it claims.
  Tags: package-managers, security
- [Two Kinds of Attestation](/2026/02/25/two-kinds-of-attestation.html)
  Date: 2026-02-25
  The oldest problem in computer science, but with toasters.
  Tags: security, open-source, policy
- [Git in Postgres](/2026/02/26/git-in-postgres.html)
  Date: 2026-02-26
  Instead of using git as a database, what if you used a database as a git?
  Tags: git, postgres
- [xkcd 2347](/2026/02/27/xkcd-2347.html)
  Date: 2026-02-27
  An interactive version of the dependency comic.
  Tags: dependencies, open-source
- [npm Data Subject Access Request](/2026/02/28/npm-data-subject-access-request.html)
  Date: 2026-02-28
  A response to a GDPR data subject access request.
  Tags: package-managers, npm, satire
- [Downstream Testing](/2026/03/01/downstream-testing.html)
  Date: 2026-03-01
  Most library maintainers have no way to test against their dependents before releasing.
  Tags: package-managers, testing, ecosystems
- [Transitive Trust](/2026/03/02/transitive-trust.html)
  Date: 2026-03-02
  You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?
  Tags: package-managers, security, ecosystems
- [Package Management is Naming All the Way Down](/2026/03/03/package-management-is-naming-all-the-way-down.html)
  Date: 2026-03-03
  There are two hard problems in computer science, and package managers found at least eight of them.
  Tags: package-managers, deep-dive
- [Package Managers Need to Cool Down](/2026/03/04/package-managers-need-to-cool-down.html)
  Date: 2026-03-04
  A survey of dependency cooldown support across package managers and update tools.
  Tags: package-managers, security, ecosystems, deep-dive
- [Package Manager Magic Files](/2026/03/05/package-manager-magic-files.html)
  Date: 2026-03-05
  Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.
  Tags: package-managers, reference
- [.gitlocal](/2026/03/06/gitlocal.html)
  Date: 2026-03-06
  Git Should Let Files Ignore Themselves
  Tags: git, idea
- [Announcing New Working Groups](/2026/03/07/announcing-new-working-groups.html)
  Date: 2026-03-07
  The Open Source Foundations Consortium announces seven new working groups.
  Tags: open-source, governance, satire
- [If It Quacks Like a Package Manager](/2026/03/08/if-it-quacks-like-a-package-manager.html)
  Date: 2026-03-08
  Some tools waddle like package managers without learning to swim.
  Tags: package-managers, security, deep-dive
- [100 Posts](/2026/03/09/100-posts.html)
  Date: 2026-03-09
  This is post number 100.
  Tags: writing
- [Just Use Postgres](/2026/03/10/just-use-postgres.html)
  Date: 2026-03-10
  Taking 'just use Postgres' to its logical endpoint: git push to deploy into a single Postgres process.
  Tags: git, postgres
- [git-pkgs/actions](/2026/03/11/git-pkgs-actions.html)
  Date: 2026-03-11
  How to add git-pkgs to your GitHub Actions workflows.
  Tags: git-pkgs, github-actions, supply-chain
- [Reviewing ENISA's Package Manager Advisory](/2026/03/12/reviewing-enisas-package-manager-advisory.html)
  Date: 2026-03-12
  Notes on ENISA's Technical Advisory for Secure Use of Package Managers.
  Tags: package-managers, security, supply-chain
- [Forge](/2026/03/13/forge.html)
  Date: 2026-03-13
  A unified CLI for GitHub, GitLab, Gitea, Forgejo, and Bitbucket.
  Tags: git, open-source
- [What's Going On with FAIR Package Manager](/2026/03/14/whats-going-on-with-fair-package-manager.html)
  Date: 2026-03-14
  Federated FAIR pivots from WordPress to TYPO3
  Tags: package-managers, deep-dive
- [Guided Meditation for Developers](/2026/03/15/guided-meditation-for-developers.html)
  Date: 2026-03-15
  A practice for finding peace in your dependency tree.
  Tags: package-managers, open-source, satire
- [Git Remote Helpers](/2026/03/18/git-remote-helpers.html)
  Date: 2026-03-18
  Git can talk to anything if you write the right helper.
  Tags: git, reference
- [The Fragmented World of Dependency Policy](/2026/03/19/the-fragmented-world-of-dependency-policy.html)
  Date: 2026-03-19
  Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.
  Tags: package-managers, supply-chain, git-pkgs
- [Package Manager Mirroring](/2026/03/20/package-manager-mirroring.html)
  Date: 2026-03-20
  Every mirroring tool I could find, and the protocols underneath them.
  Tags: package-managers, reference
- [How to Attract AI Bots to Your Open Source Project](/2026/03/21/how-to-attract-ai-bots-to-your-open-source-project.html)
  Date: 2026-03-21
  A practical guide to getting the engagement your project deserves.
  Tags: open-source, ai, satire
- [The Top 10 Biggest Conspiracies in Open Source](/2026/03/25/the-top-10-biggest-conspiracies-in-open-source.html)
  Date: 2026-03-25
  I'm not connecting these dots. I'm just pointing out that the dots are there.
  Tags: open-source, satire
- [The Roles of Packages](/2026/03/29/the-roles-of-packages.html)
  Date: 2026-03-29
  Applying Sajaniemi's roles of variables to packages across every kind of package manager.
  Tags: package-managers, taxonomy, deep-dive
- [Git Diff Drivers](/2026/03/30/git-diff-drivers.html)
  Date: 2026-03-30
  What git's diff drivers can do, from built-in language support to custom textconv filters.
  Tags: git, tools, reference
- [npm's Defaults Are Bad](/2026/03/31/npms-defaults-are-bad.html)
  Date: 2026-03-31
  The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.
  Tags: package-managers, javascript, npm, security
- [Package Manager Easter Eggs](/2026/04/03/package-manager-easter-eggs.html)
  Date: 2026-04-03
  A tour of the easter eggs hiding inside package managers.
  Tags: package-managers, reference
- [What does Open Source mean?](/2026/04/04/what-does-open-source-mean.html)
  Date: 2026-04-04
  A stack of incompatible expectations.
  Tags: open-source, reference
- [The Cathedral and the Catacombs](/2026/04/06/the-cathedral-and-the-catacombs.html)
  Date: 2026-04-06
  Stretching a metaphor deep into the floor.
  Tags: open-source, dependencies, security
- [Who Built This?](/2026/04/07/who-built-this.html)
  Date: 2026-04-07
  Tracing a dependency back to its source commit.
  Tags: package-managers, security, supply-chain
- [Package Security Problems for AI Agents](/2026/04/08/package-security-problems-for-ai-agents.html)
  Date: 2026-04-08
  Packages all the way down, agents all the way up.
  Tags: security, package-managers, ai, reference
- [Package Security Defenses for AI Agents](/2026/04/09/package-security-defenses-for-ai-agents.html)
  Date: 2026-04-09
  Lockfiles, sandboxes, and cooldown timers.
  Tags: security, package-managers, ai
- [Package Registries and Pagination](/2026/04/10/package-registries-and-pagination.html)
  Date: 2026-04-10
  100MB of metadata for 10,451 versions.
  Tags: package-managers, registries
- [Common Package Specification](/2026/04/13/common-package-specification.html)
  Date: 2026-04-13
  Not the cross-ecosystem format the name suggests.
  Tags: package-managers
- [Standing on the shoulders of Homebrew](/2026/04/14/standing-on-the-shoulders-of-homebrew.html)
  Date: 2026-04-14
  Rewriting the easy parts of Homebrew.
  Tags: package-managers, homebrew
- [The Tuesday Test](/2026/04/15/the-tuesday-test.html)
  Date: 2026-04-15
  Like the Turing test but with more tacos.
  Tags: package-managers
- [Features everyone should steal from npmx](/2026/04/16/features-everyone-should-steal-from-npmx.html)
  Date: 2026-04-16
  What happens when users design their own package registry frontend
  Tags: package-managers, npm
- [brief](/2026/04/21/brief.html)
  Date: 2026-04-21
  A knowledge base of project conventions, exposed as a CLI.
  Tags: open-source, tools, git-pkgs, ai, security
~~~

## llms-full

Not found.