@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · 4d ago

Some notes on ENISA's Technical Advisory for Secure Use of Package Managers: https://nesbitt.io/2026/03/12/reviewing-enisas-package-manager-advisory.html

View on mastodon.social

6

0

4

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Mar 08, 2026

If It Quacks Like a Package Manager: https://nesbitt.io/2026/03/08/if-it-quacks-like-a-package-manager.html

View on mastodon.social

21

0

16

0

Boosted by

silverpill @silverpill@mitra.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 26, 2026

Instead of using git as a database, what if you used database as a git? https://nesbitt.io/2026/02/26/git-in-postgres.html

View on mastodon.social

74

0

49

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 21, 2026

What happens when a large open source project dies? https://nesbitt.io/2026/02/21/whale-fall.html

View on mastodon.social

229

0

243

1

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 14, 2026

TIL you can do this:

npx github:user/repo
npx gist:user/gist

😶‍🌫️

View on mastodon.social

4

0

3

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 13, 2026

Treating Maintainer attention as a finite resource: https://nesbitt.io/2026/02/13/respectful-open-source.html

View on mastodon.social

34

0

30

0

Thread context 2 posts in path

Parent @andrewnez@mastodon.social Open

on mastodon.social

Open ancestor post

Current reply

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 12, 2026

Have I missed anything? Contributions welcome: https://github.com/andrew/nesbitt.io/blob/master/oss-is-going-just-great.md

View full thread on mastodon.social

2

0

5

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 09, 2026

Deploying some more aggressive caching to @ecosystems@mastodon.social, especially on the html pages as some people are smashing it with headless chrome browsers atm.

Some things may be a bit more stale than before, but can't really be helped on such a small budget.

View on mastodon.social

2

0

3

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 08, 2026

SBOM 1.0: A specification for sandwich supply chain transparency.

https://nesbitt.io/2026/02/08/sandwich-bill-of-materials.html

View on mastodon.social

13

0

7

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 07, 2026

A reference post today, tried to collect all the different approaches to dependency resolution: https://nesbitt.io/2026/02/06/dependency-resolution-methods.html

View on mastodon.social

18

0

9

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Feb 04, 2026

Everything package management at @fosdem@fosstodon.org 2026, most of the videos are online now: https://nesbitt.io/2026/02/04/package-management-at-fosdem-2026.html

View on mastodon.social

9

0

6

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Jan 27, 2026

The C-Shaped Hole in Package Management: https://nesbitt.io/2026/01/27/the-c-shaped-hole-in-package-management.html

View on mastodon.social

46

0

37

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Jan 13, 2026

I’ve started working on a cross-ecosystem package manager glossary: https://nesbitt.io/2026/01/13/package-manager-glossary.html

View on mastodon.social

11

0

8

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Jan 01, 2026

Annoucing git-pkgs, explore the dependency history of your git repositories.

git pkgs init
git pkgs blame
git pkgs history rails
git pkgs diff --from=v2.0
git pkgs stats
git pkgs why rails
git pkgs diff --from=HEAD~10
git pkgs diff --from=main --to=feature

https://nesbitt.io/2026/01/01/git-pkgs-explore-your-dependency-history.html

View on mastodon.social

54

0

48

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Dec 31, 2025

One last coding experiment for 2025: https://github.com/ecosyste-ms/critical a daily updated sqlite database of metadata for the top 10k most used packages from @ecosystems@mastodon.social published to github and npm.

You can then use that with https://github.com/ecosyste-ms/mcp a local mcp server for package metadata, it runs instantly for the cached packages and then falls back to querying the ecosyste.ms APIs.

View on mastodon.social

0

1

0

Boosted by

Greg Bell @ferrix@mastodon.online

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Dec 24, 2025

Package managers keep using git as a database, it never works out. https://nesbitt.io/2025/12/24/package-managers-keep-using-git-as-a-database.html

View on mastodon.social

264

0

237

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Dec 18, 2025

The fosdem package manager dev room schedule is now live: https://fosdem.org/2026/schedule/track/package-management/

View on mastodon.social

7

0

7

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Dec 11, 2025

Spent more time debugging this that I would have liked, but it's done now, @ecosystems@mastodon.social multi-tiered api rate limit config with apisix: https://nesbitt.io/2025/12/11/building-ecosytems-polite-api-rate-limits.html

View on mastodon.social

2

0

2

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Dec 06, 2025

The package manager in GitHub Actions might be the worst package manager in use today: https://nesbitt.io/2025/12/06/github-actions-package-manager.html

View on mastodon.social

117

0

122

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Dec 04, 2025

What is a package manager? Perhaps quite a few more components than you might think: https://nesbitt.io/2025/12/02/what-is-a-package-manager.html

View on mastodon.social

17

0

17

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Nov 29, 2025

There's still time to get a proposal in for the package manager dev room at @fosdem@fosstodon.org 2026, cfp closes end of day 1st December:

https://blog.ecosyste.ms/2025/11/06/fosdem-2026-package-managers-devroom-cfp.html

View on mastodon.social

5

0

6

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Nov 06, 2025

We are excited to announce the Call for Participation for the Package Managers devroom at @fosdem@fosstodon.org 2026, taking place on Saturday, 31st January 2026 at the Université libre de Bruxelles, Belgium.

Submission deadline: 1st December 2025

https://blog.ecosyste.ms/2025/11/06/fosdem-2026-package-managers-devroom-cfp.html

View on mastodon.social

10

0

10

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Nov 06, 2025

I was on the changelog podcast chatting about @ecosystems@mastodon.social and package management: https://changelog.com/podcast/665

View on mastodon.social

3

0

2

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Sep 02, 2025

Ecosyste.ms now has a public discord server: https://discord.gg/Zn4kMf7y

View on mastodon.social

2

0

1

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Sep 02, 2025

Shamim is running a survey to better understand how developers view dependency resolution of package managers.

The hope is that this will help inform and improve package managers in the future.

Please fill it out and share it: https://forms.cloud.microsoft/r/McbinF3Tnn?origin=lprLink

View on mastodon.social

0

4

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Aug 06, 2025

Another release of my purl cli ruby gem: https://github.com/andrew/purl

You can now lookup information about a PURL in both text and json format, calling @ecosystems@mastodon.social behind the scenes.

https://github.com/andrew/purl?tab=readme-ov-file#look-up-package-information

View on mastodon.social

2

0

2

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Aug 01, 2025

Want to do something fun on Friday?

I found 24 maintainers of some of the most critical open source packages that are on GitHub Sponsors but currently don't have anyone sponsoring them, can we get that list down to zero by the end of the day?

https://gist.github.com/andrew/1433f11047b5fc3d1c59d6ec8f5a9587

View on mastodon.social

1

0

5

0

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

Andrew Nesbitt

@andrewnez@mastodon.social

Package Management Nerd, working on mapping the world of open source software https:// ecosyste.ms and blogging about package managers at https:// nesbitt.io

mastodon.social

@andrewnez@mastodon.social · Jul 29, 2025

I’ve been thinking about how to go about federating/decentralizing @ecosystems@mastodon.social services, lots of different ways to do it and different use cases, so I thought I’d open it up to some community input.

Would love to hear some thoughts on how to enable it on such a massive service, is activitypub the right protocol, something else or something custom?

https://github.com/ecosyste-ms/roadmap/issues/28

View on mastodon.social

4

0

6

0

Andrew Nesbitt

Posts

Media