Andrew Nesbitt
@andrewnez.bsky.social
Working on mapping the world of open source software https://ecosyste.ms and empowering developers with https://octobox.io

Mostly posting on https://mastodon.social/@andrewnez
Pinned
The package manager in GitHub Actions might be the worst package manager in use today: nesbitt.io/2025/12/06/g...
GitHub Actions Has a Package Manager, and It Might Be the Worst
GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
nesbitt.io
Package Management is a Wicked Problem: nesbitt.io/2026/01/23/p...
Package Management is a Wicked Problem
Why fixing package managers is harder than it looks.
nesbitt.io
January 23, 2026 at 9:19 PM
@lannonbr.com thanks for the donation to ecosyste.ms on opencollective
ecosyste.ms | Tools and datasets to support, sustain, and secure critical digital infrastructure.
ecosyste.ms
January 23, 2026 at 6:03 PM
What could we do if we had a protocol for package management?

nesbitt.io/2026/01/22/a...
A Protocol for Package Management
A shared vocabulary for resolution, publishing, and governance across ecosystems.
nesbitt.io
January 22, 2026 at 12:15 PM
An AI Skill for Skeptical Dependency Management: nesbitt.io/2026/01/21/a...
An AI Skill for Skeptical Dependency Management
A skill that makes Claude Code evaluate packages before suggesting them.
nesbitt.io
January 21, 2026 at 1:33 PM
"Evil is evil. Lesser, greater, middling—makes no difference. But when the CRA requires you to document every open source component you ship, you learn to choose."

Geralt's guide to enterprise SBOM strategy: nesbitt.io/2026/01/20/t...
The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness
You are not paid to find good options. You are paid to choose.
nesbitt.io
January 20, 2026 at 10:44 AM
Random idea came to me while thinking about package managers as distributed systems.

Should there be a Jepsen Test for Package Managers?

nesbitt.io/2026/01/19/a...
A Jepsen Test for Package Managers
Applying Jepsen-style adversarial testing to package managers.
nesbitt.io
January 19, 2026 at 12:42 PM
I did a bit of a deep dive into the Workspaces features in Package Managers as I’d never used them before: nesbitt.io/2026/01/18/w...
Workspaces and Monorepos in Package Managers
A deep dive into how various package managers implement workspaces and their relationship with monorepos.
nesbitt.io
January 18, 2026 at 12:42 PM
My git-pkgs lightning talk got accepted at FOSDEM 🎉
January 18, 2026 at 9:49 AM
Another reference post today, this time People who built, maintain, or research package managers.

I'm sure I've missed people out. Open a PR or let me know, or if you'd like your entry updated, corrected, or removed, reach out.

nesbitt.io/2026/01/14/p...
Package Manager People
People who built, maintain, or research package managers.
nesbitt.io
January 14, 2026 at 3:24 PM
I’ve started working on a cross-ecosystem package manager glossary: nesbitt.io/2026/01/13/p...
Package Manager Glossary
A cross-ecosystem glossary of package management terms.
nesbitt.io
January 13, 2026 at 1:09 PM
I've put together a semi-automated page on my site that lists all the package manager posts by category: nesbitt.io/package-mana...
Package Managers
Posts about package management, dependency resolution, and software supply chain.
nesbitt.io
January 13, 2026 at 12:29 PM
Reposted by Andrew Nesbitt
"If a vulnerability has been public for two years and you have not been breached, the market has spoken" wise words as always
January 11, 2026 at 1:45 PM
New post: 16 Best Practices for Reducing Dependabot Noise
nesbitt.io/2026/01/10/1...
16 Best Practices for Reducing Dependabot Noise
A practical guide to ignoring security updates responsibly
nesbitt.io
January 10, 2026 at 12:15 PM
People much smarter than me have written a lot about package management.

Here are 59 of the most interesting blog posts about package management: nesbitt.io/2026/01/09/p...

(additions very welcome too)
Package Management Blog Posts
Blog posts, talks, and essays that changed how people think about dependency management.
nesbitt.io
January 9, 2026 at 4:56 PM
I was surprised to find there isn't a Homebrew CVE scanner, so I built one.

gem install brew-vulns && brew vulns

nesbitt.io/2026/01/08/b...
brew-vulns: CVE scanning for Homebrew
A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
nesbitt.io
January 8, 2026 at 10:38 PM
I have walked the circles of JavaScript dependency hell. I watched the developers solve each problem, only to create the next. Come, I will show you what I have seen.

nesbitt.io/2026/01/05/t...
The Nine Levels of JavaScript Dependency Hell
Come, I will show you what I have seen.
nesbitt.io
January 5, 2026 at 10:52 PM
I've been trying to make git-pkgs feel as close to the way the git cli works as possible, here's what it took: nesbitt.io/2026/01/04/m...
Making git-pkgs feel like Git
What it takes to make a git subcommand feel native.
nesbitt.io
January 4, 2026 at 9:44 PM
I've found myself wanting a place to reference the whole landscape of package management, so here it is: nesbitt.io/2026/01/03/t...
The Package Management Landscape
A directory of tools, systems, and services that relate to package management.
nesbitt.io
January 3, 2026 at 3:35 PM
Do you ever catch yourself wondering… how does Dependabot actually work?

I went spelunking and wrote up what I found: nesbitt.io/2026/01/02/h...
How Dependabot Actually Works
Inside dependabot-core’s architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
nesbitt.io
January 2, 2026 at 10:40 PM
Announcing git-pkgs, explore the dependency history of your git repositories.

git pkgs init
git pkgs blame
git pkgs history rails
git pkgs diff --from=v2.0
git pkgs stats
git pkgs why rails
git pkgs diff --from=HEAD~10
git pkgs diff --from=main --to=feature

nesbitt.io/2026/01/01/g...
git-pkgs: explore your dependency history
A git subcommand to explore the dependency history of your repositories.
nesbitt.io
January 1, 2026 at 10:06 PM
It's been a productive year! Here's some of what I worked on in 2025: nesbitt.io/2025/12/31/o...
Open Source Activity in 2025
A look back at my open source work in 2025: ecosyste.ms, supply chain security tooling, and Ruby gems
nesbitt.io
December 31, 2025 at 5:21 PM
Double header blog posts today where I attempt to categorize package manager clients and registries in various ways.

nesbitt.io/2025/12/29/c...

nesbitt.io/2025/12/29/c...
Categorizing Package Registries
Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
nesbitt.io
December 29, 2025 at 1:35 PM
Bundler has this neat compact index that speeds up dependency resolution. I think other package manager registries could do the same: nesbitt.io/2025/12/28/t...
The Compact Index: How Bundler Scales Dependency Resolution
The append-only index format that saved RubyGems.org, inspired Cargo’s sparse index, and could speed up npm and PyPI too.
nesbitt.io
December 28, 2025 at 3:48 PM
How did uv get so fast? (Spoiler: not just because it’s written in Rust) nesbitt.io/2025/12/26/h...
How uv got so fast
uv’s speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn’t exist five years ago.
nesbitt.io
December 26, 2025 at 5:06 PM