Ecosyste.ms
@ecosystems.mastodon.social.ap.brid.gy
Tools and open datasets to support, sustain, and secure critical digital infrastructure

[bridged from https://mastodon.social/@ecosystems on the fediverse by https://fed.brid.gy/ ]
New on the blog: Documenting Package Manager Data

https://blog.ecosyste.ms/2025/11/17/documenting-package-manager-data.html
Documenting Package Manager Data
Package managers are the quiet workhorses of computing. They make installing software on a machine trivial, but they have their differences, and as recent events have shown, those differences can lead to vulnerabilities and provide opportunities for attackers to disrupt public and private services alike. ecosyste.ms is in something of a unique position: having aggregated and normalized package data from over 70 sources we know something about how package managers work, and how they differ from one another. Working alongside the CHAOSS Package Metadata Working Group and Alpha-Omega we’ve documented the similarities and differences across package registries and clients, publishing five repositories of information about how package managers work today. In doing so we hope to identify common problems and work toward better practices:

## Package Manager Commands

A cross-reference table of commands across 48 package managers. When you switch from npm to cargo, or pip to poetry, this maps the equivalent commands between ecosystems. The data is extracted from manpages and `--help` outputs and stored as JSON files in `data/managers/` with generated markdown tables and CSV exports. Check out the whole CSV file rendered as a huge table here: github.com/ecosyste-ms/package-manager-commands/blob/main/commands.csv

## Package Manager Manifest Examples

Over 145 manifest and lockfile examples from 34 package ecosystems, organized by PURL type. Manifests include `package.json`, `requirements.txt`, `pyproject.toml`, `Cargo.toml`, `Gemfile`, `composer.json`, `go.mod`, `pom.xml`, and more. Lockfiles include `package-lock.json`, `yarn.lock`, `poetry.lock`, `Cargo.lock`, `Gemfile.lock`, `composer.lock`, `go.sum`, and others. Initially extracted from Bibliothecary, with additional examples from tools like Trivy, Syft, OSV-Scanner, and Grype. Each example documents its filename, type (manifest/lockfile), source project, and what features it demonstrates.

## Package Manager OpenAPI Schemas

OpenAPI 3.0 specifications for 25+ package registry APIs including npm, PyPI, Maven, RubyGems, Cargo, Docker, and Terraform. Most schemas are generated using the packages.ecosyste.ms mapping code. Two registries, crates.io and open-vsx.org, have official OpenAPI specs. Hopefully more registries will publish official specs in the future. You can use these specs to generate API clients, create documentation with Swagger UI, or build mock servers for testing.

## Package Managers OPML

RSS and Atom feeds for tracking releases from package managers, registries, and related infrastructure projects. Import the OPML file into any feed reader to follow updates from npm, pip, cargo, Homebrew, Docker, Renovate, Dependabot, and others. Feeds are organized by language and ecosystem.

## Contributing

These repositories collect what we’ve learned while researching the space. If you’re building parsers, SBOM generators, or tools that work across package ecosystems, these might be useful references. All five repositories are released under CC0 1.0 Universal and accept contributions if you have corrections or additions.
blog.ecosyste.ms
November 17, 2025 at 6:01 PM
Reposted by Ecosyste.ms
We are excited to announce the Call for Participation for the Package Managers devroom at @fosdem 2026, taking place on Saturday, 31st January 2026 at the Université libre de Bruxelles, Belgium.

Submission deadline: 1st December 2025 […]
Original post on mastodon.social
mastodon.social
November 6, 2025 at 5:34 PM
Reposted by Ecosyste.ms
Ecosyste.ms now has a public discord server: https://discord.gg/Zn4kMf7y
Join the Ecosyste.ms Discord Server!
Check out the Ecosyste.ms community on Discord - hang out with 3 other members and enjoy free voice and text chat.
discord.com
September 2, 2025 at 2:30 PM
Reposted by Ecosyste.ms
Shamim is running a survey to better understand how developers view dependency resolution of package managers.

The hope is that this will help inform and improve package managers in the future.

Please fill it out and share it: https://forms.cloud.microsoft/r/McbinF3Tnn?origin=lprLink
Microsoft Forms
forms.cloud.microsoft
September 2, 2025 at 9:01 AM
To help handle the massive influx of traffic we’re going to be introducing some new rate limits on ecosyste.ms, inspired by @OpenAlex: a “polite pool” for users who identify themselves, and a “common pool” for everyone else.

https://blog.ecosyste.ms/2025/09/01/rate-limiting-the-right-way.html
Rate limiting: the right way...
**To bring the traffic down to sustainable levels and encourage efficient and responsible use we will be introducing rate limits across our services.**

As we mentioned last week: ecosyste.ms is at capacity. Revenues and donations to our non-profit are no longer covering the cost of serving 500GB of data and 40m requests daily.

A few weeks ago we introduced user agent tracking in order to get a better picture of our users’ behaviour. Our findings were… interesting. Our biggest users make nearly 3m requests to our packages service over a three day window. To put that into context: every day around 30,000 new versions of packages tracked by ecosyste.ms are published.

So, to encourage more efficient and responsible use of our services, and to enable us to support that service now and into the future, we will be introducing rate limits, the right way:

### What you need to do:

Inspired by OpenAlex, who themselves were inspired by Crossref, we’re going to split API users into two pools: the polite pool, and the common pool. The polite pool will have more consistent response times, ‘it’s where you want to be’ as OpenAlex say. In order to get into the polite pool you will need to provide a contact email address, so that we can contact you should we need to rate limit or block your access. You can do this by:

* adding `mailto=you@example.com` as a parameter to your API request, like this:
* adding `mailto:you@example.com` somewhere in your user-agent request header

The common pool is for everyone else. It will have less consistent response times, especially during peak periods as we serve polite requests more frequently.

### Next steps:

For the next couple of months we will continue to run the service without strict rate limits. Meanwhile we will work with our users to establish a policy that treads the line between supporting non-commercial applications, research, and policy development, while providing additional revenue to cover the cost of hosting and maintaining ecosyste.ms’ services. In the meantime you can support the project by:

👩‍💻 Contributing to ecosyste.ms on GitHub
🤝 Purchasing a data licence
🙏 Donating on Open Collective
blog.ecosyste.ms
September 1, 2025 at 2:51 PM
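The polite/common split described in the post above, as an added example that is not ecosyste.ms’ own code: a hypothetical server-side classifier that looks for the contact address in either place the post names (`mailto=` query parameter or `mailto:` in the User-Agent), assigns the pool, and derives the key a rate limiter would count against. Function names, the address check and the sample URLs are all assumptions.

```python
"""Classify API requests into ecosyste.ms-style 'polite' and 'common' pools.

Hypothetical implementation (not ecosyste.ms' code). Rules follow the blog
post: a request is 'polite' if it carries a contact address either as a
`mailto=` query parameter or as `mailto:` inside the User-Agent header.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Deliberately simple address check: one '@', a dot in the domain, no spaces.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# `mailto:` followed by the address, stopping at whitespace or UA punctuation.
UA_MAILTO_RE = re.compile(r"mailto:([^\s;,()]+)")


def contact_from_request(url: str, user_agent: str) -> Optional[str]:
    """Return the contact address a request identifies itself with, or None."""
    # 1. `?mailto=you@example.com` on the request URL.
    params = parse_qs(urlsplit(url).query)
    for candidate in params.get("mailto", []):
        if EMAIL_RE.match(candidate):
            return candidate.lower()
    # 2. `mailto:you@example.com` anywhere in the User-Agent header.
    match = UA_MAILTO_RE.search(user_agent or "")
    if match and EMAIL_RE.match(match.group(1)):
        return match.group(1).lower()
    return None


def pool_for(url: str, user_agent: str) -> str:
    """'polite' when the request identifies a contact, otherwise 'common'."""
    return "polite" if contact_from_request(url, user_agent) else "common"


def rate_limit_key(url: str, user_agent: str, client_ip: str) -> str:
    """Key a rate limiter counts requests under.

    Polite clients are limited per contact address (so an operator can reach
    them before blocking); common clients are limited per source IP.
    """
    contact = contact_from_request(url, user_agent)
    return f"polite:{contact}" if contact else f"common:{client_ip}"
```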
Ecosyste.ms now serves 40m requests, 300GB of data and 15m worker jobs every day, and is used by governments, foundations and companies worldwide.

That growth has pushed us to the limit, so we’re working with @OpenSourceCollective to fund the next phase and inviting others to join us […]
Original post on mastodon.social
mastodon.social
September 1, 2025 at 2:47 PM
Reposted by Ecosyste.ms
Another release of my purl cli ruby gem: https://github.com/andrew/purl

You can now lookup information about a PURL in both text and json format, calling @ecosystems behind the scenes.

https://github.com/andrew/purl?tab=readme-ov-file#look-up-package-information
August 6, 2025 at 11:36 AM
Reposted by Ecosyste.ms
I’ve been thinking about how to go about federating/decentralizing @ecosystems services, lots of different ways to do it and different use cases, so I thought I’d open it up to some community input.

Would love to hear some thoughts on how to enable it on such a massive service, is activitypub […]
Original post on mastodon.social
mastodon.social
July 29, 2025 at 6:22 PM
Reposted by Ecosyste.ms
TIL there's hundreds of very popular npm modules that have been abandoned due to users deleting their accounts, and they get put in https://www.npmjs.com/~nopersonsmodules

Some of these modules have hundreds of millions of monthly downloads (some from substack and dominictarr), definitely low […]
Original post on mastodon.social
mastodon.social
July 10, 2025 at 1:43 PM
Reposted by Ecosyste.ms
Ecosystem Funds is Generally Available
**Today Open Source Collective and ecosyste.ms are launching Funds supporting 291 Open Source Ecosystems. Unsurprisingly, we call them Ecosystem Funds.**

A few, short weeks before the holidays we announced Ecosystem Funds; a collaboration between Open Source Collective and ecosyste.ms that makes it easier to support your critical software dependencies.

### What are Ecosystem Funds?

Using billions of data points from ecosyste.ms we’ve packaged millions of the most critical open source components into a few hundred Funds centred on a language, framework, or package, turning a process that can take months into a five minute conversation with your CTO.

### What have we been up to?

We launched with a $67,500 commitment from Sentry to the Rust, Python, Django and Javascript Ecosystems. We’ve since distributed over 80% of the funds in 375 individual payments to 136 projects. We’ve sent money to projects on GitHub Sponsors, Patreon, BuyMeACoffee, Ko-fi, and of course Open Collective. We contacted hundreds of maintainers, asking them to update their ‘funding.yml’ so anyone could support them; for those who didn’t, we paid maintainers directly, again through Open Collective. We’re hoping to distribute the remaining funds this month, which is why we’re launching Ecosystem Funds to the general public today.

### How does it work?

Once again for those in the back: Sponsor the technology you depend upon, we’ll do the rest. Find an ecosystem using our search and donate a single or recurring sponsorship. We handle everything else. We’ll direct your money (minus a 10% management fee) to maintainers, using the tools they have chosen to manage their finances. We allocate 100% of the donations in every fund with a balance of $1,000 or more, on a monthly basis. Every donation and payment is traceable through both Ecosystem Funds and Open Collective. Donations can be made directly through funds.ecosyste.ms or, if you have an account, on Open Collective. Companies who wish to make a large donation, or start a Fund of their own, can request an Invoice from Open Source Collective — who are already an approved vendor to most large open-source-supporting organisations.

### What’s next?

While we’re launching with nearly three hundred Funds we’re certain that we’ll have missed more than a few ecosystems around your favourite framework, tool, or package, and we’re happy to add them. Just get in touch and we’ll do some data wrangling to add it — note that we’re not going to include a Fund for just the projects you work on, that’s what GitHub Sponsors is for. We’re also hugely aware of the limitations of our approach. We’re missing all the standards bodies, documentation projects, and foundations who support open source outside of the dependency graph. We’re also missing domain-specific Funds, there’s no climate, marine, aviation, or space-exploration based Funds to support. To address this we’ll be building ways for communities (and corporations) to package their own Ecosystem Fund, and support it.

### … Just one more thing

While building a service to support thousands of the most critical software components might be enough for some, it’s not for us. Over the coming months we’ll be building a tool to track all your open source ‘investments’, to better understand the impact your money is having on the projects you depend on most.
blog.ecosyste.ms
April 7, 2025 at 5:21 PM
Reposted by Ecosyste.ms
Slopsquatting – when an LLM hallucinates a non-existent package name, and a bad actor registers it maliciously. The AI brother of typosquatting.

Credit to @sethmlarson for the name
April 8, 2025 at 2:46 PM
Reposted by Ecosyste.ms
I might be in need of a couple of ruby/rails contractors in a few weeks’ time for work on @ecosystems, know anyone? Send them my way!
April 7, 2025 at 10:51 AM
Ecosystem Funds is Generally Available
blog.ecosyste.ms
April 7, 2025 at 5:21 PM
Reposted by Ecosyste.ms
The @oscollective.org is teaming up with ecosyste.ms and @sentry.io to support the long tail of dependencies.

Will be interesting to see how this develops.

ecosyste.ms is a gem that I e.g. use to power the #neostandard canary and compatibility test lists
December 9, 2024 at 8:11 PM