Latest posts
- Standing on the shoulders of Homebrew (Apr 14, 2026, Andrew Nesbitt)
zerobrew and nanobrew have been doing the rounds as fast alternatives to Homebrew, one written in Rust with the tagline “uv-style architecture for Homebrew packages” and the other in Zig with a 1.2 MB static binary and a benchmark table comparing itself favourably against the first. Both are upfront, once you scroll past the speedup numbers, that they resolve dependencies against homebrew-core, do
- Common Package Specification (Apr 13, 2026, Andrew Nesbitt)
The Common Package Specification went stable in CMake 4.3 last year and the name caught my attention because it sounds like it might be addressing the cross-ecosystem dependency problem I’ve written about before. Reading the spec, the “common” turns out to mean common across build systems rather than common across language ecosystems: it’s a JSON format that CMake and Meson and autotools can all r
- Package Registries and Pagination (Apr 10, 2026, Andrew Nesbitt)
Package registries return every version a package has ever published in a single response, with no way to ask for less. The API formats were designed ten to twenty years ago when packages had tens of versions, not thousands, and they haven’t changed even as the ecosystems grew by orders of magnitude around them. npm’s registry API dates to 2010 when there were a few hundred packages on the registr
- Package Security Defenses for AI Agents (Apr 09, 2026, Andrew Nesbitt)
Yesterday I wrote about the package security problems AI agents face: typosquatting, registry poisoning, lockfile manipulation, install-time code execution, credential theft, and cascading failures through the dependency graph. Agents inherit all the old package security problems but resolve, install, and propagate faster than any human can review. There’s no silver bullet for securing agent codin
- Package Security Problems for AI Agents (Apr 08, 2026, Andrew Nesbitt)
I went through the recent OWASP Top 10 for Agentic Applications and pulled out the scenarios related to package management, which turn up in all ten categories and don’t sort neatly into any one of them, since a typosquatted MCP server is simultaneously a name attack, a registry attack, and a metadata poisoning vector. Package name attacks: Typosquatting and namespace confusion are some of the olde
- Who Built This? (Apr 07, 2026, Andrew Nesbitt)
Michael Stapelberg wrote last week about Go’s automatic VCS stamping: since Go 1.18, every binary built from a git checkout embeds the commit hash, timestamp, and dirty flag, queryable with go version -m or runtime/debug.ReadBuildInfo() at runtime. His argument is that every program should do this, so you can always answer “what version is running in production?” without guessing. Go is unusual in
- The Cathedral and the Catacombs (Apr 06, 2026, Andrew Nesbitt)
Eric Raymond’s The Cathedral and the Bazaar is almost thirty years old and people are still finding new ways to extend the metaphor. Drew Breunig recently described a third mode, the Winchester Mystery House, for the sprawling codebases that agentic AI produces: rooms that lead nowhere, staircases into ceilings, a single builder with no plan. That piece got me thinking, though it shares a blind sp
- What does Open Source mean? (Apr 04, 2026, Andrew Nesbitt)
Every few months someone declares that “X will kill open source” or that “open source is not sustainable” or that “open source won”, and every time the responses split into factions that seem to be having completely different conversations. People have been pointing this out for at least a decade. Replacement terms like “post-open source” never stuck, because the problem isn’t the label. The phras
- Package Manager Easter Eggs (Apr 03, 2026, Andrew Nesbitt)
It’s Easter, so here’s a tour of the easter eggs hiding inside package managers. The very first known easter egg in software dates back to 1967-68 on the PDP-6/PDP-10, where typing make love at the TOPS-10 operating system’s COMPIL program would pause and respond “not war?” before creating the file. apt and friends: A cow-shaped thread runs through the history of system package managers, starting w
- npm’s Defaults Are Bad (Mar 31, 2026, Andrew Nesbitt)
Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conv