Feed Atlas
OPML directory + server-side RSS reader

nesbitt.io


Latest posts

  • The Many Flavors of Ignore Files
    Feb 12, 2026 · Andrew Nesbitt

    A bug report in git-pkgs led me down a rabbit hole: files that git ignored were showing up as phantom diffs, and the cause turned out to be go-git’s gitignore implementation, which doesn’t match git’s actual behavior for unanchored patterns in nested directories. I went looking for a Go library that fully matched git’s pattern semantics and couldn’t find one, so I wrote git-pkgs/gitignore with a w

  • Package Management Consulting
    Feb 11, 2026 · Andrew Nesbitt

    I’m now taking on consulting work. If you’re building or running a package manager, registry, or dependency tooling, I can probably help. Over fifteen years I’ve built Libraries.io, Ecosyste.ms, git-pkgs, the Manifest podcast, co-organised the Package Management devroom at FOSDEM, and contributed to Homebrew. I’ve written integrations for dozens of package managers, tracked billions of dependency

  • Lockfiles Killed Vendoring
    Feb 10, 2026 · Andrew Nesbitt

    Whilst I was implementing a vendor command in git-pkgs, I noticed that not many package manager clients have native vendoring commands. Go has go mod vendor, Cargo has cargo vendor, and Bundler has bundle cache. That’s most of the first-class support I could find, which surprised me for something that used to be the dominant way to manage dependencies. So I went looking for what happened. Vendorin

  • Package Manager Podcast Episodes
    Feb 09, 2026 · Andrew Nesbitt

    Like the blog posts and papers collections, this is a running list of podcast episodes where people who build and maintain package managers talk about their work. Grouped by ecosystem, with a few cross-cutting episodes at the end. The Manifest (manifest.fm) is a podcast dedicated entirely to package management, hosted by Alex Pounds and me. I’ve listed its episodes under the relevant ecosystems be

  • Sandwich Bill of Materials
    Feb 08, 2026 · Andrew Nesbitt

    Specification: SBOM 1.0 (Sandwich Bill of Materials) Status: Draft Maintainer: The SBOM Working Group License: MIT (Mustard Is Transferable) Abstract Modern sandwich construction relies on a complex graph of transitive ingredients sourced from multiple registries (farms, distributors, markets). Consumers have no standardized way to enumerate the components of their lunch, assess ingredient provena

  • Dependency Resolution Methods
    Feb 06, 2026 · Andrew Nesbitt

    Every package manager faces the same core problem: given a set of packages with version constraints, find a compatible set of versions to install. The classic example is the diamond dependency: A depends on B and C, both of which depend on D but at incompatible versions. The resolver has to find a version of D that satisfies both, prove that none exists, or find some other way out. Di Cosmo et al.

  • Crates.io’s Freaky Friday
    Feb 06, 2026 · Andrew Nesbitt

    The maintainers of crates.io wake up Friday morning to find their registry has swapped design philosophies with Debian. They still serve the Rust ecosystem, Debian still serves Linux distributions, but the tradeoffs they’ve chosen have reversed. Like Tess and Anna in Freaky Friday, they’re stuck in each other’s bodies, forced to navigate constraints they’ve spent years criticizing from the outside

  • Git’s Magic Files
    Feb 05, 2026 · Andrew Nesbitt

    A follow-up to my post on extending git functionality. Git looks for several special files in your repository that control its behavior. These aren’t configuration files in .git/, they’re committed files that travel with your code and affect how git treats your files. If you’re building a tool that works with git repositories, like git-pkgs, you’ll want to ensure you respect these configs. .gitign

  • Package Management at FOSDEM 2026
    Feb 04, 2026 · Andrew Nesbitt

    FOSDEM 2026 ran last weekend in Brussels with its usual dense schedule of talks across open source projects and communities. Package management had a strong presence again this year, with a dedicated devroom plus related content scattered across the Distributions, Nix and NixOS, and SBOMs and Supply Chains tracks. Main Track Talks Kenneth Hoste presented How to Make Package Managers Scream, a foll

  • Incident Report: CVE-2024-YIKES
    Feb 03, 2026 · Andrew Nesbitt

    Report filed: 03:47 UTC Status: Resolved (accidentally) Severity: Critical → Catastrophic → Somehow Fine Duration: 73 hours Affected systems: Yes Executive Summary: A security incident occurred. It has been resolved. We take security seriously. Please see previous 14 incident reports for details on how seriously. Summary A compromised dependency in the JavaScript ecosystem led to credential theft,