Latest posts
- This Week in Package Management: 11 July 2026Jul 11, 2026Andrew Nesbitt
Week eight of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases npm 12.0.0 is out. allow-git and allow-remote now default to none, so installing git dependencies or user-supplied tarball URLs needs explicit opt-in. npm shrinkwrap is removed and npm-shrinkwrap.json is no longer honoured at the project root or inside dependency
- Package Management as Org ChartJul 10, 2026Andrew Nesbitt
Conway’s Law says organisations produce systems that copy their own communication structure. Dependency management tooling is part of the system. A resolution strategy is an opinion about how disagreements get settled; a manifest format records who is allowed to depend on whom. Monorepo, single version policy: every package in the tree must agree on one version of each dependency; upgrading anythi
- Unboxed: ZigJul 09, 2026Andrew Nesbitt
This is the first in a series of posts working through individual package managers against a fixed set of headings, so they can be compared directly. The headings come from earlier posts: the client and registry categorisations, the governance post, and the threat model. Zig’s package manager has been built into the zig binary since 0.11 in August 2023, with no separate tool and no central registr
- Content addressing in package managersJul 07, 2026Andrew Nesbitt
Content addressing identifies a piece of data by a cryptographic hash of its contents rather than by a name or a location. Two copies of the same bytes get the same identifier wherever they came from, a single changed bit produces a completely different one, and because the identifier is derived from the data itself it works as a lookup key and an integrity check at the same time. I keep running i
- This Week in Package Management: 4 July 2026Jul 04, 2026Andrew Nesbitt
Week seven of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases Hex 2.5.0 adds organisation-defined dependency policies: an organisation publishes a named policy through its repository, a project opts in via HEX_POLICY or the :hex block in mix.exs, and resolution then filters out versions that carry an advisory above a given
- The CRA is not about open sourceJul 01, 2026Andrew Nesbitt
At FOSDEM in February and again at UN Open Source Week last week, the Cyber Resilience Act was the answer on offer whenever anyone asked what governments are doing about open source security, and the foundations and corporate advocates presenting it framed it as good news for open source. It is the largest piece of software legislation the EU has passed, the open source community spent two years l
- Taking Roads and Bridges literallyJun 30, 2026Andrew Nesbitt
I spent last week at UN Open Source Week, where officials from a dozen governments stood up in turn and described open source as critical infrastructure. That framing has been the standard one since Nadia Eghbal’s Roads and Bridges report for the Ford Foundation in 2016, and after ten years it has finally reached the audience it describes. Sitting in a UN conference room full of people whose job i
- Unbundling the standard libraryJun 29, 2026Andrew Nesbitt
I got sent a link to a pull request against Dan Burton’s composition, a tiny Haskell package whose whole gimmick is that it depends on nothing, not even base. The upcoming GHC 10.2 breaks it: built-in names resolve through a real module, GHC.Essentials, which is in base, so from 10.2 every package picks up an implicit base dependency whether the cabal file declares one or not. The PR added a flag
- This Week in Package Management: 27 June 2026Jun 27, 2026Andrew Nesbitt
Week six of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Releases Spack 1.2.0 makes the rewritten parallel installer the default, adds concretization groups and concretization caching, and ships SBOM generation alongside experimental build sandboxing and a spack isolate command. pnpm 11.9 computes a tarball’s integrity from the d
- Incident Report: CVE-2026-LGTMJun 26, 2026Andrew Nesbitt
Report filed: 04:13 UTC Status: Resolved (by treaty) Severity: Informational → Critical → Withdrawn → Critical → Negotiated Duration: 96 hours (billable: 2.1 trillion tokens) Affected systems: All of them, plus several we do not own Executive Summary: A security incident occurred. Our AI-augmented defence-in-depth strategy, deployed in direct response to CVE-2024-YIKES, performed exactly as config