Reading the tea leaves
A reference list of patents and applications relevant to package manager design, with notes on prior art.
Releases, advisories, and articles from across the package management world
A survey of install-script allowlist mechanisms across package managers and language ecosystems.
How long until we see a CVE filed against a markdown file?
Releases, advisories, and articles from across the package management world
uBlock Origin for composer install
brew install spack install conda install cargo install uv tool install pip install poetry add pdm add conan
TUF, in-toto, and Sigstore only look pointless while nothing is on fire
Releases, advisories, and articles from across the package management world
A survey of unused-dependency detectors
apt install -t unstable, but make it your whole personality
A lightweight multi-ecosystem caching package proxy
The cards do not lie.
The non-CVE half of package manager security
Recurring weakness classes in package managers
Giving dependencies the same treatment the fork got
What to do when upstream ghosts you
Anne Robinson would like a word with .github/workflows
Denial, anger, bargaining, depression, acceptance, postinstall.
What happens when users design their own package registry frontend
Like the Turing test but with more tacos.
Rewriting the easy parts of Homebrew.
Not the cross-ecosystem format the name suggests.
100MB of metadata for 10,451 versions.
Lockfiles, sandboxes, and cooldown timers.
Packages all the way down, agents all the way up.
Tracing a dependency back to its source commit.
A tour of the easter eggs hiding inside package managers.
The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.