https://nesbitt.io/2025/12/25/cursed-bundler-using-go-get-to-install-ruby-gems.html · 25 Dec 2025
Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
https://nesbitt.io/2025/12/24/package-managers-keep-using-git-as-a-database.html · 24 Dec 2025
Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html · 23 Dec 2025
Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
https://nesbitt.io/2025/12/22/package-registries-are-governance-as-a-service.html · 22 Dec 2025
Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
https://nesbitt.io/2025/12/21/federated-package-management.html · 21 Dec 2025
The trade-offs that make decentralized package management impractical
https://nesbitt.io/2025/12/20/fosdem-2026-package-managers-devroom-schedule.html · 20 Dec 2025
Nine talks on supply chain security, dependency resolution, and registry economics
https://nesbitt.io/2025/12/19/why-javascript-needed-docker.html · 19 Dec 2025
How Docker became JavaScript's real lockfile
https://nesbitt.io/2025/12/18/docker-is-the-lockfile-for-system-packages.html · 18 Dec 2025
Why Docker filled the reproducibility gap that system package managers left open
https://nesbitt.io/2025/12/17/typosquatting-in-package-managers.html · 17 Dec 2025
A reference guide to typosquatting techniques, real-world examples, and detection tools.
https://nesbitt.io/2025/12/15/how-i-assess-open-source-libraries.html · 15 Dec 2025
What I actually look at when deciding whether to adopt a dependency.