Andrew Nesbitt

Andrew Nesbitt — Open source infrastructure builder, creator of Ecosyste.ms and Libraries.io

Package management and open source metadata expert. Building Ecosyste.ms, open datasets and tools for critical open source infrastructure.

Even a perfect PR with a note saying 'no rush' creates a low-grade obligation the moment it appears.

nesbitt.io

One of the foremost voices on open source package management and software supply chains. Andrew writes with deep, hands-on knowledge — he built Libraries.io and Ecosyste.ms — and his posts often compare how different language ecosystems solve the same problems. A rare blog that makes dependency management genuinely interesting to read about.

Written by Andrew Nesbitt.

About This Blog
Activity

Very Active

Publishes multiple times per week

Followers

3

Category

Independent Blog

Languages

English

Feed Accessibility

How this blog's content is accessed through Blogs Are Back.

Full Content

RSS feed includes complete post content for reading in-app

Direct Access

Feed can be fetched directly from your browser

Direct Post Links

Post pages can be loaded directly in the reader

Embeddable

Posts can be displayed inline in the reader view

Latest Posts

Recent posts from Andrew Nesbitt's RSS feed.

Package Managers Need to Cool Down

This post was requested by Seth Larson, who asked if I could do a breakdown of dependency cooldowns across package managers. His framing: all tools should support a globally-configurable exclude-newer-than=<relative duration> like 7d, to bring the response times for autonomous exploitation back into the realm of human intervention. When an attacker compromises a maintainer’s credentials or takes over a dormant package, they publish a malicious version and wait for automated tooling to pul...

Package Management is Naming All the Way Down

Package managers are usually described by what they do: resolve dependencies, download code, build artifacts. But if you look at the structure of the system instead of the process, nearly every part of it is a naming problem, and the whole thing works because we’ve agreed on how to interpret strings at each layer and because a registry sits in the middle translating between them. Registries When you run gem install rails, the client needs to know where to look. RubyGems defaults to rubygems.or...

Transitive Trust

Ken Thompson’s 1984 Turing Award lecture, Reflections on Trusting Trust, described a C compiler modified to insert a backdoor into the login program, then modified again so the compiler would replicate the backdoor in future versions of itself without any trace in the source. The source was clean, the binary was compromised, and the only way to discover the backdoor was to rebuild the entire compiler toolchain from scratch and compare the output, which nobody was going to do. The explosion of o...

Downstream Testing

The information about how a library is actually used lives in the dependents’ code, not in the library’s own tests or docs. Someone downstream is parsing your error messages with a regex, or relying on the iteration order of a result set you never documented, or depending on a method you consider internal because it wasn’t marked private in a language that doesn’t enforce visibility. Hyrum’s Law says all of these implicit contracts exist once you have enough users, and semver can’t help because...

npm Data Subject Access Request

From: Data Protection Officer, npm, Inc. (a subsidiary of GitHub, Inc., a subsidiary of Microsoft Corporation) To: [REDACTED] Date: 26 February 2026 Re: Data Subject Access Request (Ref: DSAR-2026-0041573) Response deadline: Exceeded (statutory: 30 days) Dear Data Subject, Thank you for your request under Article 15 of the General Data Protection Regulation (EU) 2016/679 to access all personal data we hold about you. We apologize for the delay in responding. Your request was initially routed...

Follow Andrew Nesbitt

If you care about how open source software actually gets distributed, maintained, and sustained, Andrew's perspective is essential reading.

https://nesbitt.io/feed.xml