Andrew Nesbitt
Andrew Nesbitt — Open source infrastructure builder, creator of Ecosyste.ms and Libraries.io
Package management and open source metadata expert. Building Ecosyste.ms, open datasets and tools for critical open source infrastructure.
nesbitt.io
"Even a perfect PR with a note saying 'no rush' creates a low-grade obligation the moment it appears."
One of the foremost voices on open source package management and software supply chains. Andrew writes with deep, hands-on knowledge — he built Libraries.io and Ecosyste.ms — and his posts often compare how different language ecosystems solve the same problems. A rare blog that makes dependency management genuinely interesting to read about.
Written by Andrew Nesbitt.
Very Active
Publishes multiple times per week
Independent Blog
English
Recent posts from Andrew Nesbitt's RSS feed.
Package Manager Patents
Patents and applications relevant to package manager design, grouped by area. Mostly US filings, found through Google Patents searches on the obvious terms. Each entry lists the assignee, filing and grant dates, and current status, followed by a short summary of the core claim and a prior-art note where open-source predecessors are well-documented. Manifests and dependency resolution US6381742B2 - Software package management. Microsoft. Filed June 1998, granted 2002, expired 2018. Claims a dis...
This Week in Package Management: 6 June 2026
Third week of the roundup, built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon. Five new project blog feeds and the NixOS announcements feed landed in the OPML this week. Security Bundler 4.0.13 ships Cooldown, a configurable time window that holds back resolution to gem versions younger than N days, so a freshly published malicious release ages past the window before a bundle install will pick it up. The companion RubyGems 4.0.13 release blocks...
Install-script allowlists
In most package managers a dependency’s install-time code runs by default the moment you install it: an npm postinstall, a Setuptools setup.py, a CPAN Makefile.PL, an RPM scriptlet, a Conda post-link, a Debian postinst. A handful require explicit per-package opt-in before any of that code runs, usually called an allowlist or a trusted-dependencies list depending on the tool. Per-package opt-in lists name which dependencies may run their install code: npm, pnpm, Bun, Deno, and Composer plugins a...
gittuf - a signed log for git refs
Commit signatures are part of git. Branch protection isn’t. It’s a row in a database run by the forge, checked by the forge’s API before accepting a push. Most of the interesting source-repository attacks have landed in the gap between the two. What the forge enforces Branch protection, required reviews, CODEOWNERS, merge queues, status checks, required signatures: every one is administered by the forge, and none follow the repository when you clone it. A server presenting the repository can s...
Skills Registry Threat Models
Agent skills bundle prompts, scripts, dependencies, and tool permissions for AI agents to load on demand. A skills registry is the distribution channel for them: a hosted marketplace, an indexed hub, or in many cases just a curated list of GitHub repos. ClawHub, Tessl, and skills.sh have all launched in the past year, mostly modelled on existing package registries. Because a skill can declare dependencies on packages from npm, pip, cargo, brew, go, apt, or anything else, often several at once,...
If you enjoy Andrew Nesbitt, you might also like these blogs.
Filippo Valsorda
words.filippo.io
Go security team member writing about cryptography and open source maintenance.
Seth Larson
sethmlarson.dev
Python security and open source infrastructure, plus retro gaming preservation and emulation.
the website of jyn
jyn.dev
Technical blog on build systems, Rust, developer tools, and the human side of software engineering.
Lukáš Lalinský
lalinsky.com
Creator of AcoustID and Picard, writing about music tech and Python.
If you care about how open source software actually gets distributed, maintained, and sustained, Andrew's perspective is essential reading.