Andrew Nesbitt
Andrew Nesbitt — Open source infrastructure builder, creator of Ecosyste.ms and Libraries.io
Package management and open source metadata expert. Building Ecosyste.ms, open datasets and tools for critical open source infrastructure.
nesbitt.io

"Even a perfect PR with a note saying 'no rush' creates a low-grade obligation the moment it appears."
One of the foremost voices on open source package management and software supply chains. Andrew writes with deep, hands-on knowledge — he built Libraries.io and Ecosyste.ms — and his posts often compare how different language ecosystems solve the same problems. A rare blog that makes dependency management genuinely interesting to read about.
Written by Andrew Nesbitt.
Very Active
Publishes multiple times per week
Independent Blog
English
How this blog's content is accessed through Blogs Are Back.
Full Content: RSS feed includes complete post content for reading in-app
Direct Access: Feed can be fetched directly from your browser
Direct Post Links: Post pages can be loaded directly in the reader
Embeddable: Posts can be displayed inline in the reader view
Recent posts from Andrew Nesbitt's RSS feed.
What’s Going On with FAIR Package Manager
The FAIR package manager started as a response to the 2024 Automattic/WP Engine conflict, when Matt Mullenweg used access to the WordPress.org plugin repository as leverage in a business dispute. Plugin authors and hosting companies watched a single person effectively weaponize the central registry, and FAIR was built to make sure that couldn’t happen again, assembling federated package distribution, cryptographic identity with DIDs and Ed25519 signatures, and a labeler system borrowed from Blue...
Forge
I keep ending up in the same place. With Libraries.io and ecosyste.ms it was package registries that all do the same thing with different APIs and different metadata formats. With git-pkgs it was lockfile formats. The pattern is always the same: open source infrastructure that does roughly the same job across ecosystems, but with enough differences in the details to make working across all of them painful. So you build a common interface and absorb the differences. Git forges are the same kind...
Reviewing ENISA’s Package Manager Advisory
ENISA, the EU’s cybersecurity agency, published a Technical Advisory for Secure Use of Package Managers in March 2026, a 26-page guide aimed at developers consuming third-party packages. I’ve been writing about package management since November 2025 and wanted to see how their recommendations line up with what I’ve found. ENISA ran a public feedback call from December 2025 to January 2026 and received fifteen contributions. I was publishing nearly every day on these same topics during that exac...
git-pkgs/actions
Until now git-pkgs has been a local tool: you run it in your terminal to query dependency history, scan for vulnerabilities, and check licenses. Getting it into CI meant downloading the binary yourself, initializing the database, and wiring up whatever checks you wanted by hand. git-pkgs/actions is a set of reusable GitHub Actions that handle all of that. A setup action downloads the binary and initializes the database, and the rest build on top of it. A dependency diff on pull requests is three li...
Just Use Postgres
A couple of weeks ago I wrote about storing git repositories in Postgres and built gitgres to prove it worked. Two tables, some PL/pgSQL, a libgit2 backend, and you could push to and clone from a database. The post ended with a missing piece: the server-side pack protocol, the part that lets a Postgres instance serve git push and git clone over HTTP without a separate application in front of it. I built that missing piece as omni_git, a Postgres extension that implements the git smart HTTP prot...
If you enjoy Andrew Nesbitt, you might also like these blogs.
Filippo Valsorda (words.filippo.io): Go security team member writing about cryptography and open source maintenance.
Seth Larson (sethmlarson.dev): Python security and open source infrastructure, plus retro gaming preservation and emulation.
the website of jyn (jyn.dev): Technical blog on build systems, Rust, developer tools, and the human side of software engineering.
Lukáš Lalinský (lalinsky.com): Creator of AcoustID and Picard, writing about music tech and Python.
If you care about how open source software actually gets distributed, maintained, and sustained, Andrew's perspective is essential reading.