[{"data":1,"prerenderedAt":494},["ShallowReactive",2],{"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns":3,"\u002Fideas":8},["Island",4],{"key":5,"result":6},"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns",{"head":7},{},[9,18,26,33,39,47,53,60,66,72,79,85,91,98,104,110,116,122,128,134,140,146,152,158,165,171,177,183,189,195,201,207,213,219,225,230,236,242,248,254,260,266,272,278,284,290,296,302,308,314,320,327,333,339,345,351,357,363,368,374,380,386,392,398,404,410,416,422,428,434,440,446,452,458,464,470,476,482,488],{"path":10,"title":11,"description":12,"authors":13,"date":15,"category":16,"featured":17},"\u002Fideas\u002Fospos-impact-funding","How OSPOs can Measure the Impact of OSS Funding","Measuring the impact of open source funding can help justify future rounds of funding",[14],"dawn","2026-06-02","funding-tech-infrastructure",false,{"path":19,"title":20,"description":21,"authors":22,"date":24,"category":25,"featured":17},"\u002Fideas\u002Fgithub-actions-security-in-python-packages","GitHub Actions security in Python packages","Thank you Dr. Zizmor",[23],"andrew","2026-05-25","software-supply-chains",{"path":27,"title":28,"description":29,"authors":30,"date":31,"category":32,"featured":17},"\u002Fideas\u002Fsigning-is-for-the-bad-days","Signing is for the bad days","TUF, in-toto, and Sigstore only look pointless while nothing is on fire",[23],"2026-05-24","package-management",{"path":34,"title":35,"description":36,"authors":37,"date":38,"category":25,"featured":17},"\u002Fideas\u002Fdependency-pruning","Dependency Pruning","A survey of unused-dependency detectors",[23],"2026-05-22",{"path":40,"title":41,"description":42,"authors":43,"date":45,"category":46,"featured":17},"\u002Fideas\u002Fnvim-treesitter-burnout","Open Source Burnout Claims Another Project","Yet another OSS maintainer quits because of burnout. To fix this, we need better mental health resources for maintainers.",[44],"vlad","2026-05-20","maintainer-well-being",{"path":48,"title":49,"description":50,"authors":51,"date":52,"category":32,"featured":17},"\u002Fideas\u002Flanguage-registries-are-unstable-by-default","Language Registries Are Unstable by Default","apt install -t unstable, but make it your whole personality",[23],"2026-05-15",{"path":54,"title":55,"description":56,"authors":57,"date":58,"category":59,"featured":17},"\u002Fideas\u002Fcentrality-is-not-vitality","Centrality is not vitality","Don't automatically reach for PageRank on dependency graphs",[23],"2026-05-14","software-metrics",{"path":61,"title":62,"description":63,"authors":64,"date":65,"category":25,"featured":17},"\u002Fideas\u002Fnot-a-security-issue","Not a Security Issue","How curl's disclosure policy filtered an AI scanner's findings at source",[23],"2026-05-12",{"path":67,"title":68,"description":69,"authors":70,"date":71,"category":59,"featured":17},"\u002Fideas\u002Fthe-mismeasure-of-open-source","The Mismeasure of Open Source","The streetlight effect in project-health scoring",[23],"2026-05-09",{"path":73,"title":74,"description":75,"authors":76,"date":77,"category":25,"featured":78},"\u002Fideas\u002Fweekend-at-bernies","Weekend at Bernie's","Which of your dependencies are wearing sunglasses",[23],"2026-05-08",true,{"path":80,"title":81,"description":82,"authors":83,"date":84,"category":25,"featured":17},"\u002Fideas\u002Ffree-as-in-tribbles","Free as in Tribbles","The next metaphor after free-as-in-puppy",[23],"2026-05-07",{"path":86,"title":87,"description":88,"authors":89,"date":90,"category":25,"featured":17},"\u002Fideas\u002Frevisiting-the-2015-open-source-census","Revisiting the 2015 Open Source Census","The riskiest projects in open source, scored a decade early",[23],"2026-05-06",{"path":92,"title":93,"description":94,"authors":95,"date":96,"category":97,"featured":17},"\u002Fideas\u002Fa-github-for-maintainers","A GitHub for maintainers","Giving dependencies the same treatment the fork got",[23],"2026-05-02","tooling",{"path":99,"title":100,"description":101,"authors":102,"date":103,"category":32,"featured":17},"\u002Fideas\u002Fpatching-and-forking-in-package-managers","Patching and forking in package managers","What to do when upstream ghosts you",[23],"2026-05-01",{"path":105,"title":106,"description":107,"authors":108,"date":109,"category":25,"featured":17},"\u002Fideas\u002Fgithub-actions-is-the-weakest-link","GitHub Actions is the weakest link","Anne Robinson would like a word with .github\u002Fworkflows",[23],"2026-04-28",{"path":111,"title":112,"description":113,"authors":114,"date":115,"category":32,"featured":17},"\u002Fideas\u002Fthe-stages-of-package-installation","The stages of package installation","Denial, anger, bargaining, depression, acceptance, postinstall.",[23],"2026-04-27",{"path":117,"title":118,"description":119,"authors":120,"date":121,"category":97,"featured":17},"\u002Fideas\u002Ffeatures-everyone-should-steal-from-npmx","Features everyone should steal from npmx","What happens when users design their own package registry frontend",[23],"2026-04-16",{"path":123,"title":124,"description":125,"authors":126,"date":127,"category":32,"featured":17},"\u002Fideas\u002Fthe-tuesday-test","The Tuesday Test","Like the Turing test but with more tacos.",[23],"2026-04-15",{"path":129,"title":130,"description":131,"authors":132,"date":133,"category":32,"featured":17},"\u002Fideas\u002Fstanding-on-the-shoulders-of-homebrew","Standing on the shoulders of Homebrew","Rewriting the easy parts of Homebrew.",[23],"2026-04-14",{"path":135,"title":136,"description":137,"authors":138,"date":139,"category":32,"featured":17},"\u002Fideas\u002Fcommon-package-specification","Common Package Specification","Not the cross-ecosystem format the name suggests.",[23],"2026-04-13",{"path":141,"title":142,"description":143,"authors":144,"date":145,"category":32,"featured":17},"\u002Fideas\u002Fpackage-registries-and-pagination","Package Registries and Pagination","100MB of metadata for 10,451 versions.",[23],"2026-04-10",{"path":147,"title":148,"description":149,"authors":150,"date":151,"category":25,"featured":17},"\u002Fideas\u002Fwho-built-this","Who Built This?","Tracing a dependency back to its source commit.",[23],"2026-04-07",{"path":153,"title":154,"description":155,"authors":156,"date":157,"category":25,"featured":17},"\u002Fideas\u002Fthe-cathedral-and-the-catacombs","The Cathedral and the Catacombs","Stretching a metaphor deep into the floor.",[23],"2026-04-06",{"path":159,"title":160,"description":161,"authors":162,"date":163,"category":164,"featured":17},"\u002Fideas\u002Fwhat-does-open-source-mean","What does Open Source mean?","A stack of incompatible expectations.",[23],"2026-04-04","philosophy",{"path":166,"title":167,"description":168,"authors":169,"date":170,"category":97,"featured":17},"\u002Fideas\u002Fpackage-manager-easter-eggs","Package Manager Easter Eggs","A tour of the easter eggs hiding inside package managers.",[23],"2026-04-03",{"path":172,"title":173,"description":174,"authors":175,"date":176,"category":32,"featured":17},"\u002Fideas\u002Fnpms-defaults-are-bad","npm's Defaults Are Bad","The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.",[23],"2026-03-31",{"path":178,"title":179,"description":180,"authors":181,"date":182,"category":97,"featured":17},"\u002Fideas\u002Fgit-diff-drivers","Git Diff Drivers","What git's diff drivers can do, from built-in language support to custom textconv filters.",[23],"2026-03-30",{"path":184,"title":185,"description":186,"authors":187,"date":188,"category":25,"featured":17},"\u002Fideas\u002Fthe-fragmented-world-of-dependency-policy","The Fragmented World of Dependency Policy","Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.",[23],"2026-03-19",{"path":190,"title":191,"description":192,"authors":193,"date":194,"category":32,"featured":17},"\u002Fideas\u002Fwhats-going-on-with-fair-package-manager","What's Going On with FAIR Package Manager","Federated FAIR pivots from WordPress to TYPO3",[23],"2026-03-14",{"path":196,"title":197,"description":198,"authors":199,"date":200,"category":25,"featured":17},"\u002Fideas\u002Freviewing-enisas-package-manager-advisory","Reviewing ENISA's Package Manager Advisory","Notes on ENISA's Technical Advisory for Secure Use of Package Managers.",[23],"2026-03-12",{"path":202,"title":203,"description":204,"authors":205,"date":206,"category":32,"featured":17},"\u002Fideas\u002Fif-it-quacks-like-a-package-manager","If It Quacks Like a Package Manager","Some tools waddle like package managers without learning to swim.",[23],"2026-03-08",{"path":208,"title":209,"description":210,"authors":211,"date":212,"category":97,"featured":17},"\u002Fideas\u002Fgitlocal",".gitlocal","Git Should Let Files Ignore Themselves",[23],"2026-03-06",{"path":214,"title":215,"description":216,"authors":217,"date":218,"category":32,"featured":17},"\u002Fideas\u002Fpackage-managers-need-to-cool-down","Package Managers Need to Cool Down","A survey of dependency cooldown support across package managers and update tools.",[23],"2026-03-04",{"path":220,"title":221,"description":222,"authors":223,"date":224,"category":164,"featured":17},"\u002Fideas\u002Fnpmx-a-lesson-in-open-source-collaboration-feedback-loops","npmx: A Lesson in Open Source's Collaboration Feedback Loops","npmx's success is reminding us why Open Source is such a special social phenomenon.",[44],"2026-03-03",{"path":226,"title":227,"description":228,"authors":229,"date":224,"category":32,"featured":17},"\u002Fideas\u002Fpackage-management-is-naming-all-the-way-down","Package Management is Naming All the Way Down","There are two hard problems in computer science, and package managers found at least eight of them.",[23],{"path":231,"title":232,"description":233,"authors":234,"date":235,"category":25,"featured":17},"\u002Fideas\u002Ftransitive-trust","Transitive Trust","You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?",[23],"2026-03-02",{"path":237,"title":238,"description":239,"authors":240,"date":241,"category":25,"featured":17},"\u002Fideas\u002Fdownstream-testing","Downstream Testing","Most library maintainers have no way to test against their dependents before releasing.",[23],"2026-03-01",{"path":243,"title":244,"description":245,"authors":246,"date":247,"category":25,"featured":17},"\u002Fideas\u002Ftwo-kinds-of-attestation","Two Kinds of Attestation","The oldest problem in computer science, but with toasters.",[23],"2026-02-25",{"path":249,"title":250,"description":251,"authors":252,"date":253,"category":32,"featured":17},"\u002Fideas\u002Freproducible-builds-in-language-package-managers","Reproducible Builds in Language Package Managers","Verifying that a published package was actually built from the source it claims.",[23],"2026-02-24",{"path":255,"title":256,"description":257,"authors":258,"date":259,"category":32,"featured":17},"\u002Fideas\u002Fwhere-do-specifications-fit-in-the-dependency-tree","Where Do Specifications Fit in the Dependency Tree?","RFC 9110 is a phantom dependency with thousands of transitive dependents.",[23],"2026-02-23",{"path":261,"title":262,"description":263,"authors":264,"date":265,"category":164,"featured":17},"\u002Fideas\u002Fwhale-fall","Whale Fall","What happens when a large open source project dies.",[23],"2026-02-21",{"path":267,"title":268,"description":269,"authors":270,"date":271,"category":32,"featured":17},"\u002Fideas\u002Fwhat-package-registries-could-borrow-from-oci","What Package Registries Could Borrow from OCI","OCI's storage primitives applied to package management.",[23],"2026-02-18",{"path":273,"title":274,"description":275,"authors":276,"date":277,"category":32,"featured":17},"\u002Fideas\u002Fseparating-download-from-install-in-docker-builds","Separating Download from Install in Docker Builds","Most package managers could separate download from install for better Docker layer caching.",[23],"2026-02-15",{"path":279,"title":280,"description":281,"authors":282,"date":283,"category":46,"featured":17},"\u002Fideas\u002Frespectful-open-source","Respectful Open Source","Maintainer attention as a finite resource.",[23],"2026-02-13",{"path":285,"title":286,"description":287,"authors":288,"date":289,"category":32,"featured":17},"\u002Fideas\u002Flockfiles-killed-vendoring","Lockfiles Killed Vendoring","Why almost nobody vendors their dependencies anymore.",[23],"2026-02-10",{"path":291,"title":292,"description":293,"authors":294,"date":295,"category":32,"featured":17},"\u002Fideas\u002Fpackage-manager-podcast-episodes","Package Manager Podcast Episodes","A reference list of podcast episodes about package managers, grouped by ecosystem.",[23],"2026-02-09",{"path":297,"title":298,"description":299,"authors":300,"date":301,"category":32,"featured":17},"\u002Fideas\u002Fcratesio-freaky-friday","Crates.io's Freaky Friday","What happens when Rust's package registry wakes up with Debian's design choices?",[23],"2026-02-06",{"path":303,"title":304,"description":305,"authors":306,"date":307,"category":32,"featured":17},"\u002Fideas\u002Fpackage-management-at-fosdem-2026","Package Management at FOSDEM 2026","Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.",[23],"2026-02-04",{"path":309,"title":310,"description":311,"authors":312,"date":313,"category":32,"featured":17},"\u002Fideas\u002Fwill-ai-make-package-managers-redundant","Will AI Make Package Managers Redundant?","Following the prompt registry idea to its logical conclusion.",[23],"2026-01-30",{"path":315,"title":316,"description":317,"authors":318,"date":319,"category":32,"featured":17},"\u002Fideas\u002Fzig-and-the-mxn-supply-chain-problem","Zig and the M×N Supply Chain Problem","Zig's long road to supply chain security.",[23],"2026-01-29",{"path":321,"title":322,"description":323,"authors":324,"date":325,"category":326,"featured":17},"\u002Fideas\u002Fthe-dependency-layer-in-digital-sovereignty","The Dependency Layer in Digital Sovereignty","Where package management fits in the digital sovereignty discussion.",[23],"2026-01-28","governance",{"path":328,"title":329,"description":330,"authors":331,"date":332,"category":25,"featured":17},"\u002Fideas\u002Fthe-c-shaped-hole-in-package-management","The C-Shaped Hole in Package Management","System package managers and language package managers are solving different problems that happen to overlap in the middle.",[23],"2026-01-27",{"path":334,"title":335,"description":336,"authors":337,"date":338,"category":32,"featured":17},"\u002Fideas\u002Fpkgfed-activitypub-for-package-releases","PkgFed: ActivityPub for Package Releases","Follow serde@crates.io from your Mastodon account",[23],"2026-01-25",{"path":340,"title":341,"description":342,"authors":343,"date":344,"category":97,"featured":17},"\u002Fideas\u002Frewriting-git-pkgs-in-go","Rewriting git-pkgs in Go","The dependency history tool is now a single Go binary.",[23],"2026-01-24",{"path":346,"title":347,"description":348,"authors":349,"date":350,"category":32,"featured":17},"\u002Fideas\u002Fpackage-management-is-a-wicked-problem","Package Management is a Wicked Problem","Why fixing package managers is harder than it looks.",[23],"2026-01-23",{"path":352,"title":353,"description":354,"authors":355,"date":356,"category":32,"featured":17},"\u002Fideas\u002Fa-protocol-for-package-management","A Protocol for Package Management","A shared vocabulary for resolution, publishing, and governance across ecosystems.",[23],"2026-01-22",{"path":358,"title":359,"description":360,"authors":361,"date":362,"category":32,"featured":17},"\u002Fideas\u002Fa-jepsen-test-for-package-managers","A Jepsen Test for Package Managers","Applying Jepsen-style adversarial testing to package managers.",[23],"2026-01-19",{"path":364,"title":365,"description":366,"authors":367,"date":362,"category":32,"featured":17},"\u002Fideas\u002Fimportmap-lock","importmap.lock: a lockfile for the web","Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.",[23],{"path":369,"title":370,"description":371,"authors":372,"date":373,"category":32,"featured":17},"\u002Fideas\u002Fworkspaces-and-monorepos-in-package-managers","Workspaces and Monorepos in Package Managers","How various package managers implement workspaces and their relationship with monorepos.",[23],"2026-01-18",{"path":375,"title":376,"description":377,"authors":378,"date":379,"category":97,"featured":17},"\u002Fideas\u002Fmaking-git-pkgs-feel-like-git","Making git-pkgs feel like Git","What it takes to make a git subcommand feel native.",[23],"2026-01-04",{"path":381,"title":382,"description":383,"authors":384,"date":385,"category":32,"featured":17},"\u002Fideas\u002Fhow-dependabot-actually-works","How Dependabot Actually Works","Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives",[23],"2026-01-02",{"path":387,"title":388,"description":389,"authors":390,"date":391,"category":32,"featured":17},"\u002Fideas\u002Fcommunity-tools-bring-lockfile-support-to-github-actions","Community Tools Bring Lockfile Support to GitHub Actions","Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification",[23],"2025-12-30",{"path":393,"title":394,"description":395,"authors":396,"date":397,"category":32,"featured":17},"\u002Fideas\u002Fthe-compact-index","The Compact Index: How Bundler Scales Dependency Resolution","The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.",[23],"2025-12-28",{"path":399,"title":400,"description":401,"authors":402,"date":403,"category":32,"featured":17},"\u002Fideas\u002Fhow-to-ruin-all-of-package-management","How to Ruin All of Package Management","Attach financial incentives to open source metrics and watch the spam flood in.",[23],"2025-12-27",{"path":405,"title":406,"description":407,"authors":408,"date":409,"category":32,"featured":17},"\u002Fideas\u002Fhow-uv-got-so-fast","How uv got so fast","uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.",[23],"2025-12-26",{"path":411,"title":412,"description":413,"authors":414,"date":415,"category":32,"featured":17},"\u002Fideas\u002Fcursed-bundler-using-go-get-to-install-ruby-gems","Cursed Bundler: Using go get to install Ruby Gems","Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.",[23],"2025-12-25",{"path":417,"title":418,"description":419,"authors":420,"date":421,"category":32,"featured":17},"\u002Fideas\u002Fpackage-managers-keep-using-git-as-a-database","Package managers keep using git as a database, it never works out","Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.",[23],"2025-12-24",{"path":423,"title":424,"description":425,"authors":426,"date":427,"category":32,"featured":17},"\u002Fideas\u002Fcould-lockfiles-just-be-sboms","Could lockfiles just be SBOMs?","Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?",[23],"2025-12-23",{"path":429,"title":430,"description":431,"authors":432,"date":433,"category":326,"featured":17},"\u002Fideas\u002Fpackage-registries-are-governance-as-a-service","Package Registries Are Governance Providers","Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.",[23],"2025-12-22",{"path":435,"title":436,"description":437,"authors":438,"date":439,"category":32,"featured":17},"\u002Fideas\u002Ffederated-package-management","Federated Package Management and the Zooko Triangle","The trade-offs that make decentralized package management impractical",[23],"2025-12-21",{"path":441,"title":442,"description":443,"authors":444,"date":445,"category":32,"featured":17},"\u002Fideas\u002Fwhy-javascript-needed-docker","Why JavaScript Needed Docker","How Docker became JavaScript's real lockfile",[23],"2025-12-19",{"path":447,"title":448,"description":449,"authors":450,"date":451,"category":32,"featured":17},"\u002Fideas\u002Fdocker-is-the-lockfile-for-system-packages","Docker is the Lockfile for System Packages","Why Docker filled the reproducibility gap that system package managers left open",[23],"2025-12-18",{"path":453,"title":454,"description":455,"authors":456,"date":457,"category":25,"featured":17},"\u002Fideas\u002Fhow-i-assess-open-source-libraries","How I Assess Open Source Libraries","What I actually look at when deciding whether to adopt a dependency.",[23],"2025-12-15",{"path":459,"title":460,"description":461,"authors":462,"date":463,"category":25,"featured":17},"\u002Fideas\u002Fslopsquatting-meets-dependency-confusion","Slopsquatting meets Dependency Confusion","LLMs can leak internal package names, making dependency confusion attacks easier to scale.",[23],"2025-12-10",{"path":465,"title":466,"description":467,"authors":468,"date":469,"category":32,"featured":17},"\u002Fideas\u002Fwhy-im-fascinated-by-package-management","Why I'm Fascinated by Package Management","From gaming magazine CDs to dependency graphs",[23],"2025-12-09",{"path":471,"title":472,"description":473,"authors":474,"date":475,"category":32,"featured":17},"\u002Fideas\u002Fgithub-actions-package-manager","GitHub Actions Has a Package Manager, and It Might Be the Worst","GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning",[23],"2025-12-06",{"path":477,"title":478,"description":479,"authors":480,"date":481,"category":97,"featured":17},"\u002Fideas\u002Frevisiting-gitballs","Revisiting Gitballs","Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.",[23],"2025-11-28",{"path":483,"title":484,"description":485,"authors":486,"date":487,"category":164,"featured":17},"\u002Fideas\u002Fkeystone-maintainers-keep-the-internet-going","Keystone Maintainers Keep the Internet Going","“Keystone maintainers” is a good name for the most impactful Open Source maintainers.",[44],"2025-11-13",{"path":489,"title":490,"description":491,"authors":492,"date":493,"category":16,"featured":17},"\u002Fideas\u002Fnot-paying-open-source-maintainers-is-expensive","Not Paying Open Source Maintainers Is Expensive","Not paying for the Open Source software you use can seem like a great deal — but it can end up costing you money.",[44],"2025-06-18",1780596102646]