[{"data":1,"prerenderedAt":271},["ShallowReactive",2],{"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns":3,"\u002Freports":8},["Island",4],{"key":5,"result":6},"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns",{"head":7},{},[9,18,26,33,39,45,51,57,63,70,76,82,88,94,100,106,112,119,125,131,137,143,149,155,161,166,172,178,184,190,196,201,206,211,216,221,226,232,240,246,252,259,265],{"path":10,"title":11,"description":12,"authors":13,"date":15,"category":16,"featured":17},"\u002Freports\u002Ffoundations","Open Source Foundation Financials","A summary of the financials of Open Source foundations.",[14],"vlad","2026-05-24","funding-tech-infrastructure",false,{"path":19,"title":20,"description":21,"authors":22,"date":24,"category":25,"featured":17},"\u002Freports\u002Fdumb-ways-for-an-open-source-project-to-die","Dumb Ways for an Open Source Project to Die","How your dependencies became Bernies",[23],"andrew","2026-05-19","software-supply-chains",{"path":27,"title":28,"description":29,"authors":30,"date":31,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-threat-models","Package Manager Threat Models","The non-CVE half of package manager security",[23],"2026-05-05","package-management",{"path":34,"title":35,"description":36,"authors":37,"date":38,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-cwes","Package Manager CWEs","Recurring weakness classes in package managers",[23],"2026-05-04",{"path":40,"title":41,"description":42,"authors":43,"date":44,"category":32,"featured":17},"\u002Freports\u002Fpackage-security-defenses-for-ai-agents","Package Security Defenses for AI Agents","Lockfiles, sandboxes, and cooldown timers.",[23],"2026-04-09",{"path":46,"title":47,"description":48,"authors":49,"date":50,"category":32,"featured":17},"\u002Freports\u002Fpackage-security-problems-for-ai-agents","Package Security Problems for AI Agents","Packages all the way down, agents all the way up.",[23],"2026-04-08",{"path":52,"title":53,"description":54,"authors":55,"date":56,"category":32,"featured":17},"\u002Freports\u002Fthe-roles-of-packages","The Roles of Packages","Applying Sajaniemi's roles of variables to packages across every kind of package manager.",[23],"2026-03-29",{"path":58,"title":59,"description":60,"authors":61,"date":62,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-mirroring","Package Manager Mirroring","Every mirroring tool I could find, and the protocols underneath them.",[23],"2026-03-20",{"path":64,"title":65,"description":66,"authors":67,"date":68,"category":69,"featured":17},"\u002Freports\u002Fgit-remote-helpers","Git Remote Helpers","Git can talk to anything if you write the right helper.",[23],"2026-03-18","tooling",{"path":71,"title":72,"description":73,"authors":74,"date":75,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-magic-files","Package Manager Magic Files","Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.",[23],"2026-03-05",{"path":77,"title":78,"description":79,"authors":80,"date":81,"category":69,"featured":17},"\u002Freports\u002Fforge-specific-repository-folders","Forge-Specific Repository Folders","Magic folders in git forges: what .github\u002F, .gitlab\u002F, .gitea\u002F, .forgejo\u002F and .bitbucket\u002F do.",[23],"2026-02-22",{"path":83,"title":84,"description":85,"authors":86,"date":87,"category":32,"featured":17},"\u002Freports\u002Fplatform-strings","Platform Strings","An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin\u002Farm64, or macosx_11_0_arm64 depending on which tool you ask.",[23],"2026-02-17",{"path":89,"title":90,"description":91,"authors":92,"date":93,"category":32,"featured":17},"\u002Freports\u002Fpackage-management-namespaces","Package Management Namespaces","Comparing namespace models across npm, Maven, Go, Swift, and crates.io.",[23],"2026-02-14",{"path":95,"title":96,"description":97,"authors":98,"date":99,"category":69,"featured":17},"\u002Freports\u002Fthe-many-flavors-of-ignore-files","The Many Flavors of Ignore Files","Please ignore all previous instructions.",[23],"2026-02-12",{"path":101,"title":102,"description":103,"authors":104,"date":105,"category":32,"featured":17},"\u002Freports\u002Fdependency-resolution-methods","Dependency Resolution Methods","A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.",[23],"2026-02-06",{"path":107,"title":108,"description":109,"authors":110,"date":111,"category":69,"featured":17},"\u002Freports\u002Fgit-magic-files","Git's Magic Files","Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.",[23],"2026-02-05",{"path":113,"title":114,"description":115,"authors":116,"date":117,"category":25,"featured":118},"\u002Freports\u002Fbinary-dependencies-identifying-the-hidden-packages-we-all-depend-on","Binary Dependencies: Identifying the Hidden Packages We All Depend On","We need better tools for uncovering phantom binary dependencies. Not having these tools makes our global tech infrastructure less secure, and puts a strain on the Open Source maintainers we rely on.",[14],"2026-01-31",true,{"path":120,"title":121,"description":122,"authors":123,"date":124,"category":32,"featured":17},"\u002Freports\u002Flockfile-format-design-and-tradeoffs","Lockfile Format Design and Tradeoffs","Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.",[23],"2026-01-17",{"path":126,"title":127,"description":128,"authors":129,"date":130,"category":25,"featured":17},"\u002Freports\u002Fhow-binary-dependencies-work","How Binary Dependencies Work Across Different Languages","Have you ever wondered how it's possible to call C code from other languages like Python? Here are the technical details — and also why this topic is important for security and sustainability.",[14],"2026-01-16",{"path":132,"title":133,"description":134,"authors":135,"date":136,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-people","Package Manager People","People who built, maintain, or research package managers.",[23],"2026-01-14",{"path":138,"title":139,"description":140,"authors":141,"date":142,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-glossary","Package Manager Glossary","A cross-ecosystem glossary of package management terms.",[23],"2026-01-13",{"path":144,"title":145,"description":146,"authors":147,"date":148,"category":32,"featured":17},"\u002Freports\u002Fpackage-management-blog-posts","Package Management Blog Posts","Blog posts, talks, and essays that changed how people think about dependency management.",[23],"2026-01-09",{"path":150,"title":151,"description":152,"authors":153,"date":154,"category":32,"featured":17},"\u002Freports\u002Fthe-package-management-landscape","The Package Management Landscape","A directory of tools, systems, and services that relate to package management.",[23],"2026-01-03",{"path":156,"title":157,"description":158,"authors":159,"date":160,"category":32,"featured":17},"\u002Freports\u002Fcategorizing-package-manager-clients","Categorizing Package Manager Clients","Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.",[23],"2025-12-29",{"path":162,"title":163,"description":164,"authors":165,"date":160,"category":32,"featured":17},"\u002Freports\u002Fcategorizing-package-registries","Categorizing Package Registries","Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.",[23],{"path":167,"title":168,"description":169,"authors":170,"date":171,"category":25,"featured":17},"\u002Freports\u002Ftyposquatting-in-package-managers","Typosquatting in Package Managers","A reference guide to typosquatting techniques, real-world examples, and detection tools.",[23],"2025-12-17",{"path":173,"title":174,"description":175,"authors":176,"date":177,"category":25,"featured":17},"\u002Freports\u002Fsupply-chain-security-tools-for-ruby","Supply Chain Security Tools for Ruby","Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.",[23],"2025-12-14",{"path":179,"title":180,"description":181,"authors":182,"date":183,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-tradeoffs","Package Manager Design Tradeoffs","Design tradeoffs in package managers",[23],"2025-12-05",{"path":185,"title":186,"description":187,"authors":188,"date":189,"category":32,"featured":17},"\u002Freports\u002Fwhat-is-a-package-manager","What is a Package Manager?","What is a package manager? Perhaps quite a few more components than you might think",[23],"2025-12-02",{"path":191,"title":192,"description":193,"authors":194,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-management-commands","Package Management Commands","A cross-reference table of commands across 48 package managers.",[23],"2025-11-30",{"path":197,"title":198,"description":199,"authors":200,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-archives","Package Manager Archives","Documentation of archive formats used by package managers, covering both language-specific ecosystems (gems, wheels, npm tarballs, crates) and system-level formats (deb, rpm, apk).",[23],{"path":202,"title":203,"description":204,"authors":205,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-hooks","Package Manager Hooks","A reference documenting lifecycle hooks across package manager ecosystems, categorizing them into two types: package-defined hooks and system\u002Fplugin hooks.",[23],{"path":207,"title":208,"description":209,"authors":210,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-manifest-examples","Package Manager Manifest Examples","Over 145 manifest and lockfile examples from 34 package ecosystems, organized by PURL type.",[23],{"path":212,"title":213,"description":214,"authors":215,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-openapi-schemas","Package Manager OpenAPI Schemas","OpenAPI 3.0 specifications for 25+ package registry APIs including npm, PyPI, Maven, RubyGems, Cargo, Docker, and Terraform.",[23],{"path":217,"title":218,"description":219,"authors":220,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-resolvers","Package Manager Resolvers","A reference documenting dependency resolution algorithms across package managers.",[23],{"path":222,"title":223,"description":224,"authors":225,"date":195,"category":32,"featured":17},"\u002Freports\u002Fpackage-managers-opml","Package Managers OPML","RSS and Atom feeds for tracking releases from package managers, registries, and related infrastructure projects.",[23],{"path":227,"title":228,"description":229,"authors":230,"date":231,"category":69,"featured":17},"\u002Freports\u002Fextending-git-functionality","Extending Git Functionality","A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.",[23],"2025-11-26",{"path":233,"title":234,"description":235,"authors":236,"date":238,"category":239,"featured":118},"\u002Freports\u002Fburnout-in-open-source-a-structural-problem-we-can-fix-together","Burnout in Open Source: A Structural Problem We Can Fix Together","Burnout is affecting the entire Open Source ecosystem. Here's what we could do to make things better.",[237],"miranda","2025-11-18","maintainer-well-being",{"path":241,"title":242,"description":243,"authors":244,"date":245,"category":32,"featured":17},"\u002Freports\u002Fpackage-manager-timeline","Package Manager Timeline","A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.",[23],"2025-11-15",{"path":247,"title":248,"description":249,"authors":250,"date":251,"category":32,"featured":17},"\u002Freports\u002Fpackage-management-papers","Package Management Papers","A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.",[23],"2025-11-13",{"path":253,"title":254,"description":255,"authors":256,"date":257,"category":258,"featured":17},"\u002Freports\u002Fopen-source-deceptive-power-or-collective-governance","Open Source: Deceptive Power or Collective Governance?","In October 2024, it emerged that WordPress co-founder Matt Mullenweg has extensive power over the entire WordPress\necosystem, which 43% of all websites on the internet run on. When he exercised this power by seizing control of code\nthat runs on tens of thousands of websites, the WordPress community realised that it was not in control of the software\nit was using, despite this software being Open Source. And many people were very upset!",[14],"2025-06-06","governance",{"path":260,"title":261,"description":262,"authors":263,"date":264,"category":16,"featured":17},"\u002Freports\u002Fwhy-and-how-companies-should-pay-open-source-maintainers","Why and How Companies Should Pay Open Source Maintainers","",[14],"2025-02-02",{"path":266,"title":267,"description":268,"authors":269,"date":270,"category":32,"featured":17},"\u002Freports\u002Ffrom-zerover-to-semver-a-comprehensive-list-of-versioning-schemes-in-open-source","From ZeroVer to SemVer: A List of Versioning Schemes in Open Source","A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.",[23],"2024-06-24",1780596102645]