[{"data":1,"prerenderedAt":3045},["ShallowReactive",2],{"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns":3,"\u002Freports\u002Fthe-package-management-landscape":8},["Island",4],{"key":5,"result":6},"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns",{"head":7},{},{"id":9,"title":10,"authors":11,"body":13,"canonicalUrl":3031,"canonicalWebsiteName":3032,"category":3033,"date":3034,"description":3035,"extension":3036,"featured":3037,"fullWidthLayout":3037,"image":3038,"imageAlt":3038,"location":3038,"meta":3039,"metaImage":3038,"navigation":3040,"path":3041,"seo":3042,"stem":3043,"venue":3038,"venueUrl":3038,"__hash__":3044},"reports\u002Freports\u002Fthe-package-management-landscape.md","The Package Management Landscape",[12],"andrew",{"type":14,"value":15,"toc":3009},"minimark",[16,20,101,105,113,160,195,210,220,230,265,280,290,305,320,340,350,370,380,395,405,415,430,440,450,463,493,503,513,523,533,543,558,568,578,588,598,611,624,632,642,645,653,668,688,708,718,728,738,753,763,773,793,813,828,838,848,857,867,877,887,896,900,903,913,948,963,973,977,980,1000,1020,1035,1045,1055,1059,1062,1082,1106,1126,1156,1181,1211,1221,1230,1240,1244,1247,1258,1268,1278,1288,1298,1314,1324,1334,1338,1341,1351,1361,1371,1381,1391,1401,1427,1437,1470,1473,1476,1486,1501,1511,1526,1546,1561,1576,1591,1604,1607,1610,1667,1692,1717,1737,1741,1744,1804,1840,1853,1919,1946,1971,1981,1996,2000,2003,2038,2068,2083,2106,2146,2182,2186,2189,2231,2251,2261,2281,2301,2331,2356,2382,2385,2388,2404,2414,2424,2434,2444,2454,2464,2468,2471,2516,2549,2570,2593,2597,2600,2610,2624,2634,2649,2652,2660,2680,2705,2720,2724,2732,2757,2772,2792,2822,2837,2857,2861,2864,2889,2918,2928,2945,2965,2981,2992,2995],[17,18,19],"p",{},"A directory of tools, libraries, registries, and standards across package management. 
I put this together partly as a reference, partly to track which areas I've covered in other posts.",[17,21,22,26,27,32,33,32,37,32,41,32,45,32,49,32,53,32,57,32,61,32,65,32,69,32,73,32,77,32,81,32,85,32,89,32,93,32,97],{},[23,24,25],"strong",{},"Contents:"," ",[28,29,31],"a",{"href":30},"#language-package-managers","Language package managers"," · ",[28,34,36],{"href":35},"#system-package-managers","System package managers",[28,38,40],{"href":39},"#package-manager-frontends","Frontends",[28,42,44],{"href":43},"#editor-and-ide-plugin-managers","Editor plugins",[28,46,48],{"href":47},"#universal-and-cross-language-tools","Universal tools",[28,50,52],{"href":51},"#dependency-resolution-libraries","Resolution libraries",[28,54,56],{"href":55},"#manifest-and-lockfile-parsing","Manifest parsing",[28,58,60],{"href":59},"#registry-software","Registry software",[28,62,64],{"href":63},"#enterprise-tools","Enterprise tools",[28,66,68],{"href":67},"#security-and-analysis-tools","Security tools",[28,70,72],{"href":71},"#metadata-and-discovery-platforms","Metadata platforms",[28,74,76],{"href":75},"#sbom-and-supply-chain-tools","SBOM tools",[28,78,80],{"href":79},"#trusted-publishing","Trusted publishing",[28,82,84],{"href":83},"#monorepo-and-workspace-tools","Monorepo tools",[28,86,88],{"href":87},"#build-tools-with-dependency-management","Build tools",[28,90,92],{"href":91},"#research","Research",[28,94,96],{"href":95},"#governance-and-best-practices","Governance",[28,98,100],{"href":99},"#standards-and-specifications","Standards",[102,103,31],"h2",{"id":104},"language-package-managers",[17,106,107,108,112],{},"Each programming language ecosystem has at least one package manager, often several. 
The ",[28,109,111],{"href":110},"\u002Freports\u002Fcategorizing-package-manager-clients","categorizing clients"," post covers their resolution algorithms, lockfile strategies, and manifest formats in detail.",[17,114,115,26,118,124,125,124,130,124,135,124,140,124,145,124,150,124,155],{},[23,116,117],{},"JavaScript\u002FTypeScript:",[28,119,123],{"href":120,"rel":121},"https:\u002F\u002Fwww.npmjs.com",[122],"nofollow","npm",", ",[28,126,129],{"href":127,"rel":128},"https:\u002F\u002Fyarnpkg.com",[122],"Yarn",[28,131,134],{"href":132,"rel":133},"https:\u002F\u002Fpnpm.io",[122],"pnpm",[28,136,139],{"href":137,"rel":138},"https:\u002F\u002Fbun.sh",[122],"Bun",[28,141,144],{"href":142,"rel":143},"https:\u002F\u002Fdeno.land",[122],"Deno",[28,146,149],{"href":147,"rel":148},"https:\u002F\u002Fjsr.io",[122],"jsr.io",[28,151,154],{"href":152,"rel":153},"https:\u002F\u002Fgithub.com\u002Fnodejs\u002Fcorepack",[122],"Corepack",[28,156,159],{"href":157,"rel":158},"https:\u002F\u002Fgithub.com\u002Fjspm\u002Fjspm",[122],"jspm",[17,161,162,26,165,124,170,124,175,124,180,124,185,124,190],{},[23,163,164],{},"Python:",[28,166,169],{"href":167,"rel":168},"https:\u002F\u002Fpip.pypa.io",[122],"pip",[28,171,174],{"href":172,"rel":173},"https:\u002F\u002Fpython-poetry.org",[122],"Poetry",[28,176,179],{"href":177,"rel":178},"https:\u002F\u002Fgithub.com\u002Fastral-sh\u002Fuv",[122],"uv",[28,181,184],{"href":182,"rel":183},"https:\u002F\u002Fpdm-project.org",[122],"pdm",[28,186,189],{"href":187,"rel":188},"https:\u002F\u002Fpipenv.pypa.io",[122],"pipenv",[28,191,194],{"href":192,"rel":193},"https:\u002F\u002Fgithub.com\u002Fpypa\u002Fhatch",[122],"Hatch",[17,196,197,26,200,124,205],{},[23,198,199],{},"Ruby:",[28,201,204],{"href":202,"rel":203},"https:\u002F\u002Frubygems.org",[122],"RubyGems",[28,206,209],{"href":207,"rel":208},"https:\u002F\u002Fbundler.io",[122],"Bundler",[17,211,212,26,215],{},[23,213,214],{},"Rust:",[28,216,219],{"href":217,"rel":218},"https:\u002F\u002Fdoc.rust-l
ang.org\u002Fcargo\u002F",[122],"Cargo",[17,221,222,26,225],{},[23,223,224],{},"Go:",[28,226,229],{"href":227,"rel":228},"https:\u002F\u002Fgo.dev\u002Fref\u002Fmod",[122],"Go modules",[17,231,232,26,235,124,240,124,245,124,250,124,255,124,260],{},[23,233,234],{},"Java\u002FJVM:",[28,236,239],{"href":237,"rel":238},"https:\u002F\u002Fmaven.apache.org",[122],"Maven",[28,241,244],{"href":242,"rel":243},"https:\u002F\u002Fgradle.org",[122],"Gradle",[28,246,249],{"href":247,"rel":248},"https:\u002F\u002Fwww.scala-sbt.org",[122],"sbt",[28,251,254],{"href":252,"rel":253},"https:\u002F\u002Fleiningen.org",[122],"Leiningen",[28,256,259],{"href":257,"rel":258},"https:\u002F\u002Fant.apache.org\u002Fivy\u002F",[122],"Ivy",[28,261,264],{"href":262,"rel":263},"https:\u002F\u002Fgithub.com\u002Fcoursier\u002Fcoursier",[122],"Coursier",[17,266,267,26,270,124,275],{},[23,268,269],{},"C#\u002F.NET:",[28,271,274],{"href":272,"rel":273},"https:\u002F\u002Fwww.nuget.org",[122],"NuGet",[28,276,279],{"href":277,"rel":278},"https:\u002F\u002Ffsprojects.github.io\u002FPaket\u002F",[122],"Paket",[17,281,282,26,285],{},[23,283,284],{},"PHP:",[28,286,289],{"href":287,"rel":288},"https:\u002F\u002Fgetcomposer.org",[122],"Composer",[17,291,292,26,295,124,300],{},[23,293,294],{},"Elixir:",[28,296,299],{"href":297,"rel":298},"https:\u002F\u002Fhexdocs.pm\u002Fmix\u002FMix.html",[122],"Mix",[28,301,304],{"href":302,"rel":303},"https:\u002F\u002Fhex.pm",[122],"Hex",[17,306,307,26,310,124,315],{},[23,308,309],{},"Haskell:",[28,311,314],{"href":312,"rel":313},"https:\u002F\u002Fwww.haskell.org\u002Fcabal\u002F",[122],"Cabal",[28,316,319],{"href":317,"rel":318},"https:\u002F\u002Fdocs.haskellstack.org",[122],"Stack",[17,321,322,26,325,124,330,124,335],{},[23,323,324],{},"Swift\u002FObjective-C:",[28,326,329],{"href":327,"rel":328},"https:\u002F\u002Fwww.swift.org\u002Fdocumentation\u002Fpackage-manager\u002F",[122],"Swift Package 
Manager",[28,331,334],{"href":332,"rel":333},"https:\u002F\u002Fcocoapods.org",[122],"CocoaPods",[28,336,339],{"href":337,"rel":338},"https:\u002F\u002Fgithub.com\u002FCarthage\u002FCarthage",[122],"Carthage",[17,341,342,26,345],{},[23,343,344],{},"Dart:",[28,346,349],{"href":347,"rel":348},"https:\u002F\u002Fpub.dev",[122],"pub",[17,351,352,26,355,124,360,124,365],{},[23,353,354],{},"R:",[28,356,359],{"href":357,"rel":358},"https:\u002F\u002Fcran.r-project.org",[122],"CRAN",[28,361,364],{"href":362,"rel":363},"https:\u002F\u002Frstudio.github.io\u002Frenv\u002F",[122],"renv",[28,366,369],{"href":367,"rel":368},"https:\u002F\u002Fpak.r-lib.org",[122],"pak",[17,371,372,26,375],{},[23,373,374],{},"Julia:",[28,376,379],{"href":377,"rel":378},"https:\u002F\u002Fpkgdocs.julialang.org",[122],"Pkg",[17,381,382,26,385,124,390],{},[23,383,384],{},"Perl:",[28,386,389],{"href":387,"rel":388},"https:\u002F\u002Fwww.cpan.org",[122],"CPAN",[28,391,394],{"href":392,"rel":393},"https:\u002F\u002Fcpanmin.us",[122],"cpanm",[17,396,397,26,400],{},[23,398,399],{},"Lua:",[28,401,404],{"href":402,"rel":403},"https:\u002F\u002Fluarocks.org",[122],"LuaRocks",[17,406,407,26,410],{},[23,408,409],{},"Elm:",[28,411,414],{"href":412,"rel":413},"https:\u002F\u002Fpackage.elm-lang.org",[122],"elm-package",[17,416,417,26,420,124,425],{},[23,418,419],{},"OCaml:",[28,421,424],{"href":422,"rel":423},"https:\u002F\u002Fopam.ocaml.org",[122],"opam",[28,426,429],{"href":427,"rel":428},"https:\u002F\u002Fgithub.com\u002Fesy\u002Fesy",[122],"esy",[17,431,432,26,435],{},[23,433,434],{},"Racket:",[28,436,439],{"href":437,"rel":438},"https:\u002F\u002Fdocs.racket-lang.org\u002Fpkg\u002F",[122],"raco pkg",[17,441,442,26,445],{},[23,443,444],{},"Zig:",[28,446,449],{"href":447,"rel":448},"https:\u002F\u002Fziglang.org\u002Flearn\u002Fbuild-system\u002F",[122],"Zig package 
manager",[17,451,452,26,455,124,458],{},[23,453,454],{},"Clojure:",[28,456,254],{"href":252,"rel":457},[122],[28,459,462],{"href":460,"rel":461},"https:\u002F\u002Fclojure.org\u002Fguides\u002Fdeps_and_cli",[122],"deps.edn",[17,464,465,26,468,124,473,124,478,124,483,124,488],{},[23,466,467],{},"C\u002FC++:",[28,469,472],{"href":470,"rel":471},"https:\u002F\u002Fconan.io",[122],"Conan",[28,474,477],{"href":475,"rel":476},"https:\u002F\u002Fvcpkg.io",[122],"vcpkg",[28,479,482],{"href":480,"rel":481},"https:\u002F\u002Fhunter.readthedocs.io",[122],"Hunter",[28,484,487],{"href":485,"rel":486},"https:\u002F\u002Fgithub.com\u002Fcpm-cmake\u002FCPM.cmake",[122],"CPM.cmake",[28,489,492],{"href":490,"rel":491},"https:\u002F\u002Fgithub.com\u002FAcademySoftwareFoundation\u002Frez",[122],"Rez",[17,494,495,26,498],{},[23,496,497],{},"Nim:",[28,499,502],{"href":500,"rel":501},"https:\u002F\u002Fgithub.com\u002Fnim-lang\u002Fnimble",[122],"Nimble",[17,504,505,26,508],{},[23,506,507],{},"Fortran:",[28,509,512],{"href":510,"rel":511},"https:\u002F\u002Ffpm.fortran-lang.org",[122],"fpm",[17,514,515,26,518],{},[23,516,517],{},"Crystal:",[28,519,522],{"href":520,"rel":521},"https:\u002F\u002Fcrystal-lang.org\u002Freference\u002Fthe_shards_command\u002F",[122],"Shards",[17,524,525,26,528],{},[23,526,527],{},"Ada:",[28,529,532],{"href":530,"rel":531},"https:\u002F\u002Falire.ada.dev",[122],"Alire",[17,534,535,26,538],{},[23,536,537],{},"D:",[28,539,542],{"href":540,"rel":541},"https:\u002F\u002Fcode.dlang.org",[122],"DUB",[17,544,545,26,548,124,553],{},[23,546,547],{},"Common 
Lisp:",[28,549,552],{"href":550,"rel":551},"https:\u002F\u002Fwww.quicklisp.org",[122],"Quicklisp",[28,554,557],{"href":555,"rel":556},"https:\u002F\u002Fgithub.com\u002Ffukamachi\u002Fqlot",[122],"qlot",[17,559,560,26,563],{},[23,561,562],{},"Scheme:",[28,564,567],{"href":565,"rel":566},"https:\u002F\u002Fakkuscm.org",[122],"AKKU",[17,569,570,26,573],{},[23,571,572],{},"Janet:",[28,574,577],{"href":575,"rel":576},"https:\u002F\u002Fgithub.com\u002Fjanet-lang\u002Fjpm",[122],"jpm",[17,579,580,26,583],{},[23,581,582],{},"V:",[28,584,587],{"href":585,"rel":586},"https:\u002F\u002Fvpm.vlang.io",[122],"VPM",[17,589,590,26,593],{},[23,591,592],{},"Raku:",[28,594,597],{"href":595,"rel":596},"https:\u002F\u002Fgithub.com\u002Fugexe\u002Fzef",[122],"zef",[17,599,600,26,603,124,608],{},[23,601,602],{},"Erlang:",[28,604,607],{"href":605,"rel":606},"https:\u002F\u002Frebar3.org",[122],"rebar3",[28,609,304],{"href":302,"rel":610},[122],[17,612,613,26,616,124,619],{},[23,614,615],{},"Scala:",[28,617,249],{"href":247,"rel":618},[122],[28,620,623],{"href":621,"rel":622},"https:\u002F\u002Fmill-build.org",[122],"Mill",[17,625,626,26,629],{},[23,627,628],{},"Kotlin:",[28,630,244],{"href":242,"rel":631},[122],[17,633,634,26,637],{},[23,635,636],{},"Mojo:",[28,638,641],{"href":639,"rel":640},"https:\u002F\u002Fpixi.sh",[122],"Pixi",[102,643,36],{"id":644},"system-package-managers",[17,646,647,648,652],{},"Operating system package managers handle system-level software: libraries, applications, kernel modules. 
The ",[28,649,651],{"href":650},"\u002Freports\u002Fcategorizing-package-registries","categorizing registries"," post covers their architectures and governance.",[17,654,655,26,658,124,663],{},[23,656,657],{},"Debian\u002FUbuntu:",[28,659,662],{"href":660,"rel":661},"https:\u002F\u002Fwiki.debian.org\u002FApt",[122],"apt",[28,664,667],{"href":665,"rel":666},"https:\u002F\u002Fwiki.debian.org\u002Fdpkg",[122],"dpkg",[17,669,670,26,673,124,678,124,683],{},[23,671,672],{},"Fedora\u002FRHEL\u002FCentOS:",[28,674,677],{"href":675,"rel":676},"https:\u002F\u002Fdnf.readthedocs.io",[122],"dnf",[28,679,682],{"href":680,"rel":681},"http:\u002F\u002Fyum.baseurl.org",[122],"yum",[28,684,687],{"href":685,"rel":686},"https:\u002F\u002Frpm.org",[122],"rpm",[17,689,690,26,693,124,698,124,703],{},[23,691,692],{},"Arch:",[28,694,697],{"href":695,"rel":696},"https:\u002F\u002Fwiki.archlinux.org\u002Ftitle\u002FPacman",[122],"pacman",[28,699,702],{"href":700,"rel":701},"https:\u002F\u002Fgithub.com\u002FJguer\u002Fyay",[122],"yay",[28,704,707],{"href":705,"rel":706},"https:\u002F\u002Fgithub.com\u002FMorganamilo\u002Fparu",[122],"paru",[17,709,710,26,713],{},[23,711,712],{},"Alpine:",[28,714,717],{"href":715,"rel":716},"https:\u002F\u002Fwiki.alpinelinux.org\u002Fwiki\u002FAlpine_Package_Keeper",[122],"apk",[17,719,720,26,723],{},[23,721,722],{},"openSUSE:",[28,724,727],{"href":725,"rel":726},"https:\u002F\u002Fen.opensuse.org\u002FPortal:Zypper",[122],"zypper",[17,729,730,26,733],{},[23,731,732],{},"Gentoo:",[28,734,737],{"href":735,"rel":736},"https:\u002F\u002Fwiki.gentoo.org\u002Fwiki\u002FPortage",[122],"Portage",[17,739,740,26,743,124,748],{},[23,741,742],{},"Slackware:",[28,744,747],{"href":745,"rel":746},"http:\u002F\u002Fwww.slackware.com\u002Fconfig\u002Fpackages.php",[122],"pkgtool",[28,749,752],{"href":750,"rel":751},"https:\u002F\u002Fslackpkg.org",[122],"slackpkg",[17,754,755,26,758],{},[23,756,757],{},"Source 
Mage:",[28,759,762],{"href":760,"rel":761},"https:\u002F\u002Fsourcemage.org\u002FSorcery",[122],"Sorcery",[17,764,765,26,768],{},[23,766,767],{},"Void:",[28,769,772],{"href":770,"rel":771},"https:\u002F\u002Fdocs.voidlinux.org\u002Fxbps\u002Findex.html",[122],"xbps",[17,774,775,26,778,124,783,124,788],{},[23,776,777],{},"macOS:",[28,779,782],{"href":780,"rel":781},"https:\u002F\u002Fbrew.sh",[122],"Homebrew",[28,784,787],{"href":785,"rel":786},"https:\u002F\u002Fwww.macports.org",[122],"MacPorts",[28,789,792],{"href":790,"rel":791},"https:\u002F\u002Fwww.finkproject.org",[122],"Fink",[17,794,795,26,798,124,803,124,808],{},[23,796,797],{},"Windows:",[28,799,802],{"href":800,"rel":801},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fwindows\u002Fpackage-manager\u002F",[122],"winget",[28,804,807],{"href":805,"rel":806},"https:\u002F\u002Fchocolatey.org",[122],"Chocolatey",[28,809,812],{"href":810,"rel":811},"https:\u002F\u002Fscoop.sh",[122],"Scoop",[17,814,815,26,818,124,823],{},[23,816,817],{},"FreeBSD:",[28,819,822],{"href":820,"rel":821},"https:\u002F\u002Fwww.freebsd.org\u002Fcgi\u002Fman.cgi?pkg(7)",[122],"pkg",[28,824,827],{"href":825,"rel":826},"https:\u002F\u002Fwww.freebsd.org\u002Fports\u002F",[122],"ports",[17,829,830,26,833],{},[23,831,832],{},"OpenBSD:",[28,834,837],{"href":835,"rel":836},"https:\u002F\u002Fman.openbsd.org\u002Fpkg_add",[122],"pkg_add",[17,839,840,26,843],{},[23,841,842],{},"NetBSD:",[28,844,847],{"href":845,"rel":846},"https:\u002F\u002Fwww.pkgsrc.org",[122],"pkgsrc",[17,849,850,26,853],{},[23,851,852],{},"DragonFly 
BSD:",[28,854,822],{"href":855,"rel":856},"https:\u002F\u002Fwww.dragonflybsd.org\u002Fdocs\u002Fhandbook\u002Fpkgsrc\u002F",[122],[17,858,859,26,862],{},[23,860,861],{},"NixOS:",[28,863,866],{"href":864,"rel":865},"https:\u002F\u002Fnixos.org",[122],"nix",[17,868,869,26,872],{},[23,870,871],{},"Solus:",[28,873,876],{"href":874,"rel":875},"https:\u002F\u002Fhelp.getsol.us\u002Fdocs\u002Fpackaging",[122],"eopkg",[17,878,879,26,882],{},[23,880,881],{},"Android:",[28,883,886],{"href":884,"rel":885},"https:\u002F\u002Fdeveloper.android.com\u002Fstudio\u002Fcommand-line\u002Fapkanalyzer",[122],"APK",[17,888,889,26,892],{},[23,890,891],{},"Termux:",[28,893,822],{"href":894,"rel":895},"https:\u002F\u002Fwiki.termux.com\u002Fwiki\u002FPackage_Management",[122],[102,897,899],{"id":898},"package-manager-frontends","Package manager frontends",[17,901,902],{},"Abstraction layers and graphical interfaces for system package managers.",[17,904,905,26,908],{},[23,906,907],{},"Abstraction layers:",[28,909,912],{"href":910,"rel":911},"https:\u002F\u002Fwww.freedesktop.org\u002Fsoftware\u002FPackageKit\u002F",[122],"PackageKit",[17,914,915,26,918,124,923,124,928,124,933,124,938,124,943],{},[23,916,917],{},"GUI frontends:",[28,919,922],{"href":920,"rel":921},"https:\u002F\u002Fgithub.com\u002Fmvo5\u002Fsynaptic",[122],"Synaptic",[28,924,927],{"href":925,"rel":926},"https:\u002F\u002Fapps.gnome.org\u002FSoftware\u002F",[122],"GNOME Software",[28,929,932],{"href":930,"rel":931},"https:\u002F\u002Fgitlab.manjaro.org\u002Fapplications\u002Fpamac",[122],"Pamac",[28,934,937],{"href":935,"rel":936},"https:\u002F\u002Ftintaescura.com\u002Fprojects\u002Foctopi\u002F",[122],"Octopi",[28,939,942],{"href":940,"rel":941},"https:\u002F\u002Fuserbase.kde.org\u002FApper",[122],"Apper",[28,944,947],{"href":945,"rel":946},"https:\u002F\u002Fapps.kde.org\u002Fdiscover\u002F",[122],"Discover",[17,949,950,26,953,124,958],{},[23,951,952],{},"Package 
converters:",[28,954,957],{"href":955,"rel":956},"https:\u002F\u002Fsourceforge.net\u002Fprojects\u002Falien-pkg-convert\u002F",[122],"Alien",[28,959,962],{"href":960,"rel":961},"https:\u002F\u002Fgithub.com\u002Fhelixarch\u002Fdebtap",[122],"debtap",[17,964,965,26,968],{},[23,966,967],{},"Local build integration:",[28,969,972],{"href":970,"rel":971},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCheckInstall",[122],"CheckInstall",[102,974,976],{"id":975},"editor-and-ide-plugin-managers","Editor and IDE plugin managers",[17,978,979],{},"Editors and IDEs have their own package ecosystems for extensions and plugins.",[17,981,982,26,985,124,990,124,995],{},[23,983,984],{},"Emacs:",[28,986,989],{"href":987,"rel":988},"https:\u002F\u002Fmelpa.org",[122],"MELPA",[28,991,994],{"href":992,"rel":993},"https:\u002F\u002Felpa.gnu.org",[122],"GNU ELPA",[28,996,999],{"href":997,"rel":998},"https:\u002F\u002Fwww.gnu.org\u002Fsoftware\u002Femacs\u002Fmanual\u002Fhtml_node\u002Femacs\u002FPackages.html",[122],"package.el",[17,1001,1002,26,1005,124,1010,124,1015],{},[23,1003,1004],{},"Vim\u002FNeovim:",[28,1006,1009],{"href":1007,"rel":1008},"https:\u002F\u002Fgithub.com\u002Fjunegunn\u002Fvim-plug",[122],"vim-plug",[28,1011,1014],{"href":1012,"rel":1013},"https:\u002F\u002Fgithub.com\u002Ffolke\u002Flazy.nvim",[122],"lazy.nvim",[28,1016,1019],{"href":1017,"rel":1018},"https:\u002F\u002Fgithub.com\u002Fwbthomason\u002Fpacker.nvim",[122],"Packer",[17,1021,1022,26,1025,124,1030],{},[23,1023,1024],{},"VSCode:",[28,1026,1029],{"href":1027,"rel":1028},"https:\u002F\u002Fmarketplace.visualstudio.com\u002Fvscode",[122],"Extensions Marketplace",[28,1031,1034],{"href":1032,"rel":1033},"https:\u002F\u002Fopen-vsx.org",[122],"Open VSX",[17,1036,1037,26,1040],{},[23,1038,1039],{},"Sublime Text:",[28,1041,1044],{"href":1042,"rel":1043},"https:\u002F\u002Fpackagecontrol.io",[122],"Package 
Control",[17,1046,1047,26,1050],{},[23,1048,1049],{},"JetBrains:",[28,1051,1054],{"href":1052,"rel":1053},"https:\u002F\u002Fplugins.jetbrains.com",[122],"Plugin Marketplace",[102,1056,1058],{"id":1057},"universal-and-cross-language-tools","Universal and cross-language tools",[17,1060,1061],{},"These tools work across language boundaries, managing runtimes, environments, or entire system configurations.",[17,1063,1064,26,1067,124,1072,124,1077],{},[23,1065,1066],{},"Universal Linux packages:",[28,1068,1071],{"href":1069,"rel":1070},"https:\u002F\u002Fflatpak.org",[122],"Flatpak",[28,1073,1076],{"href":1074,"rel":1075},"https:\u002F\u002Fsnapcraft.io",[122],"Snap",[28,1078,1081],{"href":1079,"rel":1080},"https:\u002F\u002Fappimage.org",[122],"AppImage",[17,1083,1084,26,1087,124,1091,124,1096,124,1101],{},[23,1085,1086],{},"Reproducible environments:",[28,1088,1090],{"href":864,"rel":1089},[122],"Nix",[28,1092,1095],{"href":1093,"rel":1094},"https:\u002F\u002Fguix.gnu.org",[122],"Guix",[28,1097,1100],{"href":1098,"rel":1099},"https:\u002F\u002Fwww.jetify.com\u002Fdevbox",[122],"devbox",[28,1102,1105],{"href":1103,"rel":1104},"https:\u002F\u002Ftea.xyz",[122],"tea",[17,1107,1108,26,1111,124,1116,124,1121],{},[23,1109,1110],{},"Version\u002Fenvironment managers:",[28,1112,1115],{"href":1113,"rel":1114},"https:\u002F\u002Fasdf-vm.com",[122],"asdf",[28,1117,1120],{"href":1118,"rel":1119},"https:\u002F\u002Fmise.jdx.dev",[122],"mise",[28,1122,1125],{"href":1123,"rel":1124},"https:\u002F\u002Fgithub.com\u002Fanyenv\u002Fanyenv",[122],"anyenv",[17,1127,1128,26,1131,124,1136,124,1141,124,1146,124,1151],{},[23,1129,1130],{},"Container registries:",[28,1132,1135],{"href":1133,"rel":1134},"https:\u002F\u002Fhub.docker.com",[122],"Docker Hub",[28,1137,1140],{"href":1138,"rel":1139},"https:\u002F\u002Fghcr.io",[122],"GitHub Container 
Registry",[28,1142,1145],{"href":1143,"rel":1144},"https:\u002F\u002Fquay.io",[122],"Quay.io",[28,1147,1150],{"href":1148,"rel":1149},"https:\u002F\u002Faws.amazon.com\u002Fecr\u002F",[122],"Amazon ECR",[28,1152,1155],{"href":1153,"rel":1154},"https:\u002F\u002Fcloud.google.com\u002Fartifact-registry",[122],"Google Artifact Registry",[17,1157,1158,26,1161,124,1166,124,1171,124,1176],{},[23,1159,1160],{},"Infrastructure packages:",[28,1162,1165],{"href":1163,"rel":1164},"https:\u002F\u002Fregistry.terraform.io",[122],"Terraform Registry",[28,1167,1170],{"href":1168,"rel":1169},"https:\u002F\u002Fgalaxy.ansible.com",[122],"Ansible Galaxy",[28,1172,1175],{"href":1173,"rel":1174},"https:\u002F\u002Fforge.puppet.com",[122],"Puppet Forge",[28,1177,1180],{"href":1178,"rel":1179},"https:\u002F\u002Fsupermarket.chef.io",[122],"Chef Supermarket",[17,1182,1183,26,1186,124,1191,124,1196,124,1201,124,1206],{},[23,1184,1185],{},"Scientific computing:",[28,1187,1190],{"href":1188,"rel":1189},"https:\u002F\u002Fdocs.conda.io",[122],"Conda",[28,1192,1195],{"href":1193,"rel":1194},"https:\u002F\u002Fmamba.readthedocs.io",[122],"Mamba",[28,1197,1200],{"href":1198,"rel":1199},"https:\u002F\u002Fspack.io",[122],"Spack",[28,1202,1205],{"href":1203,"rel":1204},"https:\u002F\u002Feasybuild.io",[122],"EasyBuild",[28,1207,1210],{"href":1208,"rel":1209},"https:\u002F\u002Fmodules.readthedocs.io",[122],"modules",[17,1212,1213,26,1216],{},[23,1214,1215],{},"Embedded\u002FIoT:",[28,1217,1220],{"href":1218,"rel":1219},"https:\u002F\u002Fplatformio.org",[122],"PlatformIO",[17,1222,1223,26,1226],{},[23,1224,1225],{},"Package format converters:",[28,1227,512],{"href":1228,"rel":1229},"https:\u002F\u002Fgithub.com\u002Fjordansissel\u002Ffpm",[122],[17,1231,1232,26,1235],{},[23,1233,1234],{},"Meta package 
managers:",[28,1236,1239],{"href":1237,"rel":1238},"https:\u002F\u002Fgithub.com\u002Fkdeldycke\u002Fmeta-package-manager",[122],"meta-package-manager",[102,1241,1243],{"id":1242},"dependency-resolution-libraries","Dependency resolution libraries",[17,1245,1246],{},"Reusable libraries that solve the version constraint satisfaction problem. Package managers either use one of these or roll their own.",[17,1248,1249,1257],{},[23,1250,1251,1256],{},[28,1252,1255],{"href":1253,"rel":1254},"https:\u002F\u002Fgithub.com\u002Fpubgrub-rs\u002Fpubgrub",[122],"PubGrub",":"," Conflict-driven solver with good error messages. Used by Dart's pub, Poetry, uv, Hex, recent Bundler.",[17,1259,1260,1267],{},[23,1261,1262,1256],{},[28,1263,1266],{"href":1264,"rel":1265},"https:\u002F\u002Fgithub.com\u002FopenSUSE\u002Flibsolv",[122],"libsolv"," SAT-based solver. Used by DNF, Zypper, Conda, Mamba.",[17,1269,1270,1277],{},[23,1271,1272,1256],{},[28,1273,1276],{"href":1274,"rel":1275},"https:\u002F\u002Fgithub.com\u002Fmamba-org\u002Frattler",[122],"Rattler"," Rust implementation of Conda package management. Powers Pixi.",[17,1279,1280,1287],{},[23,1281,1282,1256],{},[28,1283,1286],{"href":1284,"rel":1285},"https:\u002F\u002Fgithub.com\u002FCocoaPods\u002FMolinillo",[122],"Molinillo"," Backtracking resolver tuned for Ruby. Used by older Bundler, CocoaPods.",[17,1289,1290,1297],{},[23,1291,1292,1256],{},[28,1293,1296],{"href":1294,"rel":1295},"https:\u002F\u002Fpotassco.org\u002Fclingo\u002F",[122],"Clingo"," Answer set programming solver. 
Used by Spack.",[17,1299,1300,1307,1308,1313],{},[23,1301,1302,1256],{},[28,1303,1306],{"href":1304,"rel":1305},"https:\u002F\u002Fpypi.org\u002Fproject\u002Fresolvelib\u002F",[122],"Resolvelib"," pip's backtracking resolver, built-in since pip 20.3 (",[28,1309,1312],{"href":1310,"rel":1311},"https:\u002F\u002Fpip.pypa.io\u002Fen\u002Fstable\u002Ftopics\u002Fdependency-resolution\u002F",[122],"pip details",").",[17,1315,1316,1323],{},[23,1317,1318,1256],{},[28,1319,1322],{"href":1320,"rel":1321},"https:\u002F\u002Fwww.mancoosi.org\u002Fcudf\u002F",[122],"CUDF"," Common Upgradeability Description Format. Used by opam with external solvers.",[17,1325,1326,1333],{},[23,1327,1328,1256],{},[28,1329,1332],{"href":1330,"rel":1331},"https:\u002F\u002Fgithub.com\u002Fmamba-org\u002Fresolvo",[122],"resolvo"," SAT solver for package management from the Mamba team.",[102,1335,1337],{"id":1336},"manifest-and-lockfile-parsing","Manifest and lockfile parsing",[17,1339,1340],{},"Libraries that read dependency files across ecosystems, used by security scanners, dependency update tools, and metadata platforms.",[17,1342,1343,1350],{},[23,1344,1345,1256],{},[28,1346,1349],{"href":1347,"rel":1348},"https:\u002F\u002Fgithub.com\u002Flibrariesio\u002Fbibliothecary",[122],"bibliothecary"," Ruby library parsing 30+ manifest formats. Used by Libraries.io.",[17,1352,1353,1360],{},[23,1354,1355,1256],{},[28,1356,1359],{"href":1357,"rel":1358},"https:\u002F\u002Fgithub.com\u002Fanchore\u002Fsyft",[122],"syft"," Go library that parses manifests and lockfiles as part of SBOM generation.",[17,1362,1363,1370],{},[23,1364,1365,1256],{},[28,1366,1369],{"href":1367,"rel":1368},"https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scalibr",[122],"osv-scalibr"," Google's extraction library for inventory discovery, vulnerability detection, and SBOM generation. 
Powers OSV-Scanner.",[17,1372,1373,1380],{},[23,1374,1375,1256],{},[28,1376,1379],{"href":1377,"rel":1378},"https:\u002F\u002Fgithub.com\u002Ftox-dev\u002Fpipdeptree",[122],"pipdeptree"," Visualizes Python dependency trees.",[17,1382,1383,1390],{},[23,1384,1385,1256],{},[28,1386,1389],{"href":1387,"rel":1388},"https:\u002F\u002Fgithub.com\u002Fnpm\u002Fnpm-packlist",[122],"npm-packlist"," Determines which files npm will include in a package.",[17,1392,1393,1400],{},[23,1394,1395,1256],{},[28,1396,1399],{"href":1397,"rel":1398},"https:\u002F\u002Fdoc.rust-lang.org\u002Fcargo\u002Fcommands\u002Fcargo-tree.html",[122],"cargo-tree"," Built into Cargo for dependency tree visualization.",[17,1402,1403,1410,1411,124,1416,124,1421,1426],{},[23,1404,1405,1256],{},[28,1406,1409],{"href":1407,"rel":1408},"https:\u002F\u002Fgithub.com\u002Fpackage-url",[122],"packageurl"," Libraries for parsing Package URLs in ",[28,1412,1415],{"href":1413,"rel":1414},"https:\u002F\u002Fgithub.com\u002Fpackage-url\u002Fpackageurl-python",[122],"Python",[28,1417,1420],{"href":1418,"rel":1419},"https:\u002F\u002Fgithub.com\u002Fpackage-url\u002Fpackageurl-go",[122],"Go",[28,1422,1425],{"href":1423,"rel":1424},"https:\u002F\u002Fgithub.com\u002Fpackage-url\u002Fpackageurl-js",[122],"JavaScript",", and other languages.",[17,1428,1429,1436],{},[23,1430,1431,1256],{},[28,1432,1435],{"href":1433,"rel":1434},"https:\u002F\u002Fgithub.com\u002Foras-project\u002Foras",[122],"oras"," OCI Registry As Storage, for pushing and pulling arbitrary content to OCI registries.",[17,1438,1439,26,1442,124,1447,1452,1453,1458,1459,1464,1465,1469],{},[23,1440,1441],{},"Version constraint parsers:",[28,1443,1446],{"href":1444,"rel":1445},"https:\u002F\u002Fgithub.com\u002Fnpm\u002Fnode-semver",[122],"node-semver",[28,1448,1451],{"href":1449,"rel":1450},"https:\u002F\u002Fgithub.com\u002Fpypa\u002Fpackaging",[122],"packaging"," (Python), 
",[28,1454,1457],{"href":1455,"rel":1456},"https:\u002F\u002Fgithub.com\u002Frubygems\u002Frubygems",[122],"Gem::Version"," (Ruby), ",[28,1460,1463],{"href":1461,"rel":1462},"https:\u002F\u002Fgithub.com\u002FMasterminds\u002Fsemver",[122],"semver"," (Go), ",[28,1466,1463],{"href":1467,"rel":1468},"https:\u002F\u002Fgithub.com\u002Fdtolnay\u002Fsemver",[122]," (Rust)",[102,1471,60],{"id":1472},"registry-software",[17,1474,1475],{},"Self-hosted registries for private packages or local mirrors.",[17,1477,1478,26,1481],{},[23,1479,1480],{},"npm-compatible:",[28,1482,1485],{"href":1483,"rel":1484},"https:\u002F\u002Fverdaccio.org",[122],"Verdaccio",[17,1487,1488,26,1491,124,1496],{},[23,1489,1490],{},"PyPI-compatible:",[28,1492,1495],{"href":1493,"rel":1494},"https:\u002F\u002Fgithub.com\u002Fdevpi\u002Fdevpi",[122],"devpi",[28,1497,1500],{"href":1498,"rel":1499},"https:\u002F\u002Fgithub.com\u002Fpypi\u002Fwarehouse",[122],"Warehouse",[17,1502,1503,26,1506],{},[23,1504,1505],{},"Maven-compatible:",[28,1507,1510],{"href":1508,"rel":1509},"https:\u002F\u002Farchiva.apache.org",[122],"Archiva",[17,1512,1513,26,1516,124,1521],{},[23,1514,1515],{},"NuGet-compatible:",[28,1517,1520],{"href":1518,"rel":1519},"https:\u002F\u002Fgithub.com\u002FNuGet\u002FNuGet.Server",[122],"NuGet.Server",[28,1522,1525],{"href":1523,"rel":1524},"https:\u002F\u002Fgithub.com\u002Floic-sharma\u002FBaGet",[122],"BaGet",[17,1527,1528,26,1531,124,1536,124,1541],{},[23,1529,1530],{},"Docker-compatible:",[28,1532,1535],{"href":1533,"rel":1534},"https:\u002F\u002Fgoharbor.io",[122],"Harbor",[28,1537,1540],{"href":1538,"rel":1539},"https:\u002F\u002Fgithub.com\u002Fdistribution\u002Fdistribution",[122],"Distribution",[28,1542,1545],{"href":1543,"rel":1544},"https:\u002F\u002Fd7y.io",[122],"Dragonfly",[17,1547,1548,26,1551,124,1556],{},[23,1549,1550],{},"Gem-compatible:",[28,1552,1555],{"href":1553,"rel":1554},"https:\u002F\u002Fgithub.com\u002Frubygems\u002Fgemstash",[122],"Gemstash",[28,1557,1560],{"h
ref":1558,"rel":1559},"https:\u002F\u002Fgithub.com\u002Fgeminabox\u002Fgeminabox",[122],"geminabox",[17,1562,1563,26,1566,124,1571],{},[23,1564,1565],{},"Go module proxy:",[28,1567,1570],{"href":1568,"rel":1569},"https:\u002F\u002Fgithub.com\u002Fgomods\u002Fathens",[122],"Athens",[28,1572,1575],{"href":1573,"rel":1574},"https:\u002F\u002Fgithub.com\u002Fgoproxy\u002Fgoproxy",[122],"goproxy",[17,1577,1578,26,1581,124,1586],{},[23,1579,1580],{},"Cargo-compatible:",[28,1582,1585],{"href":1583,"rel":1584},"https:\u002F\u002Fkellnr.io",[122],"Kellnr",[28,1587,1590],{"href":1588,"rel":1589},"https:\u002F\u002Fgithub.com\u002FHirevo\u002Falexandrie",[122],"Alexandrie",[17,1592,1593,26,1596,124,1601],{},[23,1594,1595],{},"Helm-compatible:",[28,1597,1600],{"href":1598,"rel":1599},"https:\u002F\u002Fchartmuseum.com",[122],"ChartMuseum",[28,1602,1535],{"href":1533,"rel":1603},[122],[102,1605,64],{"id":1606},"enterprise-tools",[17,1608,1609],{},"Artifact repositories, fleet management, and package distribution for organizations.",[17,1611,1612,26,1615,124,1620,124,1625,124,1630,124,1635,124,1640,124,1645,124,1648,124,1653,124,1657,124,1662],{},[23,1613,1614],{},"Artifact repositories:",[28,1616,1619],{"href":1617,"rel":1618},"https:\u002F\u002Fjfrog.com\u002Fartifactory\u002F",[122],"JFrog Artifactory",[28,1621,1624],{"href":1622,"rel":1623},"https:\u002F\u002Fwww.sonatype.com\u002Fproducts\u002Fsonatype-nexus-repository",[122],"Sonatype Nexus",[28,1626,1629],{"href":1627,"rel":1628},"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fpackages",[122],"GitHub Packages",[28,1631,1634],{"href":1632,"rel":1633},"https:\u002F\u002Fdocs.gitlab.com\u002Fee\u002Fuser\u002Fpackages\u002Fpackage_registry\u002F",[122],"GitLab Package Registry",[28,1636,1639],{"href":1637,"rel":1638},"https:\u002F\u002Faws.amazon.com\u002Fcodeartifact\u002F",[122],"AWS 
CodeArtifact",[28,1641,1644],{"href":1642,"rel":1643},"https:\u002F\u002Fazure.microsoft.com\u002Fen-us\u002Fproducts\u002Fdevops\u002Fartifacts",[122],"Azure Artifacts",[28,1646,1155],{"href":1153,"rel":1647},[122],[28,1649,1652],{"href":1650,"rel":1651},"https:\u002F\u002Fcloudsmith.com",[122],"Cloudsmith",[28,1654,1656],{"href":1143,"rel":1655},[122],"Quay",[28,1658,1661],{"href":1659,"rel":1660},"https:\u002F\u002Fdocs.gitea.com\u002Fusage\u002Fpackages\u002Foverview",[122],"Gitea Packages",[28,1663,1666],{"href":1664,"rel":1665},"https:\u002F\u002Fpulpproject.org",[122],"Pulp",[17,1668,1669,26,1672,124,1677,124,1682,124,1687],{},[23,1670,1671],{},"macOS fleet:",[28,1673,1676],{"href":1674,"rel":1675},"https:\u002F\u002Fworkbrew.com",[122],"Workbrew",[28,1678,1681],{"href":1679,"rel":1680},"https:\u002F\u002Fgithub.com\u002Fmunki\u002Fmunki",[122],"Munki",[28,1683,1686],{"href":1684,"rel":1685},"https:\u002F\u002Fgithub.com\u002Fautopkg\u002Fautopkg",[122],"AutoPkg",[28,1688,1691],{"href":1689,"rel":1690},"https:\u002F\u002Fwww.jamf.com",[122],"Jamf",[17,1693,1694,26,1697,124,1702,124,1707,124,1712],{},[23,1695,1696],{},"Linux fleet:",[28,1698,1701],{"href":1699,"rel":1700},"https:\u002F\u002Fubuntu.com\u002Flandscape",[122],"Landscape",[28,1703,1706],{"href":1704,"rel":1705},"https:\u002F\u002Fwww.suse.com\u002Fproducts\u002Fsuse-manager\u002F",[122],"SUSE Manager",[28,1708,1711],{"href":1709,"rel":1710},"https:\u002F\u002Ftheforeman.org",[122],"Foreman",[28,1713,1716],{"href":1714,"rel":1715},"https:\u002F\u002Fspacewalkproject.github.io",[122],"Spacewalk",[17,1718,1719,26,1722,124,1727,124,1732],{},[23,1720,1721],{},"Windows 
fleet:",[28,1723,1726],{"href":1724,"rel":1725},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fmem\u002Fintune\u002F",[122],"Intune",[28,1728,1731],{"href":1729,"rel":1730},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fmem\u002Fconfigmgr\u002F",[122],"SCCM",[28,1733,1736],{"href":1734,"rel":1735},"https:\u002F\u002Fwww.pdq.com",[122],"PDQ",[102,1738,1740],{"id":1739},"security-and-analysis-tools","Security and analysis tools",[17,1742,1743],{},"Tools for scanning dependencies, detecting vulnerabilities, and keeping packages updated.",[17,1745,1746,26,1749,124,1754,124,1759,124,1764,124,1769,124,1774,124,1779,124,1784,124,1789,124,1794,124,1799],{},[23,1747,1748],{},"Vulnerability scanning:",[28,1750,1753],{"href":1751,"rel":1752},"https:\u002F\u002Fsnyk.io",[122],"Snyk",[28,1755,1758],{"href":1756,"rel":1757},"https:\u002F\u002Fsocket.dev",[122],"Socket",[28,1760,1763],{"href":1761,"rel":1762},"https:\u002F\u002Fgithub.com\u002Fanchore\u002Fgrype",[122],"Grype",[28,1765,1768],{"href":1766,"rel":1767},"https:\u002F\u002Ftrivy.dev",[122],"Trivy",[28,1770,1773],{"href":1771,"rel":1772},"https:\u002F\u002Fdocs.npmjs.com\u002Fcli\u002Fcommands\u002Fnpm-audit",[122],"npm 
audit",[28,1775,1778],{"href":1776,"rel":1777},"https:\u002F\u002Fgithub.com\u002Fpypa\u002Fpip-audit",[122],"pip-audit",[28,1780,1783],{"href":1781,"rel":1782},"https:\u002F\u002Fgithub.com\u002Frubysec\u002Fbundler-audit",[122],"bundler-audit",[28,1785,1788],{"href":1786,"rel":1787},"https:\u002F\u002Fgithub.com\u002Frustsec\u002Frustsec",[122],"cargo-audit",[28,1790,1793],{"href":1791,"rel":1792},"https:\u002F\u002Fgithub.com\u002Fpyupio\u002Fsafety",[122],"safety",[28,1795,1798],{"href":1796,"rel":1797},"https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002F",[122],"OSV-Scanner",[28,1800,1803],{"href":1801,"rel":1802},"https:\u002F\u002Fowasp.org\u002Fwww-project-dependency-check\u002F",[122],"Dependency-Check",[17,1805,1806,26,1809,124,1814,124,1817,124,1822,124,1825,124,1830,124,1835],{},[23,1807,1808],{},"Dependency updates:",[28,1810,1813],{"href":1811,"rel":1812},"https:\u002F\u002Fgithub.com\u002Fdependabot",[122],"Dependabot",[28,1815,1758],{"href":1756,"rel":1816},[122],[28,1818,1821],{"href":1819,"rel":1820},"https:\u002F\u002Fwww.mend.io\u002Frenovate\u002F",[122],"Renovate",[28,1823,1753],{"href":1751,"rel":1824},[122],[28,1826,1829],{"href":1827,"rel":1828},"https:\u002F\u002Fdepfu.com",[122],"Depfu",[28,1831,1834],{"href":1832,"rel":1833},"https:\u002F\u002Fgithub.com\u002Fjazzband\u002Fpip-tools",[122],"pip-tools",[28,1836,1839],{"href":1837,"rel":1838},"https:\u002F\u002Fgithub.com\u002Fopenrewrite\u002Frewrite",[122],"OpenRewrite",[17,1841,1842,26,1845,124,1848],{},[23,1843,1844],{},"Malware detection:",[28,1846,1758],{"href":1756,"rel":1847},[122],[28,1849,1852],{"href":1850,"rel":1851},"https:\u002F\u002Fgithub.com\u002FDataDog\u002Fguarddog",[122],"GuardDog",[17,1854,1855,26,1858,124,1863,124,1866,124,1869,124,1874,124,1879,124,1884,124,1889,124,1894,124,1899,124,1904,124,1909,124,1914],{},[23,1856,1857],{},"License 
compliance:",[28,1859,1862],{"href":1860,"rel":1861},"https:\u002F\u002Ffossa.com",[122],"FOSSA",[28,1864,1758],{"href":1756,"rel":1865},[122],[28,1867,1753],{"href":1751,"rel":1868},[122],[28,1870,1873],{"href":1871,"rel":1872},"https:\u002F\u002Fwww.mend.io",[122],"Mend",[28,1875,1878],{"href":1876,"rel":1877},"https:\u002F\u002Fwww.synopsys.com\u002Fsoftware-integrity\u002Fsecurity-testing\u002Fsoftware-composition-analysis.html",[122],"Black Duck",[28,1880,1883],{"href":1881,"rel":1882},"https:\u002F\u002Fwww.fossology.org",[122],"FOSSology",[28,1885,1888],{"href":1886,"rel":1887},"https:\u002F\u002Fgithub.com\u002Flicensee\u002Flicensee",[122],"licensee",[28,1890,1893],{"href":1891,"rel":1892},"https:\u002F\u002Fgithub.com\u002Faboutcode-org\u002Fscancode-toolkit",[122],"ScanCode Toolkit",[28,1895,1898],{"href":1896,"rel":1897},"https:\u002F\u002Fgithub.com\u002Faboutcode-org\u002Fscancode.io",[122],"ScanCode.io",[28,1900,1903],{"href":1901,"rel":1902},"https:\u002F\u002Fgithub.com\u002Faboutcode-org\u002Fdejacode",[122],"DejaCode",[28,1905,1908],{"href":1906,"rel":1907},"https:\u002F\u002Fgithub.com\u002FEmbarkStudios\u002Fcargo-deny",[122],"cargo-deny",[28,1910,1913],{"href":1911,"rel":1912},"https:\u002F\u002Fgithub.com\u002Fraimon49\u002Fpip-licenses",[122],"pip-licenses",[28,1915,1918],{"href":1916,"rel":1917},"https:\u002F\u002Fgithub.com\u002Fpivotal\u002FLicenseFinder",[122],"license_finder",[17,1920,1921,26,1924,124,1927,124,1930,124,1935,124,1938,124,1943],{},[23,1922,1923],{},"Software composition analysis:",[28,1925,1758],{"href":1756,"rel":1926},[122],[28,1928,1753],{"href":1751,"rel":1929},[122],[28,1931,1934],{"href":1932,"rel":1933},"https:\u002F\u002Fwww.sonatype.com",[122],"Sonatype",[28,1936,1878],{"href":1876,"rel":1937},[122],[28,1939,1942],{"href":1940,"rel":1941},"https:\u002F\u002Fwww.veracode.com\u002Fproducts\u002Fsoftware-composition-analysis",[122],"Veracode 
SCA",[28,1944,1862],{"href":1860,"rel":1945},[122],[17,1947,1948,26,1951,124,1956,124,1961,124,1966],{},[23,1949,1950],{},"CI security:",[28,1952,1955],{"href":1953,"rel":1954},"https:\u002F\u002Fdocs.zizmor.sh\u002F",[122],"Zizmor",[28,1957,1960],{"href":1958,"rel":1959},"https:\u002F\u002Fwww.stepsecurity.io",[122],"StepSecurity",[28,1962,1965],{"href":1963,"rel":1964},"https:\u002F\u002Fgithub.com\u002Fstep-security\u002Fharden-runner",[122],"Harden-Runner",[28,1967,1970],{"href":1968,"rel":1969},"https:\u002F\u002Fgithub.com\u002Fossf\u002Fallstar",[122],"OpenSSF Allstar",[17,1972,1973,26,1976],{},[23,1974,1975],{},"Fuzzing:",[28,1977,1980],{"href":1978,"rel":1979},"https:\u002F\u002Fgithub.com\u002Fgoogle\u002Foss-fuzz",[122],"OSS-Fuzz",[17,1982,1983,26,1986,124,1991],{},[23,1984,1985],{},"GitHub Actions lockfiles:",[28,1987,1990],{"href":1988,"rel":1989},"https:\u002F\u002Fgithub.com\u002Fchains-project\u002Fghasum",[122],"ghasum",[28,1992,1995],{"href":1993,"rel":1994},"https:\u002F\u002Fgithub.com\u002Fgjtorikian\u002Fgh-actions-lockfile",[122],"gh-actions-lockfile",[102,1997,1999],{"id":1998},"metadata-and-discovery-platforms","Metadata and discovery platforms",[17,2001,2002],{},"Services that aggregate package data across ecosystems.",[17,2004,2005,26,2008,124,2013,124,2018,124,2023,124,2028,124,2033],{},[23,2006,2007],{},"Cross-ecosystem:",[28,2009,2012],{"href":2010,"rel":2011},"https:\u002F\u002Fecosyste.ms",[122],"ecosyste.ms",[28,2014,2017],{"href":2015,"rel":2016},"https:\u002F\u002Fdeps.dev",[122],"deps.dev",[28,2019,2022],{"href":2020,"rel":2021},"https:\u002F\u002Flibraries.io",[122],"Libraries.io",[28,2024,2027],{"href":2025,"rel":2026},"https:\u002F\u002Fsnyk.io\u002Fadvisor\u002F",[122],"Snyk Advisor",[28,2029,2032],{"href":2030,"rel":2031},"https:\u002F\u002Fscorecard.dev",[122],"OpenSSF 
Scorecard",[28,2034,2037],{"href":2035,"rel":2036},"https:\u002F\u002Fgithub.com\u002Faboutcode-org\u002Fpurldb",[122],"PurlDB",[17,2039,2040,26,2043,124,2048,124,2053,124,2058,124,2063],{},[23,2041,2042],{},"Ecosystem-specific:",[28,2044,2047],{"href":2045,"rel":2046},"https:\u002F\u002Fnpms.io",[122],"npms.io",[28,2049,2052],{"href":2050,"rel":2051},"https:\u002F\u002Fbundlephobia.com",[122],"bundlephobia",[28,2054,2057],{"href":2055,"rel":2056},"https:\u002F\u002Fpkg-size.dev",[122],"pkg-size",[28,2059,2062],{"href":2060,"rel":2061},"https:\u002F\u002Fpypistats.org",[122],"PyPI Stats",[28,2064,2067],{"href":2065,"rel":2066},"https:\u002F\u002Fdeps.rs",[122],"deps.rs",[17,2069,2070,26,2073,124,2078],{},[23,2071,2072],{},"Cross-distro:",[28,2074,2077],{"href":2075,"rel":2076},"https:\u002F\u002Frepology.org",[122],"Repology",[28,2079,2082],{"href":2080,"rel":2081},"https:\u002F\u002Fpkgs.org",[122],"pkgs.org",[17,2084,2085,26,2088,124,2091,124,2096,124,2101],{},[23,2086,2087],{},"Dependency graphs:",[28,2089,2017],{"href":2015,"rel":2090},[122],[28,2092,2095],{"href":2093,"rel":2094},"https:\u002F\u002Fdocs.github.com\u002Fen\u002Fcode-security\u002Fsupply-chain-security\u002Funderstanding-your-software-supply-chain\u002Fabout-the-dependency-graph",[122],"GitHub Dependency Graph",[28,2097,2100],{"href":2098,"rel":2099},"https:\u002F\u002Fdocs.gitlab.com\u002Fee\u002Fuser\u002Fapplication_security\u002Fdependency_list\u002F",[122],"GitLab Dependency List",[28,2102,2105],{"href":2103,"rel":2104},"https:\u002F\u002Fsourcegraph.com",[122],"Sourcegraph",[17,2107,2108,26,2111,124,2116,124,2121,124,2126,124,2131,124,2136,124,2141],{},[23,2109,2110],{},"Advisory databases:",[28,2112,2115],{"href":2113,"rel":2114},"https:\u002F\u002Fosv.dev",[122],"OSV",[28,2117,2120],{"href":2118,"rel":2119},"https:\u002F\u002Fgithub.com\u002Fadvisories",[122],"GitHub Advisory 
Database",[28,2122,2125],{"href":2123,"rel":2124},"https:\u002F\u002Fnvd.nist.gov",[122],"NVD",[28,2127,2130],{"href":2128,"rel":2129},"https:\u002F\u002Fsecurity.snyk.io",[122],"Snyk Vulnerability Database",[28,2132,2135],{"href":2133,"rel":2134},"https:\u002F\u002Frubysec.com",[122],"RubySec",[28,2137,2140],{"href":2138,"rel":2139},"https:\u002F\u002Fgithub.com\u002Fpyupio\u002Fsafety-db",[122],"PyUp Safety DB",[28,2142,2145],{"href":2143,"rel":2144},"https:\u002F\u002Fgithub.com\u002Faboutcode-org\u002Fvulnerablecode",[122],"VulnerableCode",[17,2147,2148,26,2151,2156,2157,124,2162,124,2167,124,2172,124,2177],{},[23,2149,2150],{},"Package manager documentation:",[28,2152,2155],{"href":2153,"rel":2154},"https:\u002F\u002Fgithub.com\u002Fecosyste-ms",[122],"ecosyste.ms docs"," covering ",[28,2158,2161],{"href":2159,"rel":2160},"https:\u002F\u002Fgithub.com\u002Fecosyste-ms\u002Fpackage-manager-resolvers",[122],"resolvers",[28,2163,2166],{"href":2164,"rel":2165},"https:\u002F\u002Fgithub.com\u002Fecosyste-ms\u002Fpackage-manager-archives",[122],"archives",[28,2168,2171],{"href":2169,"rel":2170},"https:\u002F\u002Fgithub.com\u002Fecosyste-ms\u002Fpackage-manager-commands",[122],"CLI commands",[28,2173,2176],{"href":2174,"rel":2175},"https:\u002F\u002Fgithub.com\u002Fecosyste-ms\u002Fpackage-manager-manifest-examples",[122],"manifest examples",[28,2178,2181],{"href":2179,"rel":2180},"https:\u002F\u002Fgithub.com\u002Fecosyste-ms\u002Fpackage-manager-hooks",[122],"lifecycle hooks",[102,2183,2185],{"id":2184},"sbom-and-supply-chain-tools","SBOM and supply chain tools",[17,2187,2188],{},"Tools for generating and consuming Software Bills of Materials, and for supply chain security more broadly.",[17,2190,2191,26,2194,124,2198,124,2201,124,2206,124,2211,124,2216,124,2221,124,2226],{},[23,2192,2193],{},"SBOM 
generators:",[28,2195,2197],{"href":1357,"rel":2196},[122],"Syft",[28,2199,1768],{"href":1766,"rel":2200},[122],[28,2202,2205],{"href":2203,"rel":2204},"https:\u002F\u002Fcyclonedx.org\u002Ftool-center\u002F",[122],"CycloneDX tools",[28,2207,2210],{"href":2208,"rel":2209},"https:\u002F\u002Fspdx.dev\u002Fuse\u002Ftools\u002F",[122],"SPDX tools",[28,2212,2215],{"href":2213,"rel":2214},"https:\u002F\u002Fgithub.com\u002Ftern-tools\u002Ftern",[122],"Tern",[28,2217,2220],{"href":2218,"rel":2219},"https:\u002F\u002Fgithub.com\u002Fkubernetes-sigs\u002Fbom",[122],"Bom",[28,2222,2225],{"href":2223,"rel":2224},"https:\u002F\u002Fgithub.com\u002FCycloneDX\u002Fcdxgen",[122],"cdxgen",[28,2227,2230],{"href":2228,"rel":2229},"https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Fsbom-tool",[122],"sbom-tool",[17,2232,2233,26,2236,124,2241,124,2246],{},[23,2234,2235],{},"SBOM management:",[28,2237,2240],{"href":2238,"rel":2239},"https:\u002F\u002Fgithub.com\u002Fsbomify\u002Fsbomify",[122],"sbomify",[28,2242,2245],{"href":2243,"rel":2244},"https:\u002F\u002Fdependencytrack.org",[122],"Dependency-Track",[28,2247,2250],{"href":2248,"rel":2249},"https:\u002F\u002Fguac.sh",[122],"GUAC",[17,2252,2253,26,2256],{},[23,2254,2255],{},"SBOM libraries:",[28,2257,2260],{"href":2258,"rel":2259},"https:\u002F\u002Fgithub.com\u002Fprotobom\u002Fprotobom",[122],"Protobom",[17,2262,2263,26,2266,124,2271,124,2276],{},[23,2264,2265],{},"SBOM formats:",[28,2267,2270],{"href":2268,"rel":2269},"https:\u002F\u002Fcyclonedx.org",[122],"CycloneDX",[28,2272,2275],{"href":2273,"rel":2274},"https:\u002F\u002Fspdx.dev",[122],"SPDX",[28,2277,2280],{"href":2278,"rel":2279},"https:\u002F\u002Fcsrc.nist.gov\u002Fprojects\u002FSoftware-Identification-SWID",[122],"SWID",[17,2282,2283,26,2286,124,2291,124,2296],{},[23,2284,2285],{},"SBOM 
quality:",[28,2287,2290],{"href":2288,"rel":2289},"https:\u002F\u002Fgithub.com\u002FeBay\u002Fsbom-scorecard",[122],"sbom-scorecard",[28,2292,2295],{"href":2293,"rel":2294},"https:\u002F\u002Fgithub.com\u002Finterlynk-io\u002Fsbomqs",[122],"sbomqs",[28,2297,2300],{"href":2298,"rel":2299},"https:\u002F\u002Fgithub.com\u002Fspdx\u002Fntia-conformance-checker",[122],"ntia-conformance-checker",[17,2302,2303,26,2306,124,2311,124,2316,124,2321,124,2326],{},[23,2304,2305],{},"Provenance:",[28,2307,2310],{"href":2308,"rel":2309},"https:\u002F\u002Fslsa.dev",[122],"SLSA",[28,2312,2315],{"href":2313,"rel":2314},"https:\u002F\u002Fgithub.com\u002Fslsa-framework\u002Fslsa-verifier",[122],"slsa-verifier",[28,2317,2320],{"href":2318,"rel":2319},"https:\u002F\u002Fdocs.github.com\u002Fen\u002Factions\u002Fsecurity-for-github-actions\u002Fusing-artifact-attestations",[122],"GitHub Artifact Attestations",[28,2322,2325],{"href":2323,"rel":2324},"https:\u002F\u002Fgithub.com\u002Fin-toto\u002Fwitness",[122],"Witness",[28,2327,2330],{"href":2328,"rel":2329},"https:\u002F\u002Fnotaryproject.dev",[122],"Notary",[17,2332,2333,26,2336,124,2341,124,2346,124,2351],{},[23,2334,2335],{},"Reproducible builds:",[28,2337,2340],{"href":2338,"rel":2339},"https:\u002F\u002Freproducible-builds.org",[122],"Reproducible Builds",[28,2342,2345],{"href":2343,"rel":2344},"https:\u002F\u002Fgithub.com\u002Fgoogle\u002Foss-rebuild",[122],"oss-rebuild",[28,2347,2350],{"href":2348,"rel":2349},"https:\u002F\u002Fgithub.com\u002Fkpcyrd\u002Frebuilderd",[122],"rebuilderd",[28,2352,2355],{"href":2353,"rel":2354},"https:\u002F\u002Fdiffoscope.org",[122],"diffoscope",[17,2357,2358,26,2361,2366,2367,124,2372,124,2377],{},[23,2359,2360],{},"Policy 
enforcement:",[28,2362,2365],{"href":2363,"rel":2364},"https:\u002F\u002Fwww.openpolicyagent.org",[122],"OPA","\u002F",[28,2368,2371],{"href":2369,"rel":2370},"https:\u002F\u002Fopen-policy-agent.github.io\u002Fgatekeeper\u002F",[122],"Gatekeeper",[28,2373,2376],{"href":2374,"rel":2375},"https:\u002F\u002Fkyverno.io",[122],"Kyverno",[28,2378,2381],{"href":2379,"rel":2380},"https:\u002F\u002Fgithub.com\u002Fratify-project\u002Fratify",[122],"ratify",[102,2383,80],{"id":2384},"trusted-publishing",[17,2386,2387],{},"Infrastructure for verifying package provenance and integrity.",[17,2389,2390,2397,2398,2403],{},[23,2391,2392,1256],{},[28,2393,2396],{"href":2394,"rel":2395},"https:\u002F\u002Fsigstore.dev",[122],"Sigstore"," Keyless signing infrastructure (cosign, fulcio, rekor). Used by npm, PyPI, and others for provenance. ",[28,2399,2402],{"href":2400,"rel":2401},"https:\u002F\u002Fgithub.com\u002Fsigstore\u002Fpolicy-controller",[122],"policy-controller"," enforces signature policies in Kubernetes.",[17,2405,2406,2413],{},[23,2407,2408,1256],{},[28,2409,2412],{"href":2410,"rel":2411},"https:\u002F\u002Ftheupdateframework.io\u002F",[122],"The Update Framework (TUF)"," Framework for secure software update systems. Used by PyPI, RubyGems, Homebrew.",[17,2415,2416,2423],{},[23,2417,2418,1256],{},[28,2419,2422],{"href":2420,"rel":2421},"https:\u002F\u002Fin-toto.io\u002F",[122],"in-toto"," Supply chain layout and verification. 
Verifies that each step in the build pipeline was carried out as the layout specifies.",[17,2425,2426,2433],{},[23,2427,2428,1256],{},[28,2429,2432],{"href":2430,"rel":2431},"https:\u002F\u002Fsbomit.dev\u002F",[122],"SBOMit"," Generates signed, in-toto attested SBOMs.",[17,2435,2436,2443],{},[23,2437,2438,1256],{},[28,2439,2442],{"href":2440,"rel":2441},"https:\u002F\u002Fgo.dev\u002Fref\u002Fmod#checksum-database",[122],"Go checksum database"," sum.golang.org provides a transparency log for Go module checksums.",[17,2445,2446,2453],{},[23,2447,2448,1256],{},[28,2449,2452],{"href":2450,"rel":2451},"https:\u002F\u002Fdocs.npmjs.com\u002Fgenerating-provenance-statements",[122],"npm provenance"," Links published packages to source commits and build logs via Sigstore.",[17,2455,2456,2463],{},[23,2457,2458,1256],{},[28,2459,2462],{"href":2460,"rel":2461},"https:\u002F\u002Fdocs.pypi.org\u002Ftrusted-publishers\u002F",[122],"PyPI Trusted Publishers"," OIDC-based publishing from GitHub Actions, GitLab CI, and other CI providers.",[102,2465,2467],{"id":2466},"monorepo-and-workspace-tools","Monorepo and workspace tools",[17,2469,2470],{},"Tools for managing multiple packages in a single repository.",[17,2472,2473,26,2476,124,2481,124,2486,124,2491,124,2496,124,2501,124,2506,124,2511],{},[23,2474,2475],{},"JavaScript:",[28,2477,2480],{"href":2478,"rel":2479},"https:\u002F\u002Fturbo.build",[122],"Turborepo",[28,2482,2485],{"href":2483,"rel":2484},"https:\u002F\u002Fnx.dev",[122],"Nx",[28,2487,2490],{"href":2488,"rel":2489},"https:\u002F\u002Flerna.js.org",[122],"Lerna",[28,2492,2495],{"href":2493,"rel":2494},"https:\u002F\u002Frushjs.io",[122],"Rush",[28,2497,2500],{"href":2498,"rel":2499},"https:\u002F\u002Fgithub.com\u002Fboltpkg\u002Fbolt",[122],"Bolt",[28,2502,2505],{"href":2503,"rel":2504},"https:\u002F\u002Fdocs.npmjs.com\u002Fcli\u002Fusing-npm\u002Fworkspaces",[122],"npm 
workspaces",[28,2507,2510],{"href":2508,"rel":2509},"https:\u002F\u002Fyarnpkg.com\u002Ffeatures\u002Fworkspaces",[122],"Yarn workspaces",[28,2512,2515],{"href":2513,"rel":2514},"https:\u002F\u002Fpnpm.io\u002Fworkspaces",[122],"pnpm workspaces",[17,2517,2518,26,2521,124,2526,124,2531,124,2536,124,2541,124,2544],{},[23,2519,2520],{},"Multi-language:",[28,2522,2525],{"href":2523,"rel":2524},"https:\u002F\u002Fbazel.build",[122],"Bazel",[28,2527,2530],{"href":2528,"rel":2529},"https:\u002F\u002Fwww.pantsbuild.org",[122],"Pants",[28,2532,2535],{"href":2533,"rel":2534},"https:\u002F\u002Fbuck.build",[122],"Buck",[28,2537,2540],{"href":2538,"rel":2539},"https:\u002F\u002Fplease.build",[122],"Please",[28,2542,2485],{"href":2483,"rel":2543},[122],[28,2545,2548],{"href":2546,"rel":2547},"https:\u002F\u002Fgerrit.googlesource.com\u002Fgit-repo\u002F",[122],"Repo",[17,2550,2551,26,2554,124,2557,124,2560,124,2565],{},[23,2552,2553],{},"Task runners:",[28,2555,2480],{"href":2478,"rel":2556},[122],[28,2558,2485],{"href":2483,"rel":2559},[122],[28,2561,2564],{"href":2562,"rel":2563},"https:\u002F\u002Fmoonrepo.dev",[122],"moon",[28,2566,2569],{"href":2567,"rel":2568},"https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fwireit",[122],"wireit",[17,2571,2572,26,2575,124,2578,124,2583,124,2588],{},[23,2573,2574],{},"Publishing:",[28,2576,2490],{"href":2488,"rel":2577},[122],[28,2579,2582],{"href":2580,"rel":2581},"https:\u002F\u002Fgithub.com\u002Fchangesets\u002Fchangesets",[122],"changesets",[28,2584,2587],{"href":2585,"rel":2586},"https:\u002F\u002Fsemantic-release.gitbook.io",[122],"semantic-release",[28,2589,2592],{"href":2590,"rel":2591},"https:\u002F\u002Fgithub.com\u002Frelease-it\u002Frelease-it",[122],"release-it",[102,2594,2596],{"id":2595},"build-tools-with-dependency-management","Build tools with dependency management",[17,2598,2599],{},"Build systems that include package management 
features.",[17,2601,2602,26,2605],{},[23,2603,2604],{},"Bazel:",[28,2606,2609],{"href":2607,"rel":2608},"https:\u002F\u002Fbazel.build\u002Fexternal\u002Fmodule",[122],"bzlmod",[17,2611,2612,26,2615,124,2620],{},[23,2613,2614],{},"CMake:",[28,2616,2619],{"href":2617,"rel":2618},"https:\u002F\u002Fcmake.org\u002Fcmake\u002Fhelp\u002Flatest\u002Fmodule\u002FFetchContent.html",[122],"FetchContent",[28,2621,2623],{"href":485,"rel":2622},[122],"CPM",[17,2625,2626,26,2629],{},[23,2627,2628],{},"Meson:",[28,2630,2633],{"href":2631,"rel":2632},"https:\u002F\u002Fmesonbuild.com\u002FWrap-dependency-system-manual.html",[122],"wraps",[17,2635,2636,26,2639,124,2644],{},[23,2637,2638],{},"Container builds:",[28,2640,2643],{"href":2641,"rel":2642},"https:\u002F\u002Fgithub.com\u002Fearthly\u002Fearthly",[122],"Earthly",[28,2645,2648],{"href":2646,"rel":2647},"https:\u002F\u002Fbuildpacks.io",[122],"Cloud Native Buildpacks",[102,2650,92],{"id":2651},"research",[17,2653,2654,2655,2659],{},"A longer list of academic work is in ",[28,2656,2658],{"href":2657},"\u002Freports\u002Fpackage-management-papers","Package Management Papers",".",[17,2661,2662,26,2665,124,2670,124,2675],{},[23,2663,2664],{},"Dependency analysis:",[28,2666,2669],{"href":2667,"rel":2668},"https:\u002F\u002Fgithub.com\u002Ffasten-project",[122],"FASTEN",[28,2671,2674],{"href":2672,"rel":2673},"https:\u002F\u002Fwww.softwareheritage.org",[122],"Software Heritage",[28,2676,2679],{"href":2677,"rel":2678},"https:\u002F\u002Fwww.mancoosi.org",[122],"Mancoosi",[17,2681,2682,26,2685,124,2690,124,2695,124,2700],{},[23,2683,2684],{},"Datasets:",[28,2686,2689],{"href":2687,"rel":2688},"https:\u002F\u002Fwww.gharchive.org",[122],"GH Archive",[28,2691,2694],{"href":2692,"rel":2693},"https:\u002F\u002Fworldofcode.org",[122],"World of 
Code",[28,2696,2699],{"href":2697,"rel":2698},"https:\u002F\u002Fgithub.com\u002Fdonald-pinckney\u002Fnpm-follower",[122],"npm-follower",[28,2701,2704],{"href":2702,"rel":2703},"https:\u002F\u002Fcodecommons.org\u002F",[122],"Code Commons",[17,2706,2707,26,2710,124,2715],{},[23,2708,2709],{},"Bloat detection:",[28,2711,2714],{"href":2712,"rel":2713},"https:\u002F\u002Fgithub.com\u002Fcastor-software\u002Fdepclean",[122],"DepClean",[28,2716,2719],{"href":2717,"rel":2718},"https:\u002F\u002Fgithub.com\u002Ffpgmaas\u002Fdeptry",[122],"deptry",[102,2721,2723],{"id":2722},"governance-and-best-practices","Governance and best practices",[17,2725,2726,2727,2731],{},"Registries don't just host files, they ",[28,2728,2730],{"href":2729},"\u002Fideas\u002Fpackage-registries-are-governance-as-a-service","make political choices"," about naming, ownership, and removal. These resources cover how ecosystems govern themselves.",[17,2733,2734,26,2737,124,2742,124,2747,124,2752],{},[23,2735,2736],{},"Working groups:",[28,2738,2741],{"href":2739,"rel":2740},"https:\u002F\u002Frepos.openssf.org\u002F",[122],"OpenSSF Securing Software Repos WG",[28,2743,2746],{"href":2744,"rel":2745},"https:\u002F\u002Fwww.pypa.io\u002F",[122],"Python Packaging Authority",[28,2748,2751],{"href":2749,"rel":2750},"https:\u002F\u002Fgithub.com\u002Fnodejs\u002Fpackage-maintenance",[122],"Node.js Package Maintenance WG",[28,2753,2756],{"href":2754,"rel":2755},"https:\u002F\u002Fsecurity.metacpan.org\u002F",[122],"CPAN Security Group",[17,2758,2759,26,2762,124,2767],{},[23,2760,2761],{},"Maturity models:",[28,2763,2766],{"href":2764,"rel":2765},"https:\u002F\u002Frepos.openssf.org\u002Fprinciples-for-package-repository-security.html",[122],"OpenSSF Principles for Package Repository Security",[28,2768,2771],{"href":2769,"rel":2770},"https:\u002F\u002Fbest.openssf.org\u002F",[122],"OpenSSF Best Practices Badge",[17,2773,2774,26,2777,124,2782,124,2787],{},[23,2775,2776],{},"RFC 
processes:",[28,2778,2781],{"href":2779,"rel":2780},"https:\u002F\u002Fgithub.com\u002Fnpm\u002Frfcs",[122],"npm RFCs",[28,2783,2786],{"href":2784,"rel":2785},"https:\u002F\u002Frust-lang.github.io\u002Frfcs\u002F",[122],"Rust RFCs",[28,2788,2791],{"href":2789,"rel":2790},"https:\u002F\u002Fpeps.python.org\u002F",[122],"Python PEPs",[17,2793,2794,26,2797,124,2802,124,2807,124,2812,124,2817],{},[23,2795,2796],{},"Registry policies:",[28,2798,2801],{"href":2799,"rel":2800},"https:\u002F\u002Fdocs.npmjs.com\u002Fpolicies\u002Fdisputes",[122],"npm disputes",[28,2803,2806],{"href":2804,"rel":2805},"https:\u002F\u002Fdocs.npmjs.com\u002Fpolicies\u002Funpublish",[122],"npm unpublish",[28,2808,2811],{"href":2809,"rel":2810},"https:\u002F\u002Fpypi.org\u002Fsecurity\u002F",[122],"PyPI security",[28,2813,2816],{"href":2814,"rel":2815},"https:\u002F\u002Fcrates.io\u002Fpolicies",[122],"crates.io policies",[28,2818,2821],{"href":2819,"rel":2820},"https:\u002F\u002Fguides.rubygems.org\u002Fsecurity\u002F",[122],"RubyGems.org security",[17,2823,2824,26,2827,124,2832],{},[23,2825,2826],{},"Compliance frameworks:",[28,2828,2831],{"href":2829,"rel":2830},"https:\u002F\u002Fowasp.org\u002Fwww-project-software-component-verification-standard\u002F",[122],"OWASP SCVS",[28,2833,2836],{"href":2834,"rel":2835},"https:\u002F\u002Fwww.openchainproject.org\u002F",[122],"OpenChain",[17,2838,2839,26,2842,124,2847,124,2852],{},[23,2840,2841],{},"Institutional guidance:",[28,2843,2846],{"href":2844,"rel":2845},"https:\u002F\u002Fcsrc.nist.gov\u002Fprojects\u002Fssdf",[122],"NIST SSDF",[28,2848,2851],{"href":2849,"rel":2850},"https:\u002F\u002Fwww.cisa.gov\u002Fresources-tools\u002Fresources\u002Fsecuring-software-supply-chain-recommended-practices-developers",[122],"CISA Software Supply Chain",[28,2853,2856],{"href":2854,"rel":2855},"https:\u002F\u002Ftag-security.cncf.io\u002Fcommunity\u002Fworking-groups\u002Fsupply-chain-security\u002F",[122],"CNCF Supply Chain Best 
Practices",[102,2858,2860],{"id":2859},"standards-and-specifications","Standards and specifications",[17,2862,2863],{},"Specifications that enable interoperability between tools.",[17,2865,2866,26,2869,124,2874,124,2879,124,2884],{},[23,2867,2868],{},"Package identification:",[28,2870,2873],{"href":2871,"rel":2872},"https:\u002F\u002Fgithub.com\u002Fpackage-url\u002Fpurl-spec",[122],"PURL",[28,2875,2878],{"href":2876,"rel":2877},"https:\u002F\u002Fgithub.com\u002Fpackage-url\u002Fpurl-spec\u002Fblob\u002Fmaster\u002FVERSION-RANGE-SPEC.rst",[122],"VERS",[28,2880,2883],{"href":2881,"rel":2882},"https:\u002F\u002Fnvd.nist.gov\u002Fproducts\u002Fcpe",[122],"CPE",[28,2885,2888],{"href":2886,"rel":2887},"https:\u002F\u002Fwww.swhid.org\u002F",[122],"SWHID",[17,2890,2891,26,2894,124,2898,124,2903,124,2908,124,2913],{},[23,2892,2893],{},"Vulnerability exchange:",[28,2895,2115],{"href":2896,"rel":2897},"https:\u002F\u002Fossf.github.io\u002Fosv-schema\u002F",[122],[28,2899,2902],{"href":2900,"rel":2901},"https:\u002F\u002Fwww.cve.org",[122],"CVE",[28,2904,2907],{"href":2905,"rel":2906},"https:\u002F\u002Fcwe.mitre.org",[122],"CWE",[28,2909,2912],{"href":2910,"rel":2911},"https:\u002F\u002Fgithub.com\u002Fopenvex\u002Fspec",[122],"OpenVEX",[28,2914,2917],{"href":2915,"rel":2916},"https:\u002F\u002Fgithub.com\u002Fopenvex\u002Fvexctl",[122],"vexctl",[17,2919,2920,26,2922,124,2925],{},[23,2921,2265],{},[28,2923,2270],{"href":2268,"rel":2924},[122],[28,2926,2275],{"href":2273,"rel":2927},[122],[17,2929,2930,26,2933,124,2936,124,2940],{},[23,2931,2932],{},"Supply 
chain:",[28,2934,2310],{"href":2308,"rel":2935},[122],[28,2937,2422],{"href":2938,"rel":2939},"https:\u002F\u002Fin-toto.io",[122],[28,2941,2944],{"href":2942,"rel":2943},"https:\u002F\u002Ftheupdateframework.io",[122],"TUF",[17,2946,2947,26,2950,124,2955,2960,2961,2964],{},[23,2948,2949],{},"Versioning:",[28,2951,2954],{"href":2952,"rel":2953},"https:\u002F\u002Fsemver.org",[122],"SemVer",[28,2956,2959],{"href":2957,"rel":2958},"https:\u002F\u002Fpeps.python.org\u002Fpep-0440\u002F",[122],"PEP 440"," (Python versions), ",[28,2962,1446],{"href":1444,"rel":2963},[122]," (npm range syntax)",[17,2966,2967,26,2970,2975,2976],{},[23,2968,2969],{},"Container:",[28,2971,2974],{"href":2972,"rel":2973},"https:\u002F\u002Fopencontainers.org\u002F",[122],"OCI"," (image and distribution specs), ",[28,2977,2980],{"href":2978,"rel":2979},"https:\u002F\u002Fgithub.com\u002Fopencontainers\u002Fimage-spec\u002Fblob\u002Fmain\u002Fartifacts-guidance.md",[122],"OCI Artifacts",[17,2982,2983,26,2986,2991],{},[23,2984,2985],{},"Signing envelopes:",[28,2987,2990],{"href":2988,"rel":2989},"https:\u002F\u002Fgithub.com\u002Fsecure-systems-lab\u002Fdsse",[122],"DSSE"," (Dead Simple Signing Envelope)",[2993,2994],"hr",{},[17,2996,2997,2998,3003,3004,2659],{},"Missing something? 
",[28,2999,3002],{"href":3000,"rel":3001},"https:\u002F\u002Fgithub.com\u002Fandrew\u002Fnesbitt.io",[122],"Send a pull request"," or ",[28,3005,3008],{"href":3006,"rel":3007},"https:\u002F\u002Fgithub.com\u002Fandrew\u002Fnesbitt.io\u002Fissues",[122],"open an issue",{"title":3010,"searchDepth":3011,"depth":3011,"links":3012},"",2,[3013,3014,3015,3016,3017,3018,3019,3020,3021,3022,3023,3024,3025,3026,3027,3028,3029,3030],{"id":104,"depth":3011,"text":31},{"id":644,"depth":3011,"text":36},{"id":898,"depth":3011,"text":899},{"id":975,"depth":3011,"text":976},{"id":1057,"depth":3011,"text":1058},{"id":1242,"depth":3011,"text":1243},{"id":1336,"depth":3011,"text":1337},{"id":1472,"depth":3011,"text":60},{"id":1606,"depth":3011,"text":64},{"id":1739,"depth":3011,"text":1740},{"id":1998,"depth":3011,"text":1999},{"id":2184,"depth":3011,"text":2185},{"id":2384,"depth":3011,"text":80},{"id":2466,"depth":3011,"text":2467},{"id":2595,"depth":3011,"text":2596},{"id":2651,"depth":3011,"text":92},{"id":2722,"depth":3011,"text":2723},{"id":2859,"depth":3011,"text":2860},"https:\u002F\u002Fnesbitt.io\u002F2026\u002F01\u002F03\u002Fthe-package-management-landscape","nesbitt.io","package-management","2026-01-03","A directory of tools, systems, and services that relate to package management.","md",false,null,{},true,"\u002Freports\u002Fthe-package-management-landscape",{"title":10,"description":3035},"reports\u002Fthe-package-management-landscape","QQ8dpY4KX7_TWwMcDkFajZ5nYbIabqHvgaDs2ABHYqI",1780596102968]