
Posts by Andrew Nesbitt

Fixed this :)

20 hours ago 3 2 1 0

Andrew does a better job than we do at walking through the features of npmx.dev. We need to set up a resources page to link to these kinds of posts. If you care about registries, ecosystems, and open source, queue every single one of Andrew's posts to your reading list.

5 days ago 37 2 1 0
npmx social london #1 | Guild Apr 16th 5:00PM: Come join us in the pub! We have a table between 17:00 and 19:00 BST, after which the meetup officially ends but we'll likely all be around. Check the Bluesky thread to find out where...

we're having a little npmx social tonight in London! come join us for conversation, food, beer, and stickers 🥳

guild.host/events/npmx-...

5 days ago 33 10 1 1
Features everyone should steal from npmx What happens when users design their own package registry frontend

Features everyone should steal from @npmx.dev nesbitt.io/2026/04/16/f...

5 days ago 50 5 1 1
The Tuesday Test Like the Turing test but with more tacos.

The Tuesday test 🌮 nesbitt.io/2026/04/15/t...

6 days ago 1 0 0 0
Standing on the shoulders of Homebrew Rewriting the easy parts of Homebrew.

Standing on the shoulders of Homebrew: nesbitt.io/2026/04/14/s...

1 week ago 7 1 0 0
Common Package Specification Not the cross-ecosystem format the name suggests.

Common Package Specification: Not the cross-ecosystem format the name suggests.

nesbitt.io/2026/04/13/c...

1 week ago 1 1 0 0
Package Registries and Pagination 100MB of metadata for 10,451 versions.

Package Registries and Pagination - 100MB of metadata for 10,451 versions: nesbitt.io/2026/04/10/p...

1 week ago 0 0 0 0
Package Security Defenses for AI Agents Lockfiles, sandboxes, and cooldown timers.

Following on from yesterday's post about package security problems for AI agents, here's some potential defenses: nesbitt.io/2026/04/09/p...

1 week ago 0 0 0 0
Package Security Problems for AI Agents Packages all the way down, agents all the way up.

Package Security Problems for AI Agents: nesbitt.io/2026/04/08/p...

1 week ago 1 1 0 0
Prompts Pranking Peers Recreating office-style pranks in a remote AI-loving world

Recreating office-style pranks in a remote AI-loving world

2 weeks ago 2 1 0 0
Who Built This? Tracing a dependency back to its source commit.

Who Built This? nesbitt.io/2026/04/07/w...

2 weeks ago 1 1 0 0
Package management challenges with Andrew Nesbitt Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren’t very many people who loo...

I had a chat with @andrewnez.bsky.social about why creating a new package repository is so hard. There are a ton of little details like support from SBOM and vulnerability scanners nobody even thinks about. There are so many little details

Andrew does a great job explaining all this and more

2 weeks ago 5 1 0 0
screenshot of the first page of my “Stamp It! All Programs Must Report Their Version” blog post:

Recently, during a production incident response, I guessed the root cause of an outage correctly within less than an hour (cool!) and submitted a fix just to rule it out, only to then spend many hours fumbling in the dark because we lacked visibility into version numbers and rollouts… 😞

This experience made me think about software versioning again, or more specifically about build info (build versioning, version stamping, however you want to call it) and version reporting. I realized that for the i3 window manager, I had solved this problem well over a decade ago, so it was really unexpected that the problem was decidedly not solved at work.

In this article, I’ll explain how 3 simple steps (Stamp it! Plumb it! Report it!) are sufficient to save you hours of delays and stress during incident response.

[…]


screenshot of the last page of my “Stamp It! All Programs Must Report Their Version” blog post: 

Conclusion: Stamp it! Plumb it! Report it!
My argument is simple:

Stamping the VCS revision is conceptually easy, but very important!

For example, if the production system from the incident I mentioned had reported its version, we would have saved multiple hours of mitigation time!

Unfortunately, many environments only identify the build output (useful, but orthogonal), but do not plumb the VCS revision (much more useful!), or at least not by default.

Your action plan to fix it is just 3 simple steps:

Stamp it! Include the source VCS revision in your programs.
This is not a new idea: i3 builds include their git-describe(1) revision since 2012!
Plumb it! When building / packaging, ensure the VCS revision does not get lost.
My “VCS rev with NixOS” case study section above illustrates several reasons why the VCS rev could get lost, which paths can work and how to fix the missing plumbing.
Report it! Make your software print its VCS revision on every relevant surface, for example:
[…]


New blog post 🥳

Stamp It! All Programs Must Report Their Version

In this article, I’ll explain how 3 simple steps (Stamp it! Plumb it! Report it!) are sufficient to save you hours of delays and stress during incident response.

Read more: michael.stapelberg.ch/posts/2026-0...

#nix #golang #linux

2 weeks ago 11 3 2 0
The Cathedral and the Catacombs Stretching a metaphor deep into the floor.

The Cathedral and the Catacombs - Stretching a metaphor deep into the floor.

nesbitt.io/2026/04/06/t...

2 weeks ago 0 0 0 0
What does Open Source mean? A stack of incompatible expectations.

What does Open Source mean? nesbitt.io/2026/04/04/w...

2 weeks ago 15 4 1 0
Package Manager Easter Eggs A tour of the easter eggs hiding inside package managers.

Package Manager Easter Eggs: nesbitt.io/2026/04/03/p...

2 weeks ago 2 0 0 0
npm's Defaults Are Bad The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.

One of the strengths of Homebrew, despite it being unpopular, is being willing to break backwards compatibility when necessary.

NPM’s unwillingness to do so reflects GitHub’s: both show excessive caution that harms both security and usability.

2 weeks ago 13 4 0 0
npm’s Defaults Are Bad The npm client’s default settings are a root cause of JavaScript’s recurring supply chain security problems.

npm's Defaults Are Bad: nesbitt.io/2026/03/31/n...

3 weeks ago 8 2 1 0
Worst Advice Ever
Worst Advice Ever YouTube video by The PrimeTime

Turns out my blog was featured on a rather popular YouTube channel: www.youtube.com/watch?v=DAHZ...

3 weeks ago 4 0 0 0
Git Diff Drivers What git’s diff drivers can do, from built-in language support to custom textconv filters.

Git Diff Drivers: nesbitt.io/2026/03/30/g...

3 weeks ago 1 1 0 0
The Roles of Packages Applying Sajaniemi’s roles of variables to packages across every kind of package manager.

The Roles of Packages: nesbitt.io/2026/03/29/t...

3 weeks ago 0 0 0 0
The Top 10 Biggest Conspiracies in Open Source I’m not connecting these dots. I’m just pointing out that the dots are there.

The Top 10 Biggest Conspiracies in Open Source: nesbitt.io/2026/03/25/t...

3 weeks ago 2 0 0 0
Captain America sat backwards on a chair like a camp counsellor


So your boss built a prototype on the train...

mynameismartin.co.uk/blog/your-bo...

4 weeks ago 24 6 0 1
How to Attract AI Bots to Your Open Source Project A practical guide to getting the engagement your project deserves.

How to Attract AI Bots to Your Open Source Project: nesbitt.io/2026/03/21/h...

(This post was contributed by an AI bot)

4 weeks ago 8 1 1 0
Package Manager Mirroring Every mirroring tool I could find, and the protocols underneath them.

Nerd sniped again, this time by @miketheman.com, into looking at how various package managers do mirroring: nesbitt.io/2026/03/20/p...

1 month ago 8 2 0 0
The Fragmented World of Dependency Policy Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.

The Fragmented World of Dependency Policy: nesbitt.io/2026/03/19/t...

1 month ago 0 0 1 0

Me too, some of the biggest I’ve ever seen this past couple weeks

1 month ago 1 1 1 0
Git Remote Helpers Git can talk to anything if you write the right helper.

Nerd sniped by Bastien Guerry of @softwareheritage.org into writing about git remote helpers: nesbitt.io/2026/03/18/g...

1 month ago 0 2 0 0