[{"data":1,"prerenderedAt":392},["ShallowReactive",2],{"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns":3,"\u002Fideas":8},["Island",4],{"key":5,"result":6},"NoscriptNav_XrRK2e2e8meJ0jKVGkb5ULGQDVi3UiFQ9nupAr7Yns",{"head":7},{},[9,22,31,39,46,52,59,65,72,78,84,90,96,103,109,115,121,127,133,139,145,151,157,163,169,175,181,187,192,198,204,210,216,222,228,234,240,246,252,259,265,271,277,283,289,295,301,307,313,319,325,331,337,343,349,355,361,367,373,379,385],{"path":10,"title":11,"description":12,"authors":13,"date":15,"category":16,"featured":17,"hidden":18,"ctaText":19,"ctaAction":20,"ctaLink":21},"\u002Fideas\u002Fa-research-lab-for-open-source","A Research Lab for Open Source","We're launching the world's first research lab dedicated to Open Source sustainability.",[14],"vlad","2026-07-30","philosophy",false,true,"Want to strengthen Open Source together?","Sponsor us","\u002Fsponsor",{"path":23,"title":24,"description":25,"authors":26,"date":28,"category":29,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fospos-impact-funding","How OSPOs can Measure the Impact of OSS Funding","Measuring the impact of open source funding can help justify future rounds of funding",[27],"dawn","2026-06-02","funding-tech-infrastructure",null,{"path":32,"title":33,"description":34,"authors":35,"date":37,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fgithub-actions-security-in-python-packages","GitHub Actions security in Python packages","Thank you Dr. Zizmor",[36],"andrew","2026-05-25","software-supply-chains",{"path":40,"title":41,"description":42,"authors":43,"date":44,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fsigning-is-for-the-bad-days","Signing is for the bad days","TUF, in-toto, and Sigstore only look pointless while nothing is on fire",[36],"2026-05-24","package-management",{"path":47,"title":48,"description":49,"authors":50,"date":51,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fdependency-pruning","Dependency Pruning","A survey of unused-dependency detectors",[36],"2026-05-22",{"path":53,"title":54,"description":55,"authors":56,"date":57,"category":58,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fnvim-treesitter-burnout","Open Source Burnout Claims Another Project","Yet another OSS maintainer quits because of burnout. To fix this, we need better mental health resources for maintainers.",[14],"2026-05-20","maintainer-well-being",{"path":60,"title":61,"description":62,"authors":63,"date":64,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Flanguage-registries-are-unstable-by-default","Language Registries Are Unstable by Default","apt install -t unstable, but make it your whole personality",[36],"2026-05-15",{"path":66,"title":67,"description":68,"authors":69,"date":70,"category":71,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fcentrality-is-not-vitality","Centrality is not vitality","Don't automatically reach for PageRank on dependency graphs",[36],"2026-05-14","software-metrics",{"path":73,"title":74,"description":75,"authors":76,"date":77,"category":71,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fthe-mismeasure-of-open-source","The Mismeasure of Open Source","The streetlight effect in project-health scoring",[36],"2026-05-09",{"path":79,"title":80,"description":81,"authors":82,"date":83,"category":38,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fweekend-at-bernies","Weekend at Bernie's","Which of your dependencies are wearing sunglasses",[36],"2026-05-08",{"path":85,"title":86,"description":87,"authors":88,"date":89,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Ffree-as-in-tribbles","Free as in Tribbles","The next metaphor after free-as-in-puppy",[36],"2026-05-07",{"path":91,"title":92,"description":93,"authors":94,"date":95,"category":38,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Frevisiting-the-2015-open-source-census","Revisiting the 2015 Open Source Census","The riskiest projects in open source, scored a decade early",[36],"2026-05-06",{"path":97,"title":98,"description":99,"authors":100,"date":101,"category":102,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fa-github-for-maintainers","A GitHub for maintainers","Giving dependencies the same treatment the fork got",[36],"2026-05-02","tooling",{"path":104,"title":105,"description":106,"authors":107,"date":108,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpatching-and-forking-in-package-managers","Patching and forking in package managers","What to do when upstream ghosts you",[36],"2026-05-01",{"path":110,"title":111,"description":112,"authors":113,"date":114,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fgithub-actions-is-the-weakest-link","GitHub Actions is the weakest link","Anne Robinson would like a word with .github\u002Fworkflows",[36],"2026-04-28",{"path":116,"title":117,"description":118,"authors":119,"date":120,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fthe-stages-of-package-installation","The stages of package installation","Denial, anger, bargaining, depression, acceptance, postinstall.",[36],"2026-04-27",{"path":122,"title":123,"description":124,"authors":125,"date":126,"category":102,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Ffeatures-everyone-should-steal-from-npmx","Features everyone should steal from npmx","What happens when users design their own package registry frontend",[36],"2026-04-16",{"path":128,"title":129,"description":130,"authors":131,"date":132,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fstanding-on-the-shoulders-of-homebrew","Standing on the shoulders of Homebrew","Rewriting the easy parts of Homebrew.",[36],"2026-04-14",{"path":134,"title":135,"description":136,"authors":137,"date":138,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fcommon-package-specification","Common Package Specification","Not the cross-ecosystem format the name suggests.",[36],"2026-04-13",{"path":140,"title":141,"description":142,"authors":143,"date":144,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fwho-built-this","Who Built This?","Tracing a dependency back to its source commit.",[36],"2026-04-07",{"path":146,"title":147,"description":148,"authors":149,"date":150,"category":16,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fwhat-does-open-source-mean","What does Open Source mean?","A stack of incompatible expectations.",[36],"2026-04-04",{"path":152,"title":153,"description":154,"authors":155,"date":156,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fnpms-defaults-are-bad","npm's Defaults Are Bad","The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.",[36],"2026-03-31",{"path":158,"title":159,"description":160,"authors":161,"date":162,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fthe-fragmented-world-of-dependency-policy","The Fragmented World of Dependency Policy","Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.",[36],"2026-03-19",{"path":164,"title":165,"description":166,"authors":167,"date":168,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Freviewing-enisas-package-manager-advisory","Reviewing ENISA's Package Manager Advisory","Notes on ENISA's Technical Advisory for Secure Use of Package Managers.",[36],"2026-03-12",{"path":170,"title":171,"description":172,"authors":173,"date":174,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fif-it-quacks-like-a-package-manager","If It Quacks Like a Package Manager","Some tools waddle like package managers without learning to swim.",[36],"2026-03-08",{"path":176,"title":177,"description":178,"authors":179,"date":180,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpackage-managers-need-to-cool-down","Package Managers Need to Cool Down","A survey of dependency cooldown support across package managers and update tools.",[36],"2026-03-04",{"path":182,"title":183,"description":184,"authors":185,"date":186,"category":16,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fnpmx-a-lesson-in-open-source-collaboration-feedback-loops","npmx: A Lesson in Open Source's Collaboration Feedback Loops","npmx's success is reminding us why Open Source is such a special social phenomenon.",[14],"2026-03-03",{"path":188,"title":189,"description":190,"authors":191,"date":186,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpackage-management-is-naming-all-the-way-down","Package Management is Naming All the Way Down","There are two hard problems in computer science, and package managers found at least eight of them.",[36],{"path":193,"title":194,"description":195,"authors":196,"date":197,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Ftransitive-trust","Transitive Trust","You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?",[36],"2026-03-02",{"path":199,"title":200,"description":201,"authors":202,"date":203,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fdownstream-testing","Downstream Testing","Most library maintainers have no way to test against their dependents before releasing.",[36],"2026-03-01",{"path":205,"title":206,"description":207,"authors":208,"date":209,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Ftwo-kinds-of-attestation","Two Kinds of Attestation","The oldest problem in computer science, but with toasters.",[36],"2026-02-25",{"path":211,"title":212,"description":213,"authors":214,"date":215,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fwhere-do-specifications-fit-in-the-dependency-tree","Where Do Specifications Fit in the Dependency Tree?","RFC 9110 is a phantom dependency with thousands of transitive dependents.",[36],"2026-02-23",{"path":217,"title":218,"description":219,"authors":220,"date":221,"category":16,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fwhale-fall","Whale Fall","What happens when a large open source project dies.",[36],"2026-02-21",{"path":223,"title":224,"description":225,"authors":226,"date":227,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fwhat-package-registries-could-borrow-from-oci","What Package Registries Could Borrow from OCI","OCI's storage primitives applied to package management.",[36],"2026-02-18",{"path":229,"title":230,"description":231,"authors":232,"date":233,"category":58,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Frespectful-open-source","Respectful Open Source","Maintainer attention as a finite resource.",[36],"2026-02-13",{"path":235,"title":236,"description":237,"authors":238,"date":239,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Flockfiles-killed-vendoring","Lockfiles Killed Vendoring","Why almost nobody vendors their dependencies anymore.",[36],"2026-02-10",{"path":241,"title":242,"description":243,"authors":244,"date":245,"category":45,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fwill-ai-make-package-managers-redundant","Will AI Make Package Managers Redundant?","Following the prompt registry idea to its logical conclusion.",[36],"2026-01-30",{"path":247,"title":248,"description":249,"authors":250,"date":251,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fzig-and-the-mxn-supply-chain-problem","Zig and the M×N Supply Chain Problem","Zig's long road to supply chain security.",[36],"2026-01-29",{"path":253,"title":254,"description":255,"authors":256,"date":257,"category":258,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fthe-dependency-layer-in-digital-sovereignty","The Dependency Layer in Digital Sovereignty","Where package management fits in the digital sovereignty discussion.",[36],"2026-01-28","governance",{"path":260,"title":261,"description":262,"authors":263,"date":264,"category":38,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fthe-c-shaped-hole-in-package-management","The C-Shaped Hole in Package Management","System package managers and language package managers are solving different problems that happen to overlap in the middle.",[36],"2026-01-27",{"path":266,"title":267,"description":268,"authors":269,"date":270,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpkgfed-activitypub-for-package-releases","PkgFed: ActivityPub for Package Releases","Follow serde@crates.io from your Mastodon account",[36],"2026-01-25",{"path":272,"title":273,"description":274,"authors":275,"date":276,"category":102,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Frewriting-git-pkgs-in-go","Rewriting git-pkgs in Go","The dependency history tool is now a single Go binary.",[36],"2026-01-24",{"path":278,"title":279,"description":280,"authors":281,"date":282,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpackage-management-is-a-wicked-problem","Package Management is a Wicked Problem","Why fixing package managers is harder than it looks.",[36],"2026-01-23",{"path":284,"title":285,"description":286,"authors":287,"date":288,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fa-protocol-for-package-management","A Protocol for Package Management","A shared vocabulary for resolution, publishing, and governance across ecosystems.",[36],"2026-01-22",{"path":290,"title":291,"description":292,"authors":293,"date":294,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fimportmap-lock","importmap.lock: a lockfile for the web","Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.",[36],"2026-01-19",{"path":296,"title":297,"description":298,"authors":299,"date":300,"category":102,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fmaking-git-pkgs-feel-like-git","Making git-pkgs feel like Git","What it takes to make a git subcommand feel native.",[36],"2026-01-04",{"path":302,"title":303,"description":304,"authors":305,"date":306,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fhow-dependabot-actually-works","How Dependabot Actually Works","Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives",[36],"2026-01-02",{"path":308,"title":309,"description":310,"authors":311,"date":312,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fthe-compact-index","The Compact Index: How Bundler Scales Dependency Resolution","The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.",[36],"2025-12-28",{"path":314,"title":315,"description":316,"authors":317,"date":318,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fhow-to-ruin-all-of-package-management","How to Ruin All of Package Management","Attach financial incentives to open source metrics and watch the spam flood in.",[36],"2025-12-27",{"path":320,"title":321,"description":322,"authors":323,"date":324,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fhow-uv-got-so-fast","How uv got so fast","uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.",[36],"2025-12-26",{"path":326,"title":327,"description":328,"authors":329,"date":330,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpackage-managers-keep-using-git-as-a-database","Package managers keep using git as a database, it never works out","Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.",[36],"2025-12-24",{"path":332,"title":333,"description":334,"authors":335,"date":336,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fcould-lockfiles-just-be-sboms","Could lockfiles just be SBOMs?","Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?",[36],"2025-12-23",{"path":338,"title":339,"description":340,"authors":341,"date":342,"category":258,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fpackage-registries-are-governance-as-a-service","Package Registries Are Governance Providers","Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.",[36],"2025-12-22",{"path":344,"title":345,"description":346,"authors":347,"date":348,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Ffederated-package-management","Federated Package Management and the Zooko Triangle","The trade-offs that make decentralized package management impractical",[36],"2025-12-21",{"path":350,"title":351,"description":352,"authors":353,"date":354,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fdocker-is-the-lockfile-for-system-packages","Docker is the Lockfile for System Packages","Why Docker filled the reproducibility gap that system package managers left open",[36],"2025-12-18",{"path":356,"title":357,"description":358,"authors":359,"date":360,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fhow-i-assess-open-source-libraries","How I Assess Open Source Libraries","What I actually look at when deciding whether to adopt a dependency.",[36],"2025-12-15",{"path":362,"title":363,"description":364,"authors":365,"date":366,"category":38,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fslopsquatting-meets-dependency-confusion","Slopsquatting meets Dependency Confusion","LLMs can leak internal package names, making dependency confusion attacks easier to scale.",[36],"2025-12-10",{"path":368,"title":369,"description":370,"authors":371,"date":372,"category":45,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fgithub-actions-package-manager","GitHub Actions Has a Package Manager, and It Might Be the Worst","GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning",[36],"2025-12-06",{"path":374,"title":375,"description":376,"authors":377,"date":378,"category":16,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fkeystone-maintainers-keep-the-internet-going","Keystone Maintainers Keep the Internet Going","“Keystone maintainers” is a good name for the most impactful Open Source maintainers.",[14],"2025-11-13",{"path":380,"title":381,"description":382,"authors":383,"date":384,"category":29,"featured":17,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fnot-paying-open-source-maintainers-is-expensive","Not Paying Open Source Maintainers Is Expensive","Not paying for the Open Source software you use can seem like a great deal — but it can end up costing you money.",[14],"2025-06-18",{"path":386,"title":387,"description":388,"authors":389,"date":391,"category":58,"featured":18,"hidden":17,"ctaText":30,"ctaAction":30,"ctaLink":30},"\u002Fideas\u002Fentitlement-in-open-source","Entitlement in Open Source","Homebrew experiences on entitled behaviour in open source, why boundaries matter for maintainers, and definitions for users, contributors and maintainers.",[390],"mike","2022-09-20",1783722776779]