Post · bonfire.cafe

Post

@andrewnez@mastodon.social · 2 hours ago

Every new package manager has to convince OSV, PURL, Dependabot, Renovate, Snyk, Syft, deps.dev, GitHub, GitLab, JFrog, and Sonatype to care... separately.

Exploring all the steps @zig's package manager will need to take to be fully integrated into the OSS Security Ecosystem: https://nesbitt.io/2026/01/29/zig-and-the-mxn-supply-chain-problem.html

Andrew Nesbitt

@andrewnez@mastodon.social replied · 2 hours ago

Another case for https://nesbitt.io/2026/01/22/a-protocol-for-package-management.html

Andrew Nesbitt

A Protocol for Package Management

A shared vocabulary for resolution, publishing, and governance across ecosystems.

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.2-alpha.7 no JS en

Automatic federation enabled