The article discusses features from npmx that other package managers should consider adopting. It highlights specific capabilities that could improve developer workflows and tooling efficiency across different ecosystems.
#package-management
15 items
The author discusses switching from uv to PDM for Python dependency management, noting PDM's advantages in handling monorepos and its plugin ecosystem. The transition involved adapting workflows and configuration files to the new tool.
The mise project has been renamed to Aube, marking a new phase for the Node.js version management tool. This change represents a fresh start while maintaining the tool's core functionality for managing Node installations.
The article discusses implementing package cooldowns using Software Bill of Materials (SBOMs) to manage software supply chain security. It explains how SBOMs can help identify and control package usage during vulnerability response periods.
The article discusses missing features in Bundler, Ruby's dependency management tool. It highlights areas where the tool could be improved to better serve developers' needs in managing Ruby project dependencies.
The article discusses a proposal to add dependency cooldowns to Go, which would delay automatic updates to new dependency versions. Despite Go's minimal version selection feature, developers often update dependencies quickly through tools like Dependabot, creating potential issues. The author suggests implementing cooldown settings in go.mod files to ensure consistent application across projects.
Fedora systems accumulate old GPG keys from RPM packages over time. The clean-rpm-gpg-pubkey tool helps remove obsolete keys, while manual removal may be needed for re-issued expired keys that cause DNF update issues.
The article describes a process for updating Ubuntu packages with local changes using dgit. It explains steps including creating a backup branch, fetching upstream updates, discarding the debian/changelog commit before rebasing, and then creating a new changelog entry. The method allows users to maintain their local modifications while incorporating new upstream package updates.
FreeBSD 15 now allows managing the entire system through the pkg package manager using freebsd-base (pkgbase), moving away from the traditional split where freebsd-update handled the base system. The author reports positive experiences with pkg-based management on multiple FreeBSD 15 installations, finding updates painless and the unified approach easier to manage.
The npm audit tool reports 99 vulnerabilities, with 84 categorized as moderately irrelevant and 15 as highly irrelevant. The article argues that npm audit is fundamentally flawed in its design approach to vulnerability reporting.
The article discusses security defenses for AI agents, including lockfiles, sandboxes, and cooldown timers as protective measures.
The author announces they are abandoning RubyGems as a package manager for their projects, citing concerns about its governance and maintenance. They will move their projects to alternative distribution methods while continuing to support existing RubyGems releases.
The article explains how to implement flake checks in shell scripts for Nix projects. It demonstrates using shell scripts to run checks and tests as part of the Nix flake development workflow.
The article describes how to create ad-hoc Emacs packages using Nix with just a few lines of code. It explains a method for quickly packaging Emacs configurations and extensions in the Nix ecosystem.
A supply chain attack has compromised the popular npm axios HTTP client library with 300 million weekly downloads. Malicious versions install a remote access trojan, though some users may have avoided infection through version pinning or older installations. Security experts warn this is a live compromise affecting one of npm's most depended-on packages.