Andrew Nesbitt

@andrewnez
1.7K Followers
726 Following
2.7K Posts
Package Management Nerd, working on mapping the world of open source software https://ecosyste.ms and blogging about package managers at https://nesbitt.io
GitHub: https://github.com/andrew
Twitter: https://twitter.com/teabass
Homepage: https://nesbitt.io
bsky: https://bsky.app/profile/andrewnez.bsky.social
Skills Registry Threat Models

How long until we see a CVE filed against a markdown file?


Andrew Nesbitt
🌳 pipdeptree 3.0 is out. New: render a dependency tree straight from PyPI (needs index extra) or a PEP 751 lockfile without installing anything, render it in a Jupyter notebook, and see extras by default. Try it 👉 https://pipdeptree.readthedocs.io/en/latest/tutorial/getting-started.html#render-a-lock-file
Getting started - pipdeptree

Can you guess what I've been investigating again 😓
@andrewnez pkg:markdown/SKILL.md?content=data:base64;deadbeef...
@andrewnez Chore: bump version
I love it when the first line of a changelog entry is "Updated changelog"
“Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.” — https://blog.rubygems.org/2026/06/03/cooldown-let-new-gems-be-vetted.html
Cool down before you install: give new gems a few days to be vetted

Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. ...

RubyGems Blog

So much of the critical infrastructure that we rely on contains open source projects that are under-resourced and struggling. One (of many) ways to help these projects is by funding development and maintenance so that contributors can focus on this work, but times are tough. OSPOs are feeling the pinch, and it can be hard to justify continuing to fund open source projects. Measuring the impact of funding open source isn’t easy, and there is no one approach, so I just wrote this blog post to help you get started.

https://fastwonderblog.com/2026/06/02/how-ospos-can-measure-the-impact-of-oss-funding/

How OSPOs can Measure the Impact of OSS Funding | Fast Wonder