{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigjghodtorreyvzafrqssnlg7pqdagilwjgjw3sz2cc2xac27xzgm",
"uri": "at://did:plc:vzenumnmvvg6xrdnzya4ofix/app.bsky.feed.post/3mmx2nm44gwx2"
},
"path": "/2026/05/23/this-week-in-package-management.html",
"publishedAt": "2026-05-23T10:00:00.000Z",
"site": "https://nesbitt.io",
"tags": [
"package manager OPML feed collection",
"Mastodon",
"removing npm-shrinkwrap.json entirely",
"uv 0.11.15",
"TAR parser differential",
"entry points escaping the scripts directory",
"0.11.16",
"Ruby 4.0.5",
"The Register reports",
"postmortem of the Nx Console v18.95.0 compromise",
"dependabot-core issue",
"Deno 2.8",
"pnpm 11.2.2",
"conda 26.5.0",
"CEP 164–166",
"Composer 2.10.0-RC2",
"Homebrew 5.1.12",
"5.1.13",
"RubyGems and Bundler 4.0.12",
"Verdaccio 6.7.0",
"PDM 2.27.0",
"announced an official pkg.go.dev API",
"announced staged publishing and new install-source controls",
"package pruning in .NET 10",
"Python Packaging Summit recap",
"ACM Queue",
"announced an Ecosystem Security Team",
"malware filter list support live in Private Packagist",
"wrote up several months of contributions to zizmor",
"typosquatting audit",
"pypitoken-cli",
"diffify",
"listen to PyPI",
"Listen to Wikipedia",
"resurrecting OCaml system packaging",
"open VS Code issue",
"git-pkgs v0.16.1",
"brief",
"proxy",
"manifests",
"registries",
"resolve",
"forge",
"enrichment",
"spdx",
"outline",
"gitignore",
"@andrewnez@mastodon.social",
"@pnpm"
],
"textContent": "I’m trying out a weekly roundup built from the package manager OPML feed collection and whatever I’ve posted or boosted on Mastodon.\n\nnpm is removing npm-shrinkwrap.json entirely in the v12 prereleases. The command, the config alias, and the loader all gone; project-root shrinkwraps need renaming to `package-lock.json` and shipping a locked tree inside a tarball now means `bundleDependencies`.\n\n## Security\n\nuv 0.11.15 fixes two issues worth patching for: a TAR parser differential and entry points escaping the scripts directory. 0.11.16 followed with `uv audit` now refusing locked installs that match known-malware records.\n\nRuby 4.0.5 shipped with a fix for CVE-2026-46727; anyone on 4.0.0 through 4.0.4 should update.\n\nGitHub confirmed that around 4,000 of its own internal repositories were exfiltrated this week. The Register reports the entry point was a poisoned VS Code extension and attributes it to TeamPCP, the group behind the Shai-Hulud worm.\n\nThe Nx team published a postmortem of the Nx Console v18.95.0 compromise, another poisoned VS Code extension. The detail that stands out: the affected contributor had `minimum-release-age` set in `.npmrc`, but their pnpm was old enough to silently ignore the unknown key, so a 77-minute-old malicious package sailed through.\n\nA dependabot-core issue points out that the cooldown setting can be bypassed by an attacker who controls the version timestamps, which is most of them. Worth knowing if you’ve been treating it as a security control rather than a noise filter.\n\n## Releases\n\nDeno 2.8 makes npm the default registry: `deno add` and `deno install` now treat an unprefixed name as an npm package, with `jsr:` becoming the thing you opt into. It also ships `deno pack` for turning a Deno or JSR project into an npm-publishable tarball, plus `deno ci`, `deno why`, `deno audit fix`, a pnpm-style `catalog:` protocol, optional hoisted `node_modules`, and `min-release-age` support in `.npmrc`. Hard not to read a direction of travel into that list.\n\npnpm 11.2.2 adds an opt-in preview where adding `@pnpm/pacquet` to `configDependencies` hands the materialisation phase of `pnpm install` to the Rust port. Resolution stays in pnpm; pacquet just fetches and links from the lockfile.\n\nconda 26.5.0 lands parser support for conditional dependencies, optional dependency groups, and variant flags from CEP 164–166.\n\nComposer 2.10.0-RC2 is out with a call for testers; `composer self-update --preview` to try it, `--stable` to bail.\n\nHomebrew 5.1.12 adds `brew exec`, an npx-style launcher that finds which formula provides an executable and runs it. 5.1.13 followed with RubyGems licence checking in audit.\n\nRubyGems and Bundler 4.0.12 tidy up `BUNDLE_VERSION` handling and add a warning when an indirect dependency might be confused with a direct one.\n\nVerdaccio 6.7.0 bumps the Node baseline to 24 and starts soft-warning on older runtimes. PDM 2.27.0 does the same for Python, now requiring 3.10.\n\n## Articles\n\nThe Go team announced an official pkg.go.dev API: stateless GET endpoints for modules, versions, symbols, vulnerabilities, and search. No more scraping the HTML.\n\nnpm announced staged publishing and new install-source controls. `npm stage publish` uploads to a holding queue and a human with a 2FA challenge has to promote it before anyone can install. Alongside it, `--allow-file`, `--allow-remote`, and `--allow-directory` join `--allow-git` so you can lock installs to registry sources only; `--allow-git` flips to `none` by default in v12.\n\nThe NuGet blog wrote up package pruning in .NET 10, which trims transitive packages that the shared framework already provides and cuts the corresponding noise out of vulnerability reports.\n\nGábor Bernát posted his Python Packaging Summit recap from PyCon US, covering what got argued about in the room this year.\n\nA Bloomberg-authored piece in ACM Queue argues that companies need to move from passive consumption to active stewardship of the open source they depend on.\n\nThe PHP Foundation announced an Ecosystem Security Team funded by an Alpha-Omega grant. Packagist meanwhile has malware filter list support live in Private Packagist ahead of Composer 2.10.\n\nTrail of Bits wrote up several months of contributions to zizmor. A typosquatting audit for Actions references that I wrote also landed this week.\n\n## Elsewhere\n\npypitoken-cli from Catherine takes an account-scoped PyPI token and narrows it to a package-scoped one from the command line.\n\ndiffify shows what changed between two versions of a CRAN or PyPI package: function signatures, dependencies, namespace exports. listen to PyPI plays a note for every upload to the index, in the Listen to Wikipedia tradition.\n\nAnil Madhavapeddy has been resurrecting OCaml system packaging and writing up how it fits together.\n\nThe GitHub incident prompted an open VS Code issue asking for cooldowns on extension auto-updates. The Dependabot bypass above is a useful read before treating that as solved.\n\n## git-pkgs\n\nI tagged git-pkgs v0.16.1 along with a bunch of new versions other repos in the git-pkgs org: brief, proxy, manifests, registries, resolve, forge, enrichment, spdx, outline, and gitignore.\n\nSend links for next week to @andrewnez@mastodon.social.",
"title": "This Week in Package Management: 23 May 2026",
"updatedAt": "2026-05-23T10:00:00.000Z"
}