I'm a software engineer based in the UK, mostly working with Ruby. I’ve spent over a decade working in the world of package management and software dependencies — building tools to make open source more understandable, discoverable, and sustainable.
These days I’m focused on Ecosyste.ms, a project that maps dependency networks across open-source ecosystems to identify the projects that really matter — the ones everything else relies on. It builds on ideas from Libraries.io, which I started and later sold to Tidelift, and takes the concept further with broader data coverage and deeper analysis.
I also created Octobox, which helps developers manage GitHub notifications, and 24 Pull Requests, an initiative to encourage open-source contributions during December.
- Package managers keep using git as a database, it never works out
- Could lockfiles just be SBOMs?
- Package Registries Are Governance Providers
- Jekyll Stats Plugin
- Federated Package Management and the Zooko Triangle
- Package Managers Devroom at FOSDEM 2026: Schedule Announced
- Why JavaScript Needed Docker
- Docker is the Lockfile for System Packages
- Typosquatting in Package Managers
- How I Assess Open Source Libraries
- go-bundler
- changelog-parser - Parse changelog files into structured data
- semgrep-codeql - Converted security rules fromcodeql to semgrep format.
- jekyll-stats - Jekyll plugin that generates site statistics
- typosquatting - Detect potential typosquatting packages across package ecosystems
- sbom - Parse, generate, and validate Software Bill of Materials (SBOM)
- oss-community-benchmarks - A benchmark framework where maintainers define what good AI-generated code looks like for their ecosystem.
- swhid - Generate and parse SoftWare Hash IDentifiers (SWHIDs)
- hanami-sprockets - An alternative to hanami-assets that doesn't rely on npm
- sidekiq-mcp - A Sidekiq plugin that provides an MCP (Model Context Protocol) server for LLMs to interact with Sidekiq queues, stats, and failed jobs