Language package registries (npm, PyPI, RubyGems, etc.) behave structurally like Debian's 'unstable' channel — any authenticated publisher can push any version and it becomes the default resolution target within minutes, with no promotion gate. Unlike OS package managers, which default to stable channels and require packages to pass through testing before reaching users, language registries offer only one lane that behaves like the bleeding-edge one. This design is a root cause of recurring supply-chain attacks, not a series of unlucky incidents. The author traces how the ecosystem is slowly reconstructing Debian's promotion model piecemeal — through cooldown flags in pnpm, npm, uv, pip, and Bun, through proxy tools like devpi and Athens, and through registry-level experiments like gem.coop — without using the vocabulary or acknowledging the prior art. Stackage is cited as an existence proof that a curated stable lane can be layered over an open registry. The author argues that if npm or PyPI honestly labeled their index as a development staging area (like Debian sid), few teams would deliberately point production builds at it — yet every production build does exactly that today because no alternative has ever been offered.
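The cooldown flags mentioned above all implement the same rule: resolve to the newest version that has already been public for some minimum time, and hold back anything younger. The following is an added example, not code from the article or from any of the tools it names; it shows that rule as a small resolver over release metadata in the shape of PyPI's JSON API `releases` object. The package name, versions and upload dates are constructed for the example, and the `select_with_cooldown` function and its helpers are assumed names.

```python
"""Cooldown-based version selection, written as a stand-alone illustration."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of PyPI's JSON API "releases" object
# (version -> list of uploaded files). Package, versions and dates are invented.
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2024-01-01T12:00:00.000000Z", "yanked": False}],
    "1.1.0": [{"upload_time_iso_8601": "2024-02-20T09:30:00.000000Z", "yanked": False}],
    "1.1.1": [{"upload_time_iso_8601": "2024-02-22T09:30:00.000000Z", "yanked": True}],
    "1.2.0": [{"upload_time_iso_8601": "2024-02-28T23:15:00.000000Z", "yanked": False}],
    "2.0.0rc1": [{"upload_time_iso_8601": "2024-02-29T08:00:00.000000Z", "yanked": False}],
}

# Fixed "now" so the example is deterministic; a real resolver would use the current time.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def _parse_time(stamp):
    """Parse the registry's ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _numeric_version(version):
    """Return a sortable tuple for plain dotted versions; None for pre-release tags."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        return None  # pre-releases are not promotion candidates in this example
    return tuple(int(p) for p in parts)


def release_time(files):
    """A release is only as old as its newest uploaded file."""
    return max(_parse_time(f["upload_time_iso_8601"]) for f in files)


def select_with_cooldown(releases, cooldown, now=NOW):
    """Pick the newest version published at least `cooldown` ago.

    Returns (chosen_version_or_None, versions_held_back_by_the_cooldown).
    Yanked and non-numeric (pre-release) versions are never candidates.
    """
    cutoff = now - cooldown
    eligible, held = [], []
    for version, files in releases.items():
        key = _numeric_version(version)
        if key is None or not files or any(f.get("yanked") for f in files):
            continue
        if release_time(files) <= cutoff:
            eligible.append((key, version))
        else:
            held.append(version)
    chosen = max(eligible)[1] if eligible else None
    return chosen, sorted(held, key=_numeric_version)


if __name__ == "__main__":
    for days in (0, 7, 30):
        chosen, held = select_with_cooldown(SAMPLE_RELEASES, timedelta(days=days))
        print(f"cooldown={days:>2}d -> install {chosen!s:<6} held back: {held}")
```

With a 0-day cooldown the resolver behaves like today's registries and installs `1.2.0`, the version pushed two days ago; with a 7-day cooldown it installs `1.1.0` and reports `1.2.0` as held, which is the window in which a malicious or broken release is most likely to be noticed and yanked before it reaches a build.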

10 min read. From nesbitt.io