A weekly roundup of package management news covering security incidents, releases, and articles. Security highlights include fixes in uv 0.11.15 and 0.11.16, a CVE patch in Ruby 4.0.5, the exfiltration of a GitHub internal repository via a poisoned VS Code extension attributed to TeamPCP, and a postmortem of the Nx Console compromise. Release news covers Deno 2.8 making npm the default registry and shipping new tooling, pnpm 11.2.2 adding a Rust-backed install phase via pacquet, conda 26.5.0, Composer 2.10.0-RC2, and Homebrew 5.1.12 and 5.1.13. Articles cover npm staged publishing with 2FA promotion gates, NuGet package pruning in .NET 10, a recap of the Python Packaging Summit, and the PHP Foundation's new Ecosystem Security Team.