andrewnez

andrewnez, 6 days ago to random

Been doing some research into GitHub Sponsors the past few days.

Out of 27k accounts analysed:

~12k had at least one sponsor,
~2k had at least 10 sponsors,
~900 have more than 100 sponsors 78 more than 1000 (past or present)

About 10% of GitHub sponsor accounts are organizations, 90% individuals.

voxpelli, 14 days ago to random

Me bombarding the @ecosystems API with the new refresh command in my list-dependents-cli 🙈 https://github.com/voxpelli/list-dependents-cli/releases/tag/v1.4.0

@ecosystems Maybe I should get myself some kind of API-key and enable my tool to be given an API-key? Because I'm for sure doing more than 5k requests per hour right now

Animation of me updating ≈3000 dependencies

Di4na, 1 month ago to opensource

PSA:

If you want to create an event to workshop solutions to help heavily ressource constrained maintainers, consider starting from the pov of "what kind of event a resource constrained maintainer could participate in".

Otherwise, your event will join the long list of useless one.

#opensource #foss

andrewnez, 1 month ago to random

I've been playing around with the concept of a "blast radius" for open source security advisories.

The "blast radius" is the log of severity of the advisory (I'm using CVSS score) multiplied by the number of repositories that depend upon that package.

The idea being that a moderate vulnerability in a very popular library has a potentially bigger impact than a critical cve in an unpopular one.

You can see what that looks like when applied to existing advisories here: https://advisories.ecosyste.ms/advisories?order=desc&sort=blast_radius

andypiper, 1 month ago to random

Welp. Flight cancelled and rebooked on a 4pm departure. A day at Heathrow. Joy.

andrewnez, 1 month ago to random

Did a little hacking for a talk I'm giving on Saturday.

See which platforms and websites are most referenced in relation to funding of open source software packages: https://packages.ecosyste.ms/funding/platforms

This is from parsing Funding.yml files, funding links in registry metadata and github sponsor metadata from repository owners.

andrewnez, 1 month ago to random

GitHub Copilot is feeling lazy this morning 😴

andrewnez, 2 months ago to random

Is there such a thing as a “toot” button to embed in websites? https://github.com/andrew/first-pr/issues/1015 cc @andypiper

andrewnez, 2 months ago to random

Autogenerated (maybe via AI?) npm package networks are popping up more frequently now.

Example: https://www.npmjs.com/package/quiet-troops-web3-circus?activeTab=dependents

These packages all have many dependencies and dependents with significant amounts of other dependents.

A lot of the code in them seems to related to crypto wallets, could well be trying to game some kind of funding scheme somewhere. https://www.npmjs.com/~mattewgraham

They all have wild version numbers as well:

glyph, 2 months ago to random

Some Glyph website housekeeping updates today. In the spirit of trying to move towards <https://indieweb.org/POSSE>, I updated the URL in SponCom to be something under my control instead of pointing straight at Patreon: <https://github.com/glyph/SponCom/commit/0ae90e5a21b2e10e3c2f4aba653542b206baf5f4> and finally got around to updating the apex page of <https://glyph.im/> to at least be a redirect instead of this obscure decade-old web-technology gag: <https://glyph.im/glyph.svg>.

andrewnez, 4 months ago to random

I made the ultimate awesome list from all the awesome lists that @ecosystems has discovered so far: https://github.com/andrew/ultimate-awesome

I wonder how long it will take the awesome service to discover this new list and add it to itself 🤔

andrewnez, 4 months ago to random

Just finished deploying a little service I wrote over the holidays to discover and parse Awesome lists: https://awesome.ecosyste.ms

So far it's discovered 2,000 awesome lists and almost 200,000 items listed in them, around 50% of which are GitHub repositories.

Code: https://github.com/ecosyste-ms/awesome

andrewnez, 5 months ago to random

A little project I helped work on went live today: https://climatetriage.com

Discover a meaningful way to contribute to open source projects focused on climate technology and sustainability.

Blog post with more details: https://opensustain.tech/blog/launch_climate_triage/

blaine, 5 months ago to random

While I fully, really, completely get all the arguments on every side around Meta implementing ActivityPub, I'll confess to not understanding the profound concern that this will kill the fediverse.

Federated social media never "belonged" to anyone. Feel free to block Threads. Build disparate communities!
Or federate with them!

The network and power dynamics are not & will not be any way worse than they are now, or before Threaderation, or before Musk bought Twitter. They are only better*.

andrewnez, 5 months ago to random

@andypiper not sure how I missed it but congrats on the new role at mastodon!

olivierlacan, 7 months ago to random

Is anybody aware of existing solutions that:

• scan all (multi-lingual) codebases of a given organization on code hosting platforms
• retrieve all third-party dependencies in use
• aggregate all versions of each dependency in use
• aggregate the licenses for each version of each dependency

I'd be shocked if something like this didn't exist, probably on the very expensive side of "Entreprise SaaS". This feels very tangential to tools like Dependabot, Snyk, etc.

Boosts welcome for reach.