May 28, 2026
Developer Creates Comprehensive Matrix of Package Managers That Distribute Other Package Managers

A developer has created a matrix mapping how 42 package managers distribute each other across programming languages and operating systems, revealing that system managers like apt and the AUR are major sources of redistribution, while 25 managers also distribute themselves on their own registries. The work highlights both the practical utility and complexity of cross-platform package management dependencies.

Quick Facts
Who: Mike Fiedler
What: Created a matrix visualization of 42 package managers
When: 2026-05-28
Where: Multiple package registries (PyPI, npm, Maven Central, crates.io, RubyGems, conda-forge)
- Created a matrix visualization of 42 package managers
- Mapped package manager redistribution across registries
- Identified circular dependencies between package managers
- Documented self-distribution patterns
- Traced cross-ecosystem packaging
A software developer has created a detailed visualization mapping how 42 package managers across different programming languages and operating systems distribute each other, revealing the complex interdependencies in modern software tooling. The project emerged from earlier work by Mike Fiedler documenting cases where package managers form circular dependencies—such as PyPI shipping a Node.js binary and npm shipping a Python interpreter, allowing pip and npm to hand control back and forth indefinitely.
The resulting matrix tracks which package managers are available in which registries, drawing data from ecosyste.ms language registries and Repology for distribution packages. System package managers like apt, DNF, pacman, and apk dominate as sources, with the Arch User Repository (AUR) carrying 40 of the 42 managers surveyed. Language-specific registries show more specialized patterns: PyPI is dense with cross-language tools written in Python such as Conan and Meson, while Maven Central unexpectedly redistributes JavaScript tools like npm and Yarn as JAR files through WebJars and mvnpm, enabling Java build systems to fetch frontend dependencies without running separate package managers.
A striking finding is that 25 of the 42 package managers ship themselves on their own registries. For system package managers, this is standard practice—apt and DNF update themselves as system packages. For language registries, commands like "pip install --upgrade pip" reflect the same pattern, with npm, Cargo, Composer, and Maven all using their own repositories as release channels. Homebrew notably stands apart among system managers by updating through git rather than packaging itself, leaving its self-distribution cell empty.
The research also surfaced practical complications in tracking package manager distributions. Simple name-based registry searches fail due to namespace collisions—"pip" on npm refers to a 2012 time-tracking tool, "homebrew" on PyPI is an abandoned placeholder, and "pacman" on npm is a static site generator. The developer resolved this by querying ecosyste.ms for packages linking to each manager's canonical source repository, yielding cleaner results at the cost of handling occasional false positives.
The matrix has implications for software security and maintenance. When a CVE affects pip, it must be tracked across multiple redistribution channels—as pkg:pypi/pip in the Python registry and as separate entries in Homebrew, conda-forge, nixpkgs, and Spack. Each redistributor must manage their own vulnerability tracking, creating coordination overhead that prompted the developer to write tooling for mapping Homebrew formulas back to upstream advisories. The visualization provides the first comprehensive view of these interdependencies in the broader software ecosystem.
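The repository-based lookup and the per-channel advisory tracking described in the two paragraphs above can be sketched together. This is an added example, not the developer's tooling: the records are constructed, and the field names, the redistributed package names and the non-pip URLs are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample records; field names, package names and non-pip URLs are assumptions.
RECORDS = [
    {"registry": "pypi", "name": "pip", "repository_url": "https://github.com/pypa/pip"},
    {"registry": "npm", "name": "pip", "repository_url": "https://example.invalid/someone/time-tracker"},
    {"registry": "homebrew", "name": "pip", "repository_url": "git+https://GitHub.com/pypa/pip.git"},
    {"registry": "conda-forge", "name": "pip", "repository_url": "https://github.com/pypa/pip/"},
    {"registry": "nixpkgs", "name": "python-pip", "repository_url": "git@github.com:pypa/pip.git"},
    {"registry": "spack", "name": "py-pip", "repository_url": "http://github.com/PyPA/pip"},
    {"registry": "npm", "name": "pacman", "repository_url": None},
]

def canonical_repo(url):
    """Reduce a repository URL to 'host/owner/name' so spelling variants compare equal."""
    if not url:
        return None
    url = url.strip()
    if url.startswith("git+"):
        url = url[4:]
    if "://" not in url and "@" in url and ":" in url:  # scp-style git@host:owner/repo
        userhost, path = url.split(":", 1)
        url = "ssh://" + userhost + "/" + path
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]
    if not host or len(parts) < 2:
        return None
    name = parts[1][:-4] if parts[1].lower().endswith(".git") else parts[1]
    return f"{host}/{parts[0].lower()}/{name.lower()}"

def by_name(records, name):
    """Naive lookup: picks up unrelated packages that merely share the name."""
    return [r for r in records if r["name"] == name]

def by_repo(records, upstream):
    """Lookup by canonical source repository, independent of the package name."""
    target = canonical_repo(upstream)
    return [r for r in records if target and canonical_repo(r["repository_url"]) == target]

def channels_to_track(records, upstream):
    """Registries in which an upstream advisory needs its own entry."""
    return sorted({r["registry"] for r in by_repo(records, upstream)})

if __name__ == "__main__":
    print("name match:", [(r["registry"], r["name"]) for r in by_name(RECORDS, "pip")])
    print("track in:  ", channels_to_track(RECORDS, "https://github.com/pypa/pip"))
```

A record that declares the upstream repository without actually shipping the tool would still match, which is the false-positive case the paragraph above mentions and still needs manual review.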
Why This Matters
This visualization exposes a vulnerability-tracking problem in modern software supply chains. When a security flaw affects a package manager like pip, it must be tracked and patched across multiple redistribution channels—PyPI, Homebrew, conda-forge, nixpkgs, and Spack—creating significant coordination overhead. Understanding these interdependencies helps developers, security teams, and maintainers identify blind spots in vulnerability tracking, implement more robust supply chain security practices, and design better tools for managing cross-ecosystem package dependencies.
Timeline & Sources
May 28, 2026 (Wire): Developer releases comprehensive 42-manager matrix using ecosyste.ms and Repology data