Package and Dependency Managers


Many projects share the need for package and dependency management.
While the individual requirements and type of dependencies can be different for each project most security critical applications that we’re building would profit from a package format with built-in security features such as signatures, checksums and digital certificates.
Other points of intersection are metadata standards, decentralized certificate “authorities”, and backends / infrastructure to store and discover packages such as IPFS & Swarm.

This post should serve as a starting point to find all stakeholders and begin a discussion on how our efforts can be channeled, how we can find synergies and solutions across the different projects so that we don’t have to re-invent the wheel.

Related Projects:

Related Standards:


Hey there, Santiago from Zeppelin here. We have been working with the concept of EVM packages for some time via ZeppelinOS. The idea is to set up packages where the code is already deployed to the network, and you just use pre-deployed contracts via proxies. The packages we’ve been working with have an interface compatible with those of Aragon’s.

However, it still requires a package manager to make some content available at development time. We’ve been relying on npm for now, but we’d love to support other platforms. We had some discussions with @gnidan regarding supporting EVM packages on top of ethpm, which would require a few additions to the current interface, but nothing that breaks compatibility with the ethpm standard.

On top of the package manager itself, we are also working on using a token to signal secure reusable packages, allowing users to vouch for the packages they use, and security researchers to profit from vulnerabilities they report. It’d be great to see this information integrated with package management tools, so a user can be informed on the degree of confidence of the dependencies they are working with.

Anyway, I’d love to be part of any discussions regarding package management, in order to work towards a standard solution.



Yann from Remix,
We are pretty much interested in this as we do have the need of securing (signatures, checksums and digital certificates) and storing (IPFS, swarm) metadatas for plugin definitions.

Beside that I think we should leverage the compilation result JSON I/O standard as described here
and propose a standard way of storing , discovering , retrieving compilation artefacts. This would serve as a base infrastructure that package managers can rely on.

So happy to contribute on this.


Hey all!
Nick here, I’ve been working on EthPM with gnidan. I completely agree that finding a standard to suit all the various use cases is crucial for the ecosystem. Imo the EthPM spec is a great base to build from (eg. Zeppelin EVM packages), but it might not cover all the use cases out there? I’d love to chat with anybody if they have any questions about the EthPM spec, or conflicts between EthPM and how they envision packaging.

Currently with EthPM we have our homepage with resources, a registry explorer @, and integration with and twig development tools. Integration with Truffle and web3.js is coming soon. If anybody has any questions, please shoot me an email ( I’m here to help.

Though it’s a tricky problem, I’d also love to contribute to adopting solution that helps users identify trustworthy packages/registries.

Also, short notice, but Piper (originator of the EthPM spec) and myself will be at EthDenver this weekend. As big fans of conversations in real life, we’d be happy to grab a table and continue this discussion over the weekend if anybody else is around.



Hi everyone,

I was busy working on some early draft for a specification and reference implementation of “ethereum signed packages” for the last weeks. We will incorporate package signing in the next version of mist and the accompanying application manager:

You can find the project repo here and a spec draft here.

You are all welcome to contribute on the issue tracker, with code or suggestions and feedback in this thread :slight_smile:

An EIP is on the way. Unfortunately, I won’t be at EThDenver but I will be at EthCC in Paris and give a short presentation about some of the changes. Would love to hear your input and feedback and have a discussion on how to improve the ecosystem and our application security.

Looking forward to our discussions.


Hi @ philipplgh, Dennison from Zeppelin here, I’ll be at EthCC in Paris and would love to chat about what you’re working on! What would be the best way to get in touch?



Will give a talk on the first day “Update on Mist”. Will talk a little bit about signed packages and package management too and we could continue the discussion afterwards or schedule a better time.