Sunsetting a Package Manager
CocoaPods trunk goes read-only on December 2nd, 2026, freezing new uploads while keeping existing packages resolvable via GitHub and jsDelivr. The post examines how past registries (Bower, Bintray, JCenter, Atom apm) handled their sunsets across a spectrum from full shutdown to graceful redirect. A key concern is that a frozen registry eliminates the ability to patch vulnerabilities in published packages: a critical CVE in a widely used pod like SDWebImage would have no canonical fix path after the freeze. The author explores the tradeoffs of different read-only strategies and the mutability risks of falling back to git-backed dependencies, and proposes a security-only publishing channel as a narrow exception worth considering before the freeze date forecloses the option.