Dependency Management

Stdlib First

• Prefer the standard library over external dependencies
• Only add a dependency when it provides significant value over a stdlib solution

Declaration

• All dependencies declared in the project's manifest file (e.g., pyproject.toml, package.json, go.mod, Cargo.toml)
• No undeclared dependencies — if your code imports it, the manifest lists it

Pinning

• Pin versions or use a lock file to ensure reproducible builds
• Lock files are committed to the repo

No Vendoring

• Don't copy library source code into the repo
• Use the language's package manager to install dependencies

Dependency Groups

• Separate test/dev dependencies from production dependencies
• Use the project's convention for grouping (e.g., [test] extras, devDependencies, build tags)

CI Compatibility

• Every dependency must be installable in CI
• If something exists as a package, install it properly — don't skip tests because a dependency is "hard to install"