add knowledge

docs/package-management.md

@@ -0,0 +1,56 @@
+# Package Management
+
+Declare dependencies explicitly, resolve them reproducibly, and isolate environments so projects don't interfere.
+
+## Tools by Language
+
+| Language | Recommended | Alternatives |
+|---|---|---|
+| Python | `uv` | pip, poetry, pipenv |
+| JavaScript | `pnpm` | npm, yarn |
+| Go | `go mod` | (built-in, no alternative needed) |
+| C++ | `conan`, `vcpkg` | cmake FetchContent |
+
+## Python — `uv`
+
+Fast resolver with lock files. Drop-in for pip + venv.
+
+```bash
+# create venv and install
+uv venv
+uv pip install -e ".[dev]"
+
+# add a dependency (updates pyproject.toml + lockfile)
+uv add requests
+
+# sync from lock file (reproducible installs)
+uv sync
+```
+
+`pyproject.toml` is the single source of truth for dependencies and tool config (PEP 517/518).
+
+## JavaScript — `pnpm`
+
+Faster and more disk-efficient than npm; compatible with npm ecosystem.
+
+```bash
+pnpm install          # install from lockfile
+pnpm add lodash       # add dependency
+pnpm dlx create-vite  # run one-off tool
+```
+
+## Go — `go mod`
+
+Built into the toolchain; no extra install needed.
+
+```bash
+go mod init github.com/you/myproject
+go get github.com/some/package@v1.2.3
+go mod tidy           # remove unused deps
+```
+
+## Key Principles
+
+- Always commit the lock file (`uv.lock`, `pnpm-lock.yaml`, `go.sum`)
+- Pin to a specific version in production; use ranges only in libraries
+- Separate dev dependencies from runtime dependencies