# Package Management

Declare dependencies explicitly, resolve them reproducibly, and isolate environments so projects don't interfere.

## Tools by Language

| Language | Recommended | Alternatives |
|---|---|---|
| Python | `uv` | pip, poetry, pipenv |
| JavaScript | `pnpm` | npm, yarn |
| Go | `go mod` | (built-in, no alternative needed) |
| C++ | `conan`, `vcpkg` | cmake FetchContent |

## Python — `uv`

Fast resolver with lock files. Drop-in for pip + venv.

```bash
# create venv and install
uv venv
uv pip install -e ".[dev]"

# add a dependency (updates pyproject.toml + lockfile)
uv add requests

# sync from lock file (reproducible installs)
uv sync
```

`pyproject.toml` is the single source of truth for dependencies and tool config (PEP 517/518).

## JavaScript — `pnpm`

Faster and more disk-efficient than npm; compatible with npm ecosystem.

```bash
pnpm install          # install from lockfile
pnpm add lodash       # add dependency
pnpm dlx create-vite  # run one-off tool
```

## Go — `go mod`

Built into the toolchain; no extra install needed.

```bash
go mod init github.com/you/myproject
go get github.com/some/package@v1.2.3
go mod tidy           # remove unused deps
```

## Key Principles

- Always commit the lock file (`uv.lock`, `pnpm-lock.yaml`, `go.sum`)
- Pin to a specific version in production; use ranges only in libraries
- Separate dev dependencies from runtime dependencies