
Appendices

Ecosystem-specific guidance and special topics that don't fit neatly into the main chapters.

Same Problems, Different Syntax

Different ecosystems, same problems. I've worked in all of these. The tools change—npm, pip, cargo, go get—but the underlying challenges don't. Lock your dependencies. Scan for vulnerabilities. Know what you're running. The syntax is different; the discipline is the same.

Ecosystem Guides

Different languages and package managers have different conventions, tools, and pitfalls.

  • Node.js/npm
    Lock files, npm audit, provenance and signing, the npm ecosystem's particular challenges.

  • Python
    pip vs. pip-tools vs. Poetry vs. uv, virtual environments, the fragmented packaging landscape.

  • Go
    The module system, vendoring, go.sum verification, Go's distinctive approach.

  • Rust
    Cargo.lock handling, the crates.io trust model, build determinism.

Special Topics

  • AI/ML Supply Chain
    Pre-trained models are dependencies too. Model provenance, dataset licensing, pickle risks, and ML supply chain challenges.

  • For Researchers
    Reproducible research software, working solo, grant-funded sustainability, and academic code challenges.

A Note on Ecosystem Guides

These appendices provide ecosystem-specific detail, but the principles are universal:

  • Lock your dependencies
  • Scan for vulnerabilities
  • Understand what you're installing
  • Update deliberately

The tools differ. The patterns don't.

If your ecosystem isn't covered here, apply the concepts from the main guide and consult your ecosystem's documentation. The fundamentals transfer.