Before you can make informed decisions about dependencies and supply chain, you need to understand what you're actually dealing with. This section covers the foundational concepts that everything else builds on.
What's Here¶
-
Dependencies aren't free. They cost evaluation time, maintenance effort, security surface area, and upgrade cycles.
-
That "quick script" you wrote last month? It's now critical infrastructure. Code written to answer a question becomes code that must be maintained.
-
When AI writes your code, you inherit dependencies you didn't choose, patterns you don't understand, and risks you can't see.
-
Every decision in software involves tradeoffs. Risk as a framework for thinking about what you're accepting.
-
Before you install anything, know what you're getting into. A practical framework for assessing dependencies.
-
Version numbers mean something (sometimes). Lock files ensure reproducibility (when you use them).
-
"Works on my machine" isn't good enough. Containerization, reproducibility, and the fundamentals of build environments.
Key Takeaways¶
If you read nothing else in this section:
-
Dependencies have weight — Every package you add is code you now maintain, security surface you now defend, and complexity you now carry.
-
Scripts become software — That "temporary" notebook will outlive your expectations. Plan accordingly.
-
AI amplifies, not replaces — AI-assisted coding makes you faster at whatever you're doing—including making mistakes. Review AI output like a PR from an untrusted contributor.
-
Risk is unavoidable — There's no zero-risk option. The goal is informed risk, not no risk.
-
Evaluate before you install — Five minutes of assessment can save weeks of pain later.
-
Lock files are not optional — If your builds aren't reproducible, you don't have builds.
-
Understand your environment — If you can't explain what's happening in your build, you don't control it.