Modern projects depend on package managers and isolated environments so dependencies are reproducible.
Examples by ecosystem
- JavaScript — npm/pnpm with package.json
- Python — pip + venv or poetry
- PHP — composer
- Rust — cargo
- .NET — dotnet add package
Rules of thumb
- Commit lockfiles (package-lock.json, composer.lock, …). The lockfile is what makes an install reproducible, and npm, Cargo and Poetry lockfiles also record the hash of each downloaded artifact, so a tampered tarball fails the install instead of silently landing in node_modules.
- Never install tools globally unless you understand PATH: a global install decides which binary every project on the machine runs, and you lose the per-project pinning the lockfile gives you.
- One virtual environment per project.
Self-check
- Which package manager will your next track use?
- Why should secrets stay out of committed .env files?
Interview prep
- What problem do lockfiles solve?
They pin every transitive dependency to an exact version (and, for npm, Cargo and Poetry, to the hash of the downloaded artifact), so two installs produce the same tree and the same bytes. That removes "works on my machine" and turns any dependency change into a reviewable diff in version control.
- Why are supply-chain attacks a concern for package installs?
Dependencies execute during install and build: npm lifecycle scripts (preinstall/postinstall), a setup.py, a build.rs or a Composer plugin all run arbitrary code on the developer's or CI machine, so a compromised or typosquatted package gets code execution before the application itself ever starts. Defences: install from the committed lockfile rather than resolving fresh (npm ci, pip install --require-hashes, cargo build --locked), run audits against known-vulnerable versions (npm audit, pip-audit, cargo audit from the cargo-audit crate), pull only from registries you trust, and disable install scripts where the build allows it (npm ci --ignore-scripts).
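A lockfile-hygiene check that puts the two answers above, and the "commit lockfiles" rule, into practice. This is an added example, not code from the original page or from npm. It reads an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map) and reports any dependency that is not pinned, has no integrity hash, resolves over anything but https from an allowed registry, or declares install scripts. ALLOWED_HOSTS, the function names and the sample lockfile are this example's own assumptions; the integrity values in the sample are placeholders, not real hashes.

```python
"""Lockfile hygiene check for npm's package-lock.json (lockfileVersion 2 or 3).

Added example, not code from the original page or from npm. It enforces the
supply-chain points above: every dependency is pinned to an exact version,
carries an SRI integrity hash, and resolves over https from an allowed
registry; packages that run install scripts are reported so they can be
reviewed before `npm ci` executes them.
"""
import json
import sys
from urllib.parse import urlparse

# Assumption: the only registry this project trusts. Add a private mirror here if you use one.
ALLOWED_HOSTS = {"registry.npmjs.org"}
STRONG_ALGOS = ("sha512-", "sha384-", "sha256-")


def audit_lockfile(lock, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings (strings) for one parsed lockfile; [] means clean."""
    packages = lock.get("packages")
    if packages is None:
        # lockfileVersion 1 stores a nested "dependencies" tree instead; not handled here.
        raise ValueError("lockfileVersion 1 is not supported; regenerate with npm >= 7")
    findings = []
    for path, meta in packages.items():
        if path == "" or meta.get("link"):
            # "" is the root project; link entries are workspace symlinks, nothing is downloaded
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved")
        integrity = meta.get("integrity")
        if not meta.get("version"):
            findings.append(f"{name}: no pinned version")
        if not resolved:
            findings.append(f"{name}: no resolved URL, origin unknown")
        else:
            url = urlparse(resolved)
            # git+ssh://, http:// and unknown hosts all fail this test
            if url.scheme != "https" or url.hostname not in allowed_hosts:
                findings.append(f"{name}: resolved from untrusted source {resolved}")
        if not integrity:
            findings.append(f"{name}: no integrity hash, tarball is unverified")
        elif not integrity.startswith(STRONG_ALGOS):
            findings.append(f"{name}: weak integrity algorithm {integrity.split('-', 1)[0]}")
        if meta.get("hasInstallScript"):
            # npm sets this flag when the package declares preinstall/install/postinstall
            findings.append(f"{name}: runs install lifecycle scripts, review before trusting")
    return findings


def audit_lockfile_path(path):
    """Load a package-lock.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


# Constructed sample lockfile; the integrity values are placeholders, not real hashes.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/demo-lib": {  # pinned, hashed, from the trusted registry: clean
            "version": "1.4.2",
            "resolved": "https://registry.npmjs.org/demo-lib/-/demo-lib-1.4.2.tgz",
            "integrity": "sha512-UExBQ0VIT0xERVI=",
        },
        "node_modules/mirror-lib": {  # plain-http mirror and no hash
            "version": "0.1.0",
            "resolved": "http://mirror.example.internal/mirror-lib-0.1.0.tgz",
        },
        "node_modules/forked-lib": {  # git dependency: no registry, no hash
            "version": "1.2.3",
            "resolved": "git+ssh://git@github.com/example/forked-lib.git#0123abcd",
        },
        "node_modules/native-addon": {  # pinned and hashed, but runs scripts
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/native-addon/-/native-addon-2.0.0.tgz",
            "integrity": "sha512-UExBQ0VIT0xERVI=",
            "hasInstallScript": True,
        },
    },
}

if __name__ == "__main__":
    # Usage: python lockcheck.py [path/to/package-lock.json]; non-zero exit on findings.
    results = audit_lockfile_path(sys.argv[1]) if len(sys.argv) > 1 else audit_lockfile(SAMPLE_LOCK)
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

Run it as a CI step before npm ci: on the constructed sample it reports five findings (two for the http mirror, two for the git dependency, one for the package with install scripts) and exits non-zero. Only the hash prefix is checked here; npm itself verifies the hash against the downloaded tarball at install time, which is why the integrity field must be present in the committed lockfile in the first place.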