
Execution Environment — Package Manager

  1. Create an issue in your GitLab project.
  2. Copy and paste the checklist below into the issue description.
  3. Work through the checklist.
- [ ] **Choose your package manager(s) per stack.** *Decide and record in `README` → “Package Management” (e.g. **Python**: uv/Poetry/pip-tools; **Node**: npm/pnpm/yarn; **JVM**: Gradle/Maven).*

- [ ] **Commit lockfiles for reproducibility.** *Ensure the lockfile is in version control (e.g. `poetry.lock`, `uv.lock`, `requirements.txt` + `constraints.txt`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, Gradle/Maven reproducible settings).*

- [ ] **Question:** What versioning policy will you use?  
  → *Define rules (exact pins vs. safe ranges like `~`/`^`; pre-releases allowed or not). Document in `/docs/deps_policy.md`.*

- [ ] **Separate prod vs. dev/test dependencies.** *Use groups/extras/scopes (e.g. Poetry/uv groups, npm `devDependencies`, Gradle `testImplementation`). Note how to install only prod deps.*

- [ ] **Document install commands (cross-OS).** *Add a short “Install Deps” section to `README` with exact commands for Windows/macOS/Linux and CI.*

- [ ] **Question:** How do you add/update/remove a dependency?  
  → *Write a description in `/docs/deps_policy.md` (who approves, commands to run, how to update lockfile, how to test).*

- [ ] **License compliance.** *Define allowed licenses and add a CI job or script to list licenses (Node license checker, Python tools, Maven/Gradle plugins). Store results in `/docs/licenses.md`.*

- [ ] **Question:** How will you handle regular updates?  
  → *Schedule a weekly/monthly “dependency bump” issue; use a tool (renovate/dependabot or manual) and define test/rollback steps.*

- [ ] **Pin tool versions used by the manager.** *Record manager CLIs (e.g. npm/pnpm/yarn version, Poetry/uv version, Gradle wrapper, Maven) in `README`; commit wrappers where applicable.*

- [ ] **Verify minimal reproducible build.** *Create an issue “Fresh Clone Install” where a teammate clones the repo, installs deps from scratch, runs tests, and posts results/screenshots.*

- [ ] **Cleanup & auditing policy.** *Periodically remove unused deps (e.g. `npm prune`, `pip uninstall` via audit, Gradle `dependencies` report). Track in a recurring `deps-maintenance` issue.*
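The "commit lockfiles" and "fresh clone install" items above can be turned into a pre-install check that CI and the teammate doing the fresh clone both run. The script below is an added example, not part of the original checklist or any project's tooling: it detects the manifest/lockfile pairs the checklist names, rejects a lockfile that is missing, git-ignored or ambiguous (two lockfiles for one manifest), and prints the install command that honours the lockfile instead of silently rewriting it. The manifest-to-lockfile table and the pip-tools `requirements.in` convention are assumptions.

```shell
#!/bin/sh
# Added example (not from the checklist): verify that every detected stack has
# exactly one committed lockfile and print the lockfile-honouring install command.
# The manifest/lockfile pairing table below is an assumption, not from the page.

# lockfile_for DIR MANIFEST LOCK...  ->  prints the single lockfile present.
# Exit: 0 ok, 1 manifest absent (stack not used), 2 none/ignored, 3 several.
lockfile_for() {
  dir=$1; manifest=$2; shift 2
  [ -f "$dir/$manifest" ] || return 1
  hits=""; n=0
  for lock in "$@"; do
    if [ -f "$dir/$lock" ]; then hits="$hits $lock"; n=$((n + 1)); fi
  done
  if [ "$n" -eq 0 ]; then echo "$manifest: no lockfile, generate and commit one" >&2; return 2; fi
  if [ "$n" -gt 1 ]; then echo "$manifest: conflicting lockfiles:$hits (keep one)" >&2; return 3; fi
  lock=${hits# }
  # A lockfile that exists locally but is git-ignored never reaches CI or a
  # fresh clone, so it gives no reproducibility at all.
  if [ -f "$dir/.gitignore" ] && grep -qxF -e "$lock" -e "/$lock" "$dir/.gitignore"; then
    echo "$manifest: $lock is listed in .gitignore" >&2; return 2
  fi
  echo "$lock"
}

# frozen_install DIR  ->  prints one install command per stack detected in DIR.
# Returns 1 if any detected stack has a missing, ignored or ambiguous lockfile.
frozen_install() {
  dir=$1; rc=0
  for spec in "package.json package-lock.json pnpm-lock.yaml yarn.lock" \
              "pyproject.toml poetry.lock uv.lock" \
              "requirements.in requirements.txt"; do
    set -- $spec                           # split into MANIFEST LOCK...
    if lock=$(lockfile_for "$dir" "$@"); then
      case $lock in
        package-lock.json) echo "npm ci" ;;
        pnpm-lock.yaml)    echo "pnpm install --frozen-lockfile" ;;
        yarn.lock)         echo "yarn install --frozen-lockfile" ;;  # Yarn 2+: --immutable
        poetry.lock)       echo "poetry install" ;;
        uv.lock)           echo "uv sync --frozen" ;;
        requirements.txt)  echo "pip install -r requirements.txt" ;;
      esac
    else
      [ $? -eq 1 ] || rc=1                 # 1 = manifest absent, not a failure
    fi
  done
  return $rc
}
```

Run it as `frozen_install .` from the repository root; a non-zero exit is the signal to fix the lockfile before the "Fresh Clone Install" issue is attempted.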