Dependency Management
Principles
- Prefer standard library when possible
- Minimal dependencies — justify every external package
- Pin versions — use `requirements.txt` with pinned versions for backend; `package-lock.json` for frontend
- Audit regularly — check for vulnerabilities before major releases
Backend (Python) — Core Dependencies
These are in use. Do not replace without a strong reason.
| Package | Version | Purpose |
|---|---|---|
| fastapi | latest stable | Web framework + OpenAPI docs |
| uvicorn[standard] | latest stable | ASGI server |
| sqlalchemy[asyncio] | 2.x | ORM with async support |
| asyncpg | latest stable | PostgreSQL async driver |
| alembic | latest stable | Database migrations |
| pydantic | v2.x | Data validation, settings |
| pydantic-settings | latest stable | Config from env vars |
| python-jose[cryptography] | latest stable | JWT creation and validation |
| passlib[bcrypt] | latest stable | Password hashing |
| python-multipart | latest stable | Form data (login endpoint) |
| httpx | latest stable | Async HTTP client (lessons service) |
| aiofiles | latest stable | Async file I/O |
| pylxd | latest stable | LXD API client |
| paramiko | latest stable | SSH for container verification |
| redis | latest stable | Redis client (session/cache) |
Backend (Python) — Dev Dependencies
| Package | Purpose |
|---|---|
| pytest | Test runner |
| pytest-asyncio | Async test support |
| httpx | Test client for FastAPI (also used in app) |
Frontend (JavaScript) — Core Dependencies
| Package | Purpose |
|---|---|
| vue | ^3.x — UI framework |
| vue-router | ^4.x — SPA routing |
| axios | HTTP client — all API calls via services/api.js |
| marked | Markdown → HTML parsing (lesson content) |
| dompurify | HTML sanitization (required before v-html) |
| xterm | Terminal emulator (WebSocket terminal component) |
| @xterm/addon-fit | XTerm resize addon |
| chart.js | Analytics/progress charts |
Frontend — Dev Dependencies
| Package | Purpose |
|---|---|
| vite | Build tool + dev server |
| @vitejs/plugin-vue | Vue SFC support for Vite |
| vitest | Test runner (not yet configured) |
| @vue/test-utils | Vue component testing (not yet configured) |
Adding New Dependencies
Backend
- Check if stdlib or an approved package already does it
- Evaluate: maintained? stable API? minimal transitive deps?
- Add to `requirements.txt` with pinned version
- Document the reason in the PR description
Frontend
- Check if an existing package (axios, marked) already covers it
- Prefer packages with ESM support (works with Vite)
- Add to `package.json`, commit `package-lock.json`
Updating Dependencies
- Security patches: update immediately
- Minor/patch updates: batch monthly in a dedicated branch
- Major updates: plan separately, review breaking changes, test thoroughly
- Run `pip list --outdated` and `npm outdated` to check for updates
CI Checks
```bash
# Backend
pip install -r requirements.txt
# (no automated audit tool yet — check manually with: pip-audit)
# Frontend
npm ci # Reproducible install from lockfile
npm audit # Check for vulnerabilities
```
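One way to enforce the "pin versions" principle for `requirements.txt` in CI, using only the standard library. This is an added example, not part of the project's own tooling; the function name `find_unpinned` and the sample file contents (including the placeholder version numbers) are assumptions made for illustration.

```python
import re
import sys

# Name, optional [extras], then an exact "==" pin (no wildcard, no range).
PINNED = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*(\[[^\]]*\])?\s*"
    r"==\s*[A-Za-z0-9][A-Za-z0-9.!+_-]*$"
)
# Constructed sample: package names from the tables above, placeholder versions.
SAMPLE = """\
# backend requirements (constructed)
fastapi==1.2.3
uvicorn[standard]==1.2.3
sqlalchemy[asyncio]>=2.0
pydantic==2.*
httpx
redis==1.2.3 ; python_version >= "3.11"
-r dev-requirements.txt
"""

def find_unpinned(text):
    """Return (line_number, requirement) for each entry that is not an exact pin."""
    problems, pending = [], ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = pending + raw
        if line.endswith("\\"):          # backslash continuation, e.g. before --hash
            pending = line[:-1] + " "
            continue
        pending = ""
        line = re.sub(r"(^|\s)#.*$", "", line).strip()   # drop comments
        if not line:
            continue
        if line.startswith("-"):
            # pip options (-r, -c, --index-url) are skipped; editable installs are reported
            if line.startswith(("-e", "--editable")):
                problems.append((lineno, line))
            continue
        req = re.split(r"\s--", line, maxsplit=1)[0]      # strip --hash=... options
        req = req.split(";", 1)[0].strip()                # strip environment marker
        if not PINNED.match(req):
            problems.append((lineno, req))
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = find_unpinned(text)
    for lineno, req in found:
        print(f"line {lineno}: not pinned: {req}")
    sys.exit(1 if found else 0)
```

Run with the path to `requirements.txt` as the only argument; a non-zero exit status fails the CI step when any entry uses a range, a wildcard, or no version at all.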