best-practices

Allowed and Banned Dependencies in AI Engineering From Scratch: Language-Specific Guide

June 5, 2026 rohitg00/ai-engineering-from-scratch ↗

The AI Engineering From Scratch curriculum enforces a strict stdlib-first policy where each language maintains an explicit allow-list of third-party packages; any dependency not listed in AGENTS.md is banned and must be omitted with an explanatory comment.

The rohitg00/ai-engineering-from-scratch repository implements rigorous dependency constraints to ensure educational clarity and portability. All lesson code must adhere to the allowed and banned dependencies defined in the AGENTS.md file, which mandates a stdlib-first approach across Python, TypeScript, Rust, and Julia implementations.

The Stdlib-First Policy and AGENTS.md

The governing rules for allowed and banned dependencies are codified in AGENTS.md at the repository root. This file establishes that lesson implementations should minimize external dependencies to reduce cognitive load and dependency fragility. If a required package falls outside the explicit allow-list, contributors must skip the import and add a comment explaining the stdlib-first decision.

Allowed Dependencies by Language

Each supported language maintains specific permitted packages alongside its standard library. The following sections detail the exact allow-lists enforced in the codebase.

Python Dependencies

Python lessons may import from the standard library plus five specific scientific-computing packages. According to AGENTS.md, the allowed third-party libraries are:

numpy
torch
h5py
zstandard
safetensors

All other packages—including common data science tools like pandas, scikit-learn, or requests—are strictly prohibited.

Example using an allowed library:

import numpy as np  # ✅ allowed

def l2_norm(v):
    return np.sqrt(np.sum(v ** 2))

print(l2_norm(np.array([3, 4])))   # → 5.0

Example of a banned import:


# import pandas as pd   # ❌ banned – staying stdlib-first for educational clarity.

TypeScript Dependencies

TypeScript lessons target Node.js 20+ and permit only four specific npm packages beyond the standard library:

hono (lightweight web framework)
zod (validation)
ws (WebSockets only)
@hono/node-server

Packages like express, lodash, or axios are banned.

Example using allowed packages:

import { Hono } from 'hono';               // ✅ allowed
import { z } from 'zod';                  // ✅ allowed

const app = new Hono();

const querySchema = z.object({ name: z.string() });

app.get('/greet', (c) => {
  const result = querySchema.safeParse(c.req.query());
  if (!result.success) return c.text('Invalid query', 400);
  return c.text(`Hello, ${result.data.name}!`);
});

export default app;

Example of a banned import:

// import express from 'express';   // ❌ banned – staying stdlib-first for educational clarity.

Rust Dependencies

Rust implementations must compile as single-file programs using rustc --edition 2021 with no external crates. The curriculum permits only the Rust standard library. Lessons cannot include Cargo.toml dependencies or external crate imports.

Example stdlib-only implementation:

// ✅ No external crates; only stdlib is used.
fn fibonacci(n: u32) -> u64 {
    match n {
        0 => 0,
        1 => 1,
        _ => fibonacci(n - 1) + fibonacci(n - 2),
    }
}

fn main() {
    println!("fib(10) = {}", fibonacci(10));
}

Julia Dependencies

Julia lessons are restricted to modules included in the standard library:

Random
Statistics
LinearAlgebra
Printf

External packages such as DataFrames.jl or Flux.jl are banned.

Example using allowed stdlib modules:

using Random   # ✅ allowed (stdlib)

function random_vector(dim::Int)
    return randn(dim)
end

println(random_vector(5))

Example of a banned import:


# using DataFrames   # ❌ banned – staying stdlib-first for educational clarity.

Handling Banned Dependencies

When lesson logic might typically require a banned package, the contribution guidelines require explicit documentation. Instead of importing the prohibited dependency, developers must comment out the import and explain the stdlib-first constraint.

The standard comment format is:


# stdlib-first: pandas is banned – staying stdlib-first for educational clarity.

This pattern appears in LESSON_TEMPLATE.md and example code throughout the repository to maintain transparency about pedagogical constraints.

Key Files Governing Dependency Rules

Understanding the dependency structure requires examining several canonical files:

AGENTS.md: Defines the Dependencies table and stdlib-first mandate.
LESSON_TEMPLATE.md: Provides scaffolding ensuring new lessons adhere to import restrictions.
phases/*/code/main.<ext>: Reference implementations demonstrating valid dependency usage (e.g., phases/01-foundations/01-hello-world/code/main.py).

Summary

The repository enforces a strict stdlib-first policy across all lesson code in rohitg00/ai-engineering-from-scratch.
AGENTS.md serves as the canonical source for allowed and banned dependencies.
Python permits five specific libraries: numpy, torch, h5py, zstandard, and safetensors.
TypeScript allows hono, zod, ws, and @hono/node-server only.
Rust and Julia implementations must use standard library features exclusively.
Banned imports require commented explanations citing the stdlib-first policy.

Frequently Asked Questions

Where are the dependency rules documented in the repository?

The definitive source is the AGENTS.md file in the repository root, specifically the Dependencies table. This document lists the explicit allow-lists for Python, TypeScript, Rust, and Julia, establishing the stdlib-first constraint that classifies all non-listed packages as banned.

Can I use pandas or scikit-learn in Python lessons?

No. While these are common in data science, they are banned under the current policy. Python lessons must rely on the standard library plus only numpy, torch, h5py, zstandard, and safetensors. If you encounter a scenario requiring pandas, you must implement the functionality using allowed libraries or skip the import with an explanatory comment.

Why does the Rust curriculum forbid external crates?

The Rust lessons are designed to compile as single-file programs using rustc --edition 2021 without a Cargo.toml. This constraint ensures maximum portability and focuses instruction on the Rust standard library's capabilities. External crates would introduce build complexity that contradicts the educational goal of understanding core language features.

How should I handle a dependency that is not on the allow-list?

When you need functionality typically provided by a banned package, you must omit the import and add a comment explaining the decision. The standard format is # stdlib-first: [package] is banned – staying stdlib-first for educational clarity. This documents the pedagogical constraint while keeping the code valid according to the repository's dependency rules.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:

curl -s "https://instagit.com/install.md"

Add to your MCP client configuration:

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}

Ask your agent:

"Use Instagit MCP to understand how rohitg00/ai-engineering-from-scratch works."

Works with

Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →