There are four kinds of salt in my kitchen drawer, and they are not interchangeable.
Maldon flaky sea salt for finishing steak. Cooking salt in a big jar by the stove, cheap and honest, for seasoning as I go and for brines. Oak smoked salt in a tin my mother-in-law gave me, so intensely flavoured I use it by the pinch on things off the grill. And a grinder of powdered salt I crush from cooking salt with a mortar and pestle, because powdered salt disperses evenly over popcorn without forming the salty pockets that spoil a bowl halfway through.
None of these is a substitute for any of the others. A pinch of oak smoked where cooking salt is called for would be overwhelming. A teaspoon of Maldon where fine salt is called for would leave most of the food unseasoned and some of it disagreeably gritty. They are tools. Each does one thing well and refuses to do the other things at all.
This post is about salt. Most of it is about dependencies, and about the discipline of knowing what you’re putting into the dish before you put it in.
Not all salts are the same kind of salty
A teaspoon of one salt is not a teaspoon of another. Morton’s table salt is dense and finely crystalline – a teaspoon weighs about six grams. Diamond Crystal kosher salt is the same compound, but its crystals are hollow and flaky, and a teaspoon weighs about three grams. A recipe written for Morton’s and executed with Diamond Crystal will be under-seasoned. The reverse will be inedibly salty. Same chemical, same teaspoon, half the delivered dose.
Flaky finishing salts like Maldon are designed to sit on top of the food as a textural element, not to dissolve into it. Grinding Maldon into a braise is a waste; sprinkling it on a finished steak is exactly right. Smoked salts carry flavours as well as sodium and must be used sparingly. Fine salts for brining need to dissolve completely and can’t contain anti-caking agents that cloud the brine.
What you actually want, at every point in every dish, is the right form of salt for this moment. Grabbing the nearest box because it says “salt” on the side is a mistake that shows up later, in the taste of the thing you served to people who trusted you with their dinner.
Most “salts” are not food
Most of the compounds called “salts” are not edible. “Salt” is a chemistry term, not a culinary one – any compound formed when an acid reacts with a base. Sodium chloride is one. There are thousands of others.
Epsom salt is magnesium sulfate. It is a laxative. Lead acetate is a salt; the Romans used it to sweeten wine and it probably poisoned a fair chunk of the aristocracy. Potassium nitrate is a salt, used in gunpowder and in curing bacon, and which application you have in mind very much matters.
The word “salt” doesn’t tell you whether the thing is safe to put in food. You have to know which salt you’re looking at, and in what quantity.
The parallel to software is exact. A package on npm called fast-json-parser could be a perfectly fine JSON parser, or a package published last week that quietly exfiltrates environment variables while also, technically, parsing JSON. The name tells you nothing. “It is, technically, a JSON parser” is the software equivalent of “it is, technically, a salt.”
The cake contest
There is an old story, probably apocryphal, about a baking contest in which one contestant sabotaged another by swapping the labels on two unmarked jars in the victim’s pantry the night before the final. The victim reached for the jar they thought was sugar and measured out a cup of salt. The cake was inedible. They lost.
The attack was not on the salt. The salt was fine. The attack was on the assumption that the label on the jar reflected the contents of the jar.
Software supply chain attacks work the same way. They are attacks on the assumption that the package name on npm, or PyPI, matches what’s inside. Someone takes over an abandoned package. Registers a name one letter away from a popular one. Pushes a malicious version to a legitimate project. By the time anyone notices, the poisoned version has been installed by a hundred thousand npm install commands, each one issued by an engineer who trusted that the label matched the jar.
Software Bills of Materials – SBoMs – are, in essence, the practice of writing on every jar exactly what’s in it, when it arrived, and where it came from. Boring paperwork. Tedious to maintain. Exactly the kind of thing an engineer who is moving fast will skip, and then one morning will discover they needed.
Taste before you use
The single most important discipline in a kitchen is tasting the dish at every stage, and seasoning in response to what you taste – not in response to what the recipe said to do.
Recipes are approximations. The tomatoes were different tomatoes. The stock had different baseline salt. The cheese you’re melting contains sodium the recipe writer didn’t know about. So you taste. When the onions are sweating. When the liquid goes in. Halfway through the braise. Right before you plate. Each time you add a little if it needs it, and nothing if it doesn’t. You are adjusting based on current state, not on a timer and a hope.
Engineers should do exactly the same with dependencies. Read the README. Skim the entry point. Look at the issue tracker. Check the release cadence. Run the tests locally. Try it against your actual use case before you commit to it. Taste the dish.
The engineer who runs npm install against the first Google result is the cook who empties the first jar they grab into the pot without tasting. Sometimes this works. Often it produces something under-seasoned. Every so often – and this is the one that keeps me awake – it produces something that tastes fine at first and is slowly poisoning everyone who eats it.
The drawer has four salts for a reason
My drawer has four salts because each does something the others can’t. Learning which is which, and how much, and when, is the patient unglamorous work of becoming someone who can cook.
Your codebase’s package.json should have the same relationship with its dependencies. Each one chosen for a specific reason you remember. Each one tasted before it was committed. Each one revisited periodically to see whether the reason still holds. None grabbed at random because the name on the jar sounded about right.
Taste. Decide. Add. Taste again. Adjust. That’s the discipline. Everything else is built on top of it.