
Commit 30858ec

mhdawson authored and targos committed
doc: add additional guidance for PRs to deps

- add additional guidance based on discussion related to a recent PR to a dependency and discussion within the security-wg slack channel.

Refs: nodejs/security-wg#1329
Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: #53499
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
1 parent 7716613 commit 30858ec

2 files changed: +16 -0 lines changed

doc/contributing/collaborator-guide.md

Lines changed: 5 additions & 0 deletions
@@ -127,6 +127,11 @@ for the change.
127127

128128
Approval must be from collaborators who are not authors of the change.
129129

130+
Ideally pull requests for dependencies should be generated by automation.
131+
Pay special attention to pull requests for dependencies which have not
132+
been automatically generated and follow the guidance in
133+
[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies).
134+
130135
In some cases, it might be necessary to summon a GitHub team to a pull request
131136
for review by @-mention.
132137
See [Who to CC in the issue tracker](#who-to-cc-in-the-issue-tracker).
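Review bot: the new guidance on lines 130-133 tells reviewers to "pay special attention" to dependency PRs that were not automatically generated, but gives no way to tell the two apart; since the rule hinges on that distinction, state what marks an automated update (for example, that it was produced by the corresponding script in `tools/update-deps` or opened by the project's update bot) so a reviewer can check it rather than take the PR description's word for it. Separately, the link on line 133 is an absolute URL into `nodejs/node` on `main`; the target lives in the same tree, so a relative link (`maintaining/maintaining-dependencies.md#updating-dependencies`) would also resolve in forks, local checkouts and release branches.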

doc/contributing/maintaining/maintaining-dependencies.md

Lines changed: 11 additions & 0 deletions
@@ -144,6 +144,17 @@ the corresponding script in `tools/update-deps`.
144144
[npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml)
145145
takes care of npm update, it is maintained by the npm team.
146146

147+
PRs for manual dependency updates should only be accepted if
148+
the update cannot be generated by the automated tooling,
149+
the reason is clearly documented and either the PR is
150+
reviewed in detail or it is from an existing collaborator.
151+
152+
In general updates to dependencies should only be accepted
153+
if they have already landed in the upstream. The TSC may
154+
grant an exception on a case-by-case basis. This avoids
155+
the project having to float patches for a long time and
156+
ensures that tooling can generate updates automatically.
157+
147158
## Dependency list
148159

149160
### acorn
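Review bot: the acceptance rule on lines 147-150 lets a manual dependency update skip detailed review whenever "it is from an existing collaborator", but the risk in a hand-built vendored update is that the committed tree differs from the upstream release, and that does not depend on who opened the PR. Consider requiring, for every manual update, that a reviewer confirm the vendored files match the named upstream tag or tarball (a diff against a fresh checkout of that tag is enough), and reserve the collaborator exemption for the "reason is clearly documented" part only; it would also help to say what "reviewed in detail" means in practice. Minor: on line 153, "landed in the upstream" reads better as "landed upstream", and the TSC-exception sentence should say where the exception is to be recorded (the PR itself, presumably) so later readers can see why a not-yet-upstream change was accepted.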
