doc: add additional guidance for PRs to deps

- add additional guidance based in discussion related to recent PR to dependency and discussion within the security-wg slack channel. Refs: nodejs/security-wg#1329 Signed-off-by: Michael Dawson <[email protected]>
mhdawson · Jun 18, 2024 · f8d57f9 · f8d57f9
1 parent 26f2cbd
commit f8d57f9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/doc/contributing/maintaining/maintaining-dependencies.md b/doc/contributing/maintaining/maintaining-dependencies.md
@@ -144,6 +144,11 @@ the corresponding script in `tools/update-deps`.
 [npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml)
 takes care of npm update, it is maintained by the npm team.
 
+PRs for manual dependency updates should only be accepted if
+the update cannot be generated by the automated tooling,
+the reason is clearly documented and either the PR is
+reviewed in detail or it is from an existing collaborator.
+
 ## Dependency list
 
 ### acorn

diff --git a/doc/contributing/pull-requests.md b/doc/contributing/pull-requests.md
@@ -525,6 +525,15 @@ to fail on specific platforms or for so-called "flaky" tests to fail ("be red").
 It is vital to visually inspect the results of all failed ("red") tests to
 determine whether the failure was caused by the changes in the pull request.
 
+
+### Dependencies
+
+Ideally pull requests for dependencies should be generated by automation.
+Pay special attention to pull requests for dependencies which have not
+been automatically generated and follow the guidance in
+[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies).
+
+
 ## Notes
 
 ### Commit squashing