From f8d57f9e54012d83396efc12706ee19159e1d069 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Tue, 18 Jun 2024 13:54:26 +0000 Subject: [PATCH] doc: add additional guidance for PRs to deps - add additional guidance based on discussion related to recent PR to dependency and discussion within the security-wg slack channel. Refs: https://github.com/nodejs/security-wg/issues/1329 Signed-off-by: Michael Dawson --- doc/contributing/maintaining/maintaining-dependencies.md | 5 +++++ doc/contributing/pull-requests.md | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/doc/contributing/maintaining/maintaining-dependencies.md b/doc/contributing/maintaining/maintaining-dependencies.md index e21a6409b3c896..e735fe29e5706d 100644 --- a/doc/contributing/maintaining/maintaining-dependencies.md +++ b/doc/contributing/maintaining/maintaining-dependencies.md @@ -144,6 +144,11 @@ the corresponding script in `tools/update-deps`. [npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml) takes care of npm update, it is maintained by the npm team. +PRs for manual dependency updates should only be accepted if +the update cannot be generated by the automated tooling, +the reason is clearly documented and either the PR is +reviewed in detail or it is from an existing collaborator. + ## Dependency list ### acorn diff --git a/doc/contributing/pull-requests.md b/doc/contributing/pull-requests.md index 295e9d3695c47e..133c91ee8a7c04 100644 --- a/doc/contributing/pull-requests.md +++ b/doc/contributing/pull-requests.md 
@@ -525,6 +525,15 @@ to fail on specific platforms or for so-called "flaky" tests to fail ("be red"). It is vital to visually inspect the results of all failed ("red") tests to determine whether the failure was caused by the changes in the pull request. + +### Dependencies + +Ideally pull requests for dependencies should be generated by automation. +Pay special attention to pull requests for dependencies which have not +been automatically generated and follow the guidance in +[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies). + + ## Notes ### Commit squashing
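Review bot: In the maintaining-dependencies.md hunk, the new paragraph "reviewed in detail or it is from an existing collaborator" reads as if a manual dependency update from a collaborator may skip detailed review, which weakens the supply-chain control the paragraph is meant to establish; a collaborator account can be compromised just like any other, and the vendored content is what lands in every Node.js binary. Suggest stating the conditions as a list and making review of the vendored diff unconditional, with collaborator status only affecting how much scrutiny the submitter's identity needs, e.g. "the reason is clearly documented in the PR description" and "the vendored changes have been compared against the upstream release (tag or tarball) by a reviewer". It would also help to say where "clearly documented" applies (the PR description and the commit message) so reviewers have something concrete to check.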
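Review bot: In the pull-requests.md hunk, "pull requests for dependencies which have not been automatically generated" is ambiguous (it is the pull requests, not the dependencies, that are not generated); suggest "pull requests that update a dependency but were not generated by the automated tooling". The new "### Dependencies" subsection is inserted right after the paragraph on inspecting failed ("red") CI results, so it lands under the CI section rather than as general review guidance; consider placing it at the same heading level as the surrounding review topics or noting in the first sentence that this applies during review. Minor points: "Ideally pull requests" wants a comma after "Ideally", there are two added blank lines before "## Notes" where one is the convention elsewhere in the file, and the absolute https://github.com/nodejs/node/blob/main/... link could be a relative link to doc/contributing/maintaining/maintaining-dependencies.md so it keeps working on branches and forks.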