From e7f99805e259b91baf0eaa2442291de6c8c033ad Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Tue, 18 Jun 2024 13:54:26 +0000 Subject: [PATCH] doc: add additional guidance for PRs to deps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - add additional guidance based in discussion related to recent PR to dependency and discussion within the security-wg slack channel. Refs: https://github.com/nodejs/security-wg/issues/1329 Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/53499 Reviewed-By: Rafael Gonzaga Reviewed-By: Chengzhong Wu Reviewed-By: Marco Ippolito Reviewed-By: Michaël Zasso Reviewed-By: Ulises Gascón Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau --- doc/contributing/collaborator-guide.md | 5 +++++ .../maintaining/maintaining-dependencies.md | 11 +++++++++++ 2 files changed, 16 insertions(+) diff --git a/doc/contributing/collaborator-guide.md b/doc/contributing/collaborator-guide.md index 288caa7ff72b8e..256eb6763ee903 100644 --- a/doc/contributing/collaborator-guide.md +++ b/doc/contributing/collaborator-guide.md @@ -127,6 +127,11 @@ for the change. Approval must be from collaborators who are not authors of the change. +Ideally pull requests for dependencies should be generated by automation. +Pay special attention to pull requests for dependencies which have not +been automatically generated and follow the guidance in +[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies). + In some cases, it might be necessary to summon a GitHub team to a pull request for review by @-mention. See [Who to CC in the issue tracker](#who-to-cc-in-the-issue-tracker). diff --git a/doc/contributing/maintaining/maintaining-dependencies.md b/doc/contributing/maintaining/maintaining-dependencies.md index 7529f28a60dd41..bcf1b065e2abe6 100644 --- a/doc/contributing/maintaining/maintaining-dependencies.md 
+++ b/doc/contributing/maintaining/maintaining-dependencies.md @@ -142,6 +142,17 @@ the corresponding script in `tools/update-deps`. [npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml) takes care of npm update, it is maintained by the npm team. +PRs for manual dependency updates should only be accepted if +the update cannot be generated by the automated tooling, +the reason is clearly documented and either the PR is +reviewed in detail or it is from an existing collaborator. + +In general updates to dependencies should only be accepted +if they have already landed in the upstream. The TSC may +grant an exception on a case-by-case basis. This avoids +the project having to float patches for a long time and +ensures that tooling can generate updates automatically. + ## Dependency list ### acorn
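Review bot: In the collaborator-guide.md hunk, the new paragraph tells reviewers to "pay special attention to pull requests for dependencies which have not been automatically generated" but gives no way to recognise an automatically generated one; consider naming the signal a reviewer should check (the bot account or the `tools/update-deps` script the other file refers to) so the distinction is verifiable rather than assumed. The link is also an absolute URL pinned to `blob/main`, while the surrounding text uses in-repo anchors such as `#who-to-cc-in-the-issue-tracker`; a relative link to `maintaining/maintaining-dependencies.md#updating-dependencies` keeps the guidance consistent with the checked-out version of the docs. Minor: "Ideally pull requests" reads better as "Ideally, pull requests", and "which have not" as "that have not".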
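Review bot: In the maintaining-dependencies.md hunk, the acceptance rule makes detailed review optional when the PR "is from an existing collaborator", which means a manually vendored dependency change can land on the author's status alone; since the diff itself is what carries supply-chain risk, consider requiring detailed review in every manual case and stating what that review consists of (for example, confirming the vendored files match the upstream commit or release being imported). The second paragraph would be easier to enforce if it asked the PR to cite the upstream commit or release where the change "already landed", so a reviewer can check the claim rather than take it on trust. Minor: "In general updates" wants a comma after "In general", and "clearly documented and either" reads better as "clearly documented, and either".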