Skip to content

Commit

Permalink
doc: add additional guidance for PRs to deps
Browse files Browse the repository at this point in the history
- add additional guidance based in discussion related
  to recent PR to dependency and discussion within the
  security-wg slack channel.

Refs: nodejs/security-wg#1329

Signed-off-by: Michael Dawson <[email protected]>
PR-URL: #53499
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
  • Loading branch information
mhdawson authored and targos committed Jun 21, 2024
1 parent 7716613 commit 30858ec
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 0 deletions.
5 changes: 5 additions & 0 deletions doc/contributing/collaborator-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,11 @@ for the change.

Approval must be from collaborators who are not authors of the change.

Ideally pull requests for dependencies should be generated by automation.
Pay special attention to pull requests for dependencies which have not
been automatically generated and follow the guidance in
[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies).

In some cases, it might be necessary to summon a GitHub team to a pull request
for review by @-mention.
See [Who to CC in the issue tracker](#who-to-cc-in-the-issue-tracker).
Expand Down
11 changes: 11 additions & 0 deletions doc/contributing/maintaining/maintaining-dependencies.md
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,17 @@ the corresponding script in `tools/update-deps`.
[npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml)
takes care of npm update, it is maintained by the npm team.

PRs for manual dependency updates should only be accepted if
the update cannot be generated by the automated tooling,
the reason is clearly documented and either the PR is
reviewed in detail or it is from an existing collaborator.

In general updates to dependencies should only be accepted
if they have already landed in the upstream. The TSC may
grant an exception on a case-by-case basis. This avoids
the project having to float patches for a long time and
ensures that tooling can generate updates automatically.

## Dependency list

### acorn
Expand Down

0 comments on commit 30858ec

Please sign in to comment.