Dependency management guidelines #2142
gabrocheleau
started this conversation in
General
Replies: 1 comment 4 replies
-
Should |
Beta Was this translation helpful? Give feedback.
4 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
In order to make the security of the monorepo more robust, we've discussed establishing a set of good practices that should be followed when updating or installing dependencies.
package.json
and/orpackage-lock
updates should be scoped separately (i.e., separate PR) from unrelated updates. If new packages are installed or updated, the rationale for these modifications should be outlined in the PR.package-lock
, contributors and reviewers should runnpx lockfile-lint --path package-lock.json --allowed-hosts npm --validate-https
. Perhaps this could eventually be added to the CI.npm audit
should be gone through and fixed or if not relevant, they should be documented (i.e. what they are and why they're not a concern in our case). Particular attention should be paid to non-dev dependencies (npm audit —production
).^1.2.3
) and only use fixed versions of packages. Before doing so, a review should be completed for duplicate versions of deps (e.g. trie uses dep [email protected], and dep xxx which depends on [email protected]).Beta Was this translation helpful? Give feedback.
All reactions