Form an opinion on how we want to manage build pipeline deps #3729
Labels
priority/backlog
Issue is approved and in the backlog
stale
unscoped
The issue needs more design or understanding in order for the work to progress
Any time we make a change to dependencies in the build pipeline, there is an inevitable conversation on whether we want to include the new thing or not, whether we should vendor, whether we should pin, etc. It's largely in the name of security, and secondarily in the name of perf and availability. Here is the latest example
We should figure out a philosophy for how we manage build pipeline dependencies. What is the bar for pulling in a new dep? Must new deps come from certain sources or maintainers? Do we review dep bumps? Do we pin them? Etc. We should have some kind of policy on this, and codify it in the contributor guidelines. Doing so will avoid a lot of back-and-forth whenever these changes come in, and also will reduce some contributor heartache.
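Whatever policy the discussion above settles on, "do we pin?" is the one question that can be enforced mechanically in CI rather than re-litigated on each PR. The following is an added example, not code from the issue's project, and it assumes the build pipeline is GitHub Actions (the issue does not say which pipeline is meant): it scans a workflow file for `uses:` references and flags any third-party action not pinned to a full 40-hex commit SHA, and any `docker://` image not pinned by `@sha256:` digest. The workflow text, the action names and the SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow (placeholder actions and SHA, not from any real project).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - run: npm ci
"""

# Matches "uses: <ref>" at any indentation; stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Classify one `uses:` reference.

    Returns (kind, ref) where kind is:
      'local'    - in-repo action (./path), nothing external to pin
      'ok'       - remote action pinned to a full commit SHA, or docker image pinned by digest
      'unpinned' - tag, branch, missing ref, or image without digest (mutable, can be retargeted)
    """
    if ref.startswith("./"):
        return "local", ref
    if ref.startswith("docker://"):
        # Tags like :3.19 are mutable; only a digest identifies exact image contents.
        return ("ok" if "@sha256:" in ref else "unpinned"), ref
    if "@" not in ref:
        return "unpinned", ref
    _name, _, version = ref.rpartition("@")
    # A tag (v4) or branch (main) can be moved by the action's maintainer or an attacker
    # who compromises the upstream repo; a full commit SHA cannot.
    if FULL_SHA_RE.match(version):
        return "ok", ref
    return "unpinned", ref


def find_unpinned_uses(workflow_text):
    """Return the list of `uses:` refs that violate the pin-to-SHA policy, in file order."""
    return [
        ref
        for m in USES_RE.finditer(workflow_text)
        for kind, ref in [classify_ref(m.group(1))]
        if kind == "unpinned"
    ]


if __name__ == "__main__":
    for ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

Run against a real `.github/workflows/*.yml` this is a reasonable pre-merge gate for the "do we pin?" half of the policy. Two caveats worth stating in the contributor guidelines alongside it: a SHA pin fixes the action's own source but not what that action fetches or installs at run time, so vendoring or a lockfile is still a separate decision; and SHA pins need tooling (Dependabot can update them) or a human process for bumps, which is exactly the "do we review dep bumps?" question the issue raises.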