doc: add additional guidance for PRs to deps

- add additional guidance based in discussion related to recent PR to dependency and discussion within the security-wg slack channel. Refs: nodejs/security-wg#1329 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#53499 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
Hawthorne001 · Jun 20, 2024 · 53e9106 · 53e9106
1 parent 9e535b6
commit 53e9106
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/doc/contributing/collaborator-guide.md b/doc/contributing/collaborator-guide.md
@@ -127,6 +127,11 @@ for the change.
 
 Approval must be from collaborators who are not authors of the change.
 
+Ideally pull requests for dependencies should be generated by automation.
+Pay special attention to pull requests for dependencies which have not
+been automatically generated and follow the guidance in
+[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies).
+
 In some cases, it might be necessary to summon a GitHub team to a pull request
 for review by @-mention.
 See [Who to CC in the issue tracker](#who-to-cc-in-the-issue-tracker).

diff --git a/doc/contributing/maintaining/maintaining-dependencies.md b/doc/contributing/maintaining/maintaining-dependencies.md
@@ -144,6 +144,17 @@ the corresponding script in `tools/update-deps`.
 [npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml)
 takes care of npm update, it is maintained by the npm team.
 
+PRs for manual dependency updates should only be accepted if
+the update cannot be generated by the automated tooling,
+the reason is clearly documented and either the PR is
+reviewed in detail or it is from an existing collaborator.
+
+In general updates to dependencies should only be accepted
+if they have already landed in the upstream. The TSC may
+grant an exception on a case-by-case basis. This avoids
+the project having to float patches for a long time and
+ensures that tooling can generate updates automatically.
+
 ## Dependency list
 
 ### acorn