
Add label and CI task to catch and document direct dependency changes #18264

Open
bushrat011899 opened this issue Mar 11, 2025 · 2 comments
Labels
A-Build-System Related to build systems or continuous integration C-Feature A new feature, making something new possible S-Ready-For-Implementation This issue is ready for an implementation PR. Go for it! X-Blessed Has a large architectural impact or tradeoffs, but the design has been endorsed by decision makers

Comments

@bushrat011899
Contributor

What problem does this solve or what need does it fill?

As noted by Cart in #18263, it is currently quite easy to add new direct dependencies to Bevy, which poses a performance, reliability, and security risk to the project and its users.

What solution would you like?

  • Add a new label, M-Deliberate-Dependency-Change, for PRs which intentionally add, remove, or update direct dependencies.
  • Add a CI task which catches and comments on PRs which modify direct dependencies without this label.
  • Update the contributing guide to indicate new dependencies must be highly trustworthy (known actor / high traffic / high visibility / high review)

What alternative(s) have you considered?

Do nothing and continue to be careful.

Additional context

Thread on Discord

@bushrat011899 bushrat011899 added A-Build-System Related to build systems or continuous integration C-Feature A new feature, making something new possible X-Blessed Has a large architectural impact or tradeoffs, but the design has been endorsed by decision makers labels Mar 11, 2025
@alice-i-cecile alice-i-cecile added the S-Ready-For-Implementation This issue is ready for an implementation PR. Go for it! label Mar 11, 2025
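The CI task proposed above needs a way to tell a deliberate direct-dependency change from an incidental one. The following is an added example, not Bevy's CI and not code from anyone in this thread: it parses the base and head revisions of a Cargo.toml, lists direct dependencies that were added, removed or re-specified (including renamed crates declared with `package = "..."`, so a rename cannot hide a new crate), and flags the PR when the acknowledgement label is absent. The two manifests, their crate names and the `labels` list are constructed for illustration; the label name is a parameter because the thread first proposes `M-Deliberate-Dependency-Change` and later suggests reusing the existing `C-Dependencies`.

```python
"""Flag PRs that change direct dependencies without the acknowledgement label.

Added example (not Bevy's CI): compares the direct dependencies declared in a
base and a head Cargo.toml and decides whether the PR carries the label.
"""
import json

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

DEP_SECTIONS = ("dependencies", "dev-dependencies", "build-dependencies")
# Assumption: the label the project settles on; the thread proposes this name
# and later discusses reusing C-Dependencies instead.
REQUIRED_LABEL = "M-Deliberate-Dependency-Change"


def _normalize(spec):
    """Canonical string for a dependency spec so equality is meaningful.

    `log = "0.4"` and `log = { version = "0.4" }` are the same requirement,
    so a bare string is folded into a table with only `version`.
    """
    if isinstance(spec, str):
        spec = {"version": spec}
    return json.dumps(spec, sort_keys=True)


def direct_deps(cargo_toml_text):
    """Return {(section, crate): normalized_spec} for every direct dependency.

    Covers [dependencies], [dev-dependencies], [build-dependencies],
    [workspace.dependencies] and target-specific tables such as
    [target.'cfg(unix)'.dependencies]. The crate is the `package` key when a
    dependency is renamed, so renaming does not hide a new crate.
    """
    doc = tomllib.loads(cargo_toml_text)
    tables = [(sec, doc[sec]) for sec in DEP_SECTIONS if sec in doc]
    workspace = doc.get("workspace", {})
    if "dependencies" in workspace:
        tables.append(("workspace.dependencies", workspace["dependencies"]))
    for target, body in doc.get("target", {}).items():
        for sec in DEP_SECTIONS:
            if sec in body:
                tables.append((f"target.{target}.{sec}", body[sec]))
    deps = {}
    for sec, table in tables:
        for alias, spec in table.items():
            crate = spec.get("package", alias) if isinstance(spec, dict) else alias
            deps[(sec, crate)] = _normalize(spec)
    return deps


def dependency_changes(base_text, head_text):
    """Classify differences as added / removed / changed direct dependencies."""
    base, head = direct_deps(base_text), direct_deps(head_text)
    return {
        "added": sorted(k for k in head if k not in base),
        "removed": sorted(k for k in base if k not in head),
        "changed": sorted(k for k in head if k in base and head[k] != base[k]),
    }


def check_pr(base_text, head_text, labels, required_label=REQUIRED_LABEL):
    """Return (ok, message); ok is False when deps changed without the label.

    Mirrors the proposal above: the job comments on the PR so a human has to
    acknowledge the change explicitly rather than silently merging it.
    """
    changes = dependency_changes(base_text, head_text)
    if not any(changes.values()):
        return True, "no direct dependency changes"
    summary = "; ".join(
        f"{kind}: " + ", ".join(f"{sec}/{crate}" for sec, crate in keys)
        for kind, keys in changes.items() if keys
    )
    if required_label in labels:
        return True, f"dependency changes acknowledged by {required_label} ({summary})"
    return False, f"direct dependencies changed without {required_label}: {summary}"


# Constructed sample manifests for the example (not Bevy's real Cargo.toml).
BASE_MANIFEST = """
[dependencies]
serde = { version = "1.0", features = ["derive"] }
log = "0.4"

[dev-dependencies]
criterion = "0.5"

[target.'cfg(unix)'.dependencies]
libc = "0.2"
"""

HEAD_MANIFEST = """
[dependencies]
serde = { version = "1.0", features = ["derive"] }
log = "0.4"
fancy_colors = { package = "colored", version = "2.1" }

[dev-dependencies]
criterion = "0.5"
"""

if __name__ == "__main__":
    ok, msg = check_pr(BASE_MANIFEST, HEAD_MANIFEST, labels=["C-Feature"])
    print("OK" if ok else "FLAG", msg)
```

In a real job the two texts would come from `git show "$BASE_SHA:$path"` and the checkout for every Cargo.toml the PR touches (Bevy is a workspace, so one manifest is not enough), and the PR's labels from the event payload. The check deliberately reports a version bump as "changed" rather than ignoring it, since a bump pulls in new code just as a new crate does. It does not look at Cargo.lock, so transitive updates are out of its scope by design; the issue is about direct dependencies.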
@mockersf
Member

do we need a new label, or could the existing C-Dependencies be reused?

@bushrat011899
Contributor Author

> do we need a new label, or could the existing C-Dependencies be reused?

Good point! I think it's reasonable to reuse that label. I can't think of a C-Dependencies PR that wouldn't also use a new M-Deliberate-Dependency-Change label, and vice versa.
