[Policy] Dependency evaluation critera

Created on 4 March 2021, almost 4 years ago
Updated 3 March 2023, almost 2 years ago

When adding a dependency to Drupal core there are several topics to consider before making use of the library. Today this is summed up in the documentation page Core dependency release cycles, security information, and evaluation criteria .

A few examples of what it takes to add a dependency:

Problem/Motivation

There are no difference in the evaluation of runtime, build, and development dependencies. This process is not sustainable for JavaScript:

  1. JS libs tend to be much smaller than PHP libraries, and depend on many, many packages
  2. Because of their size most dependencies don't have release schedule, or a security policy, or anything beside a well-meaning maintainer
  3. Even 'big' projects don't have the founding/structure to provide what we would want from our runtime dependencies (see the rollup issue)

For example the testing suite of the once library brings in 408 node packages #3199444-5: Dependency evaluation theoretically we should go through the dependency evaluation for each one.

Proposed resolution

  1. Introduce a different set of rules for build and development dependencies.
  2. for build/dev: we should have the assumption that when no policy exists we defer to the license. Usually that means: no guarantee.
  3. Rely much more on tooling for build/development dependencies to scan periodically for security issues (like it's been set up for once) to help mitigate point #1 and #2

Remaining tasks

Agree on something :)

📌 Task
Status

Active

Version

10.1

Component
Documentation 

Last updated 1 day ago

No maintainer
Created by

🇫🇷France nod_ Lille

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States effulgentsia

    With respect to security policy, while the security of dev dependencies is less critical than the security of production dependencies, we still don't want a requirement or side-effect of contributing to or maintaining core to be exposing your machine to security vulnerabilities. I have come across GitHub repositories where people report security vulnerabilities as public issues prior to those issues being fixed. Such issues usually don't yet have CVE identifiers, and security audit tools don't necessarily pick them up.

    Because of this, I think it would be ideal for our dev dependencies to at a minimum have a security policy that states to not report security issues as public issues, and to instead contact the maintainer privately. This could be as simple as one or two sentences in a README.

    However, I recognize that we already have some dev dependencies that don't have even that as an explicitly stated policy, and that the JS ecosystem doesn't yet have a culture of having such a policy for every single commonly used package that's out there. So, I'm conflicted on what the best balance between security and practicality would be for us with respect to JS dev/build packages.

  • 🇬🇧United Kingdom catch

    Our current policy tends to be that we document what the security policy is, even if that policy is 'nothing', then based on the specific character of the dependency, nothing might be fine or it might not be.

    However documenting what it is often depends on opening an issue against projects asking them if they don't have one clearly documented, which sometimes results in a nice policy being written up, sometimes results in a 'won't fix'. So I guess the question really comes down to, do we want to make opening that issue a requirement for dev dependencies if there's not otherwise documentation of a security policy.

    A further aspect to this is 'dependencies of dependencies'.

Production build 0.71.5 2024