-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dependencies: initial external dependency policy. #12952
Conversation
This will apply to all changes to external dependencies in future PRs. Signed-off-by: Harvey Tuch <htuch@google.com>
CC @envoyproxy/maintainers @envoyproxy/security-team |
Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Harvey Tuch <htuch@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is awesome - thanks for putting it together!
We rely on community volunteers to help track the latest versions of dependencies. On a best effort | ||
basis: | ||
|
||
* Core Envoy dependencies will be updated by the Envoy maintainers/security team. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We really only update deps when needed for security reasons correct? Generally if someone wants an upgrade due to some shiny new feature they have done the work and we review. Are you suggesting we change that, or think it's worth clarifying?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we usually update dependencies continuously; @moderation has been responsible for a lot of this, see history at https://github.com/envoyproxy/envoy/commits/master/bazel/repository_locations.bzl.
There has been some high profile upgrades that were not really plausible to do mechanically as they required code changes, e.g. http-parser
, but these are more the exception than rule.
I reckon it's better to try and stick with latest release version. The rationale for this is:
- Many code improvements are made in projects that can impact security that fall below the threshold of CVE.
- Many projects don't have long-term support branches, e.g. if we were talking Linux kernel, maybe it's fine to live on 4.0.x as you know this will have active support for a significant period of time.
- For folks who operate monorepos (cough), other projects force dependencies to be brought forward in time.
The downside is we have more churn and less burn time for a given dependency version.
Signed-off-by: Harvey Tuch <htuch@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for putting this together. One small comment and I would suggest shipping and iterating.
Signed-off-by: Harvey Tuch <htuch@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
This will apply to all changes to external dependencies in future PRs.
Signed-off-by: Harvey Tuch htuch@google.com