diff --git a/doc/contributing/collaborator-guide.md b/doc/contributing/collaborator-guide.md index 43adfbb8a272ba..4eea65e8c061f4 100644 --- a/doc/contributing/collaborator-guide.md +++ b/doc/contributing/collaborator-guide.md @@ -127,6 +127,11 @@ for the change. Approval must be from collaborators who are not authors of the change. +Ideally pull requests for dependencies should be generated by automation. +Pay special attention to pull requests for dependencies which have not +been automatically generated and follow the guidance in +[Maintaining Dependencies](https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies). + In some cases, it might be necessary to summon a GitHub team to a pull request for review by @-mention. See [Who to CC in the issue tracker](#who-to-cc-in-the-issue-tracker). diff --git a/doc/contributing/maintaining/maintaining-dependencies.md b/doc/contributing/maintaining/maintaining-dependencies.md index e21a6409b3c896..d1bfc7dcaf6755 100644 --- a/doc/contributing/maintaining/maintaining-dependencies.md +++ b/doc/contributing/maintaining/maintaining-dependencies.md @@ -144,6 +144,17 @@ the corresponding script in `tools/update-deps`. [npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml) takes care of npm update, it is maintained by the npm team. +PRs for manual dependency updates should only be accepted if +the update cannot be generated by the automated tooling, +the reason is clearly documented and either the PR is +reviewed in detail or it is from an existing collaborator. + +In general updates to dependencies should only be accepted +if they have already landed in the upstream. The TSC may +grant an exception on a case-by-case basis. This avoids +the project having to float patches for a long time and +ensures that tooling can generate updates automatically. + ## Dependency list ### acorn
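Review bot: In the collaborator-guide.md hunk, the new link to Maintaining Dependencies is an absolute URL pinned to the main branch (`https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies`), although the target sits in the same tree under doc/contributing/maintaining/. A relative link such as `./maintaining/maintaining-dependencies.md#updating-dependencies` would resolve to the matching version of the guidance on release branches and in forks. The `#updating-dependencies` heading is not visible in this patch, so please confirm the anchor exists in the target file. "Pay special attention" also leaves the reviewer without a concrete action; naming the check in this sentence (for example, that the reason for a manual update is documented) would make it usable without following the link.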
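Review bot: In the maintaining-dependencies.md hunk, the first added paragraph ends with "either the PR is reviewed in detail or it is from an existing collaborator", which lets a manual dependency update be accepted without detailed review purely on the basis of who opened it. Manual updates are the case where the change cannot be regenerated by the scripts in `tools/update-deps`, so consider requiring detailed review regardless of author, and setting the conditions out as a list so that the grouping of "and" and "either ... or" is unambiguous. "Reviewed in detail" is also undefined; stating what the reviewer is expected to compare the change against (for example, the upstream release) would make the requirement checkable. In the second added paragraph, "landed in the upstream" reads better as "landed upstream".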