This document outlines the standards and best practices for managing dependencies across all Bayat projects.
- Always specify exact versions of dependencies to ensure reproducible builds
- Regularly audit and update dependencies for security vulnerabilities
- Document the purpose of each dependency in the project documentation
- Minimize the number of dependencies to reduce complexity and potential security issues
- Consider the license of each dependency before including it in a project
- Use npm or yarn with lockfiles (package-lock.json or yarn.lock)
- Specify exact versions in package.json (`"package": "1.2.3"` instead of `"package": "^1.2.3"`)
- Group dependencies logically (dev dependencies, runtime dependencies, etc.)
- Use pip with requirements.txt or Poetry
- Pin specific versions in requirements.txt (`package==1.2.3`)
- Include hashes for added security
- Use NuGet packages with specified versions in .csproj files
- Consider using PackageReference instead of packages.config
- Use a centralized Directory.Packages.props file for version management in larger solutions
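The pinning rules for package.json and requirements.txt above can be checked mechanically. The following lint is an added example, not part of the Bayat standards or any Bayat tooling; the two sample manifests and the hash value in them are constructed for illustration.

```python
# Added example: flag dependencies that violate the exact-version and hash rules.
import json
import re

# An exact npm version: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
# Anything else ("^1.2.3", "~1.2.3", ">=1.0", "latest", "*") is a range.
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+([-+][0-9A-Za-z.\-]+)?")

def unpinned_npm(package_json_text):
    """Return 'section:name=spec' for every package.json entry that is not exact."""
    data = json.loads(package_json_text)
    offenders = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if not EXACT_SEMVER.fullmatch(spec.strip()):
                offenders.append(f"{section}:{name}={spec}")
    return offenders

def unpinned_requirements(requirements_text):
    """Return requirement lines that lack an '==' pin or a --hash=sha256: option."""
    offenders = []
    # Join backslash continuations so hashes on following lines belong to their line.
    for raw in requirements_text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -i)
            continue
        pinned = "==" in line
        hashed = "--hash=sha256:" in line
        if not (pinned and hashed):
            offenders.append(line.split()[0])
    return offenders

# Constructed sample manifests (not real project files; the hash is a placeholder).
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"left-pad": "1.3.0", "express": "^4.18.2"},
  "devDependencies": {"jest": "~29.7.0", "typescript": "5.4.5"}
}"""

SAMPLE_REQUIREMENTS = """requests==2.31.0 \\
    --hash=sha256:0000placeholder
flask>=3.0
click==8.1.7   # pinned but no hash
"""

if __name__ == "__main__":
    print("npm:", unpinned_npm(SAMPLE_PACKAGE_JSON))
    print("pip:", unpinned_requirements(SAMPLE_REQUIREMENTS))
```

Run it as a CI step against the real manifests and fail the build when either list is non-empty.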
- Activity level of the project (recent commits, issues, PRs)
- Size and engagement of the community
- Documentation quality
- Test coverage
- License compatibility
- Security history
- Performance impact
- Maintenance burden
- Identify need for external dependency
- Research available options
- Evaluate against criteria
- Document justification
- Get approval from team lead
- Include in project with proper versioning
For monorepo projects:
- Use workspace features of package managers where available
- Maintain consistent versions across all packages
- Document internal dependencies clearly
- Security updates: Immediate
- Major versions: Quarterly review
- Minor versions: Monthly review
- Patch versions: Bi-weekly review
- Review release notes for breaking changes
- Update in development environment
- Run automated tests
- Perform manual testing if needed
- Document changes in project changelog
- Create a dedicated PR for the update
- Enable automated security scanning in CI/CD pipeline
- Subscribe to security advisories for critical dependencies
- Document the remediation process for vulnerable dependencies
- Maintain a dependency inventory for each project
- Prefer internal packages for shared functionality
- Document and version internal packages following the same standards
- Use private registries for internal packages
- Use npm audit, Poetry audit, or equivalent tools regularly
- Integrate auditing into CI/CD pipeline
- Generate dependency reports for compliance and security reviews
| Version | Date | Description |
|---|---|---|
| 1.0 | 2025-03-20 | Initial version |