Skip to content

Add label and CI task to catch and document direct dependency changes #18264

New issue
New issue
Open
Task
Open
Add label and CI task to catch and document direct dependency changes#18264
Task
Labels
A-Build-SystemRelated to build systems or continuous integrationC-FeatureA new feature, making something new possibleS-Ready-For-ImplementationThis issue is ready for an implementation PR. Go for it!X-BlessedHas a large architectural impact or tradeoffs, but the design has been endorsed by decision makers
@bushrat011899

Description

@bushrat011899
bushrat011899
opened on Mar 11, 2025

What problem does this solve or what need does it fill?

As noted by Cart in #18263, it is currently quite easy to add new direct dependencies to Bevy, which poses a performance, reliability, and security risk to the project and its users.

What solution would you like?

  • Add a new label, M-Deliberate-Dependency-Change, for PRs which intentionally add, remove, or update direct dependencies.
  • Add a CI task which catches and comments on PRs which modify direct dependencies without this label.
  • Update the contributing guide to indicate new dependencies must be highly trustworthy (known actor / high traffic / high visibility / high review)

What alternative(s) have you considered?

Do nothing and continue to be careful.

Additional context

Thread on Discord

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-Build-SystemRelated to build systems or continuous integrationC-FeatureA new feature, making something new possibleS-Ready-For-ImplementationThis issue is ready for an implementation PR. Go for it!X-BlessedHas a large architectural impact or tradeoffs, but the design has been endorsed by decision makers

    Type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions