Straw man mozilla-central node_modules policies; comments requested

[For those who have seen earlier iterations of this document, the security section now discusses the recent event-stream/flatmap-stream exploit specifically --dmose]

I’ve drafted a set of straw man proposals for getting basic node_modules support in mozilla-central sooner rather than later. The intent here is to make it possible for us to vendor in non-trivial JavaScript tooling for teams/maintainers who want to improve their efficiency. In this context, “vendor” is being used to mean “review, land, and maintain 3rd party software packages” in mozilla-central.

Once it’s clear that we have rough agreement about the linked policies, I’d like us to [vendor in eslint](https://bugzilla.mozilla.org/show_bug.cgi?id=1491028) so that we can test these policies against something real as we continue to discuss and iterate on them.

This is NOT an exhaustive analysis of the various pros and cons of all the options available for using and handling node_modules. Whatever gets decided now, it’s all subject to reconsideration in the future, as we gain more experience with NodeJS and node_modules in mozilla-central.

In order to make it possible to have a high-level overview of the proposals, here is a table of contents into the policy doc with links:

High level proposal: we [vendor packages into /node_modules]

Vendoring Concerns/Proposed Policies:

* Proposed policy: node_modules currently for use at build-time only, to accelerate initial implementation.

* Proposed policy: disallow modules with binary executables in mozilla-central except in critical cases, to avoid differences between cross-platform builds and binary checkins.

* License compatibility: choose a list similar to that used by `mach vendor rust`, vet with legal, automate

* Security/trust: landing-time reviews, regular automated vulnerability scans

* Avoid importing tools with their build systems that don’t expose their build Directed Acyclic Graphs (i.e. the graph of all dependencies from inputs to outputs)

* How to vendor in -- draft checklist

Node Engine concerns

* nodejs/npm version changes & security updates
* ability to build old versions (e.g. old ESR releases), given that node is coming from CI artifacts?
11/29/2018 9:22:54 PM
