This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 42ebb87 Add best practices for installing JS dependencies to code conventions
42ebb87 is described below
commit 42ebb874d119a6acf0017d6a9846374dcbc7d68e
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Dec 23 15:27:27 2025 +0000
Add best practices for installing JS dependencies to code conventions
---
atr/docs/code-conventions.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/atr/docs/code-conventions.md b/atr/docs/code-conventions.md
index 04e20ea..0a9f6c3 100644
--- a/atr/docs/code-conventions.md
+++ b/atr/docs/code-conventions.md
@@ -277,6 +277,10 @@ Do not use `*` for emphasis or `__` for strong emphasis.
It is often possible to avoid using JavaScript without significant loss of
functionality, but it may require a little more thought. JavaScript is not,
however, something to avoid by rote. User experiences can be significantly
improved with thoughtful application of JavaScript. Therefore, default to not
using JavaScript, but consider how it could be used concisely and with care to
improve UX.
+### Use best practices for installing JavaScript dependencies
+
+Disable lifecycle scripts, separate the process into pinning and building from
pinned versions, ensure that versions are properly pinned (e.g. using
`save-exact` and `save-prefix` in npm), run audits automatically after
installation, and set a package cooldown of 14 days. Manually update in case of
a CVE within the 14 day cooldown period. If possible, run the whole process in
an OCI container with a non-root build user in the container.
+
## Shell
### Use POSIX sh only
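Review bot: the new paragraph names the practices but not the mechanism for any of them, so two contributors could read "disable lifecycle scripts" or "set a package cooldown of 14 days" and implement them differently, or not at all. Suggest giving the concrete settings alongside each item: for npm, `ignore-scripts=true` and `save-exact=true` in a committed `.npmrc` (the paragraph already mentions `save-exact` and `save-prefix`, so the file they live in should be named), an explicit statement that the "building from pinned versions" step installs only from the committed lockfile and fails if it would change it, and the name of the tool or setting that enforces the 14-day cooldown, since npm has no built-in cooldown and the reader otherwise cannot tell whether this is a process rule or a configured check. The CVE exception ("Manually update in case of a CVE within the 14 day cooldown period") would also benefit from one sentence on how the exception is recorded, for example in the commit message of the bump, so that out-of-cooldown updates remain reviewable. Finally, "run audits automatically after installation" should say which audit runs and whether a finding fails the build or only reports, as the two have very different effects on the pipeline.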