This policy describes how Capsule maintainers consume third-party packages.
This policy applies to all Capsule maintainers and all third-party packages used in the Capsule project.
Capsule maintainers must follow these guidelines when consuming third-party packages:
- Only use third-party packages that are necessary for the functionality of Capsule.
- Use the latest version of all third-party packages whenever possible.
- Avoid using third-party packages that are known to have security vulnerabilities.
- Pin all third-party packages to specific versions in the Capsule codebase.
- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
- Dependencies must pass all automated tests before being merged into the Capsule codebase.
When adding a new third-party package to Capsule, maintainers must follow these steps:
- Evaluate the need for the package. Is it necessary for the functionality of Capsule?
- Research the package. Is it well-maintained? Does it have a good reputation?
- Choose a version of the package. Use the latest version whenever possible.
- Pin the package to the specific version in the Capsule codebase.
- Update the Capsule documentation to reflect the new dependency.
When a third-party package is discontinued, the Capsule maintainers must fensure to replace the package with a suitable alternative.
This policy is enforced by the Capsule maintainers. Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
Exceptions to this policy may be granted by the Capsule project lead on a case-by-case basis.
This policy was adapted from the Kubescape Community