Appearance
Frontend Dependency Policy
This document defines the approved supply-chain policy for the Vue frontend in rustchat.
Goals
- keep the direct dependency surface small
- make installs deterministic
- stop untrusted install-time code from running automatically in CI
- make dependency changes visible and reviewable
- support emergency transitive remediation without waiting on upstream
Standard Package Manager
The frontend uses npm as the only supported package manager.
Rules:
frontend/package-lock.jsonis the single lockfile source of truth.frontend/pnpm-lock.yamlandfrontend/yarn.lockare not allowed.- Routine local setup uses
npm ci. - CI and release-oriented builds use
npm ci --ignore-scripts. - Use
npm installornpm uninstallonly when you are intentionally changing dependencies and plan to review the resulting manifest and lockfile diff.
Approved Dependency Categories
Every direct dependency must be justified in frontend/dependency-policy.json under exactly one of these categories:
framework-criticalbuild-tool-criticalsecurity-criticaleditor-format-tooling-criticalimpossible-to-replace-economically
A dependency is not approved merely because it is popular or convenient.
Adding a Direct Dependency
Before adding a new frontend dependency:
- verify that browser APIs, existing internal utilities, or current packages cannot solve the problem cheaply
- document the dependency in
frontend/dependency-policy.json - choose one approved category
- add a short reason that explains why the package exists
- include the dependency change in PR notes
Frontend dependency PRs must include:
- the problem being solved
- why existing code or platform APIs were insufficient
- the chosen category and rationale
- whether the package introduces lifecycle scripts, native code, browser binaries, or external network behavior
Removing a Dependency
Dependency removal is preferred whenever a package becomes:
- unused
- replaceable with existing platform APIs
- duplicated by another dependency already in the repo
- obsolete after a refactor
When removing a dependency:
- delete its source usage
- remove it from
frontend/package.json - update
frontend/package-lock.json - remove its entry from
frontend/dependency-policy.json
Install Policy
Local development
Use:
bash
cd frontend
npm ciCI and release-oriented builds
Use:
bash
cd frontend
npm ci --ignore-scriptsLifecycle scripts are blocked in CI by default.
If a tool requires additional setup in CI, that setup must happen as an explicit trusted step after dependency installation.
Example:
bash
npx playwright install chromiumDependency Review and Vulnerability Gates
Frontend dependency changes are enforced by:
- GitHub dependency review on pull requests
frontend/scripts/check-dependency-policy.mjsnpm audit --audit-level=high
These checks must stay green before merge.
Overrides: First-Line Transitive Remediation
Use frontend/package.json overrides when a vulnerable transitive dependency can be fixed by forcing a safer version.
Requirements:
- add or update the override in
frontend/package.json - document it in
frontend/dependency-policy.json - explain why it exists
- record how to know when it can be removed
Use overrides first because they are the smallest and least surprising mitigation path.
Patches: Fallback When Overrides Are Not Enough
If an override cannot remediate the issue, use the repo-managed patch workflow.
Artifacts:
- patch files live in
frontend/patches/ - patch metadata lives in
frontend/dependency-patches.json - patches are applied by
frontend/scripts/apply-dependency-patches.mjs
Each patch entry must include:
- package name
- patch file path
- reason
- removal condition
Patch policy:
- patches are emergency or short-lived controls, not permanent forks by default
- each patch must have a clear retirement path
- if upstream publishes a safe fix, remove the patch and prefer a normal versioned dependency update
Install Script Exceptions
Default policy:
- no dependency lifecycle scripts run in CI
- no silent exceptions are allowed
If an exception becomes necessary, document all of the following in the PR and policy metadata:
- why the package is required
- what risk the script introduces
- why it cannot be replaced
- whether it is build-only or runtime-critical
- how CI invokes it explicitly
Update Strategy
Frontend dependency updates are PR-based and reviewable.
Rules:
- Dependabot may open frontend update PRs.
- Major updates must not auto-merge.
- Security updates are reviewed separately from routine feature/tooling upgrades.
- Every dependency update must still pass frontend tests, build, and policy gates.
Dependency Inventory
Frontend CI publishes a machine-readable dependency inventory artifact using npm's resolved dependency tree.
Reviewers should be able to answer:
- what changed
- why the dependency exists
- whether install-time code ran
- whether a transitive dependency is pinned or patched centrally
PR Checklist for Dependency Changes
If your PR changes frontend/package.json or frontend/package-lock.json, make sure it also includes:
- updates to
frontend/dependency-policy.json - override metadata if
overrideschanged - patch metadata if
frontend/dependency-patches.jsonchanged - a short explanation in the PR body
- proof that the frontend dependency checks still pass