dependency-management.md

Dependency Management Guidelines

This repository uses third-party code from a variety of sources, so we need to be mindful of how these dependencies will affect our consumers. Considerations include:

• General code quality.
• Licensing compatibility.
• Handling of security vulnerabilities.
• The potential for supply-chain compromise.

We're still evolving our policies in this area, but these are the guidelines we've developed so far.

Rust Code

Unlike Firefox, we do not vendor third-party source code directly into the repository. Instead we rely on Cargo.lock and its hash validation to ensure that each build uses an identical copy of all third-party crates. These are the measures we use for ongoing maintence of our existing dependencies:

• Check Cargo.lock into the repository.
• Generate built artifacts using the --locked flag to cargo build, as an additional assurance that the existing Cargo.lock will be respected.
• Regularly run cargo-audit in CI to alert us to security problems in our dependencies.
  • It runs on every PR, and once per hour on the main branch
• Use a home-grown tool to generate a summary of dependency licenses and to check them for compatibility with MPL-2.0.
  • Check these summaries into the repository and have CI alert on unexpected changes, to guard against pulling in new versions of a dependency under a different license.

Adding a new dependency, whether we like it or not, is a big deal - that dependency and everything it brings with it will become part of Firefox-branded products that we ship to end users. We try to balance this responsibility against the many benefits of using existing code, as follows:

• In general, be conservative in adding new third-party dependencies.
  • For trivial functionality, consider just writing it yourself. Remember the cautionary tale of left-pad.
  • Check if we already have a crate in our dependency tree that can provide the needed functionality.
• Prefer crates that have a a high level of due-dilligence already applied, such as:
  • Crates that are already vendored into Firefox.
  • Crates from rust-lang-nursery.
  • Crates that appear to be widely used in the rust community.
• Check that it is clearly licensed and is MPL-2.0 compatible.
• Take the time to investigate the crate's source and ensure it is suitably high-quality.
  • Be especially wary of uses of unsafe, or of code that is unusually resource-intensive to build.
  • Dev dependencies do not require as much scrutiny as dependencies that will ship in consuming applications, but should still be given some thought.
    • There is still the potential for supply-chain compromise with dev dependencies!
• As part of the PR that introduces the new dependency:
  • Regenerate dependency summary files using the regenerate_dependency_summaries.sh.
  • Explicitly describe your consideration of the above points.

Updating to new versions of existing dependencies is a normal part of software development and is not accompanied by any particular ceremony.

Android/Kotlin Code

We currently depend only on the following Kotlin dependencies:

• JNA
• protobuf-gradle-plugin

We currently depend on the following developer dependencies in the Kotlin codebase, but they do not get included in built distribution files:

• detekt
• ktlint

No additional Kotlin dependencies should be added to the project unless absolutely necessary.

iOS/Swift Code

We currently depend only on the following dependencies:

• swift-protobuf
• SwiftKeychainWrapper

No additional Swift dependencies should be added to the project unless absolutely necessary.

Other Code

We currently depend on local builds of the following system dependencies:

• NSS and NSPR
• SQLCipher
• Protobuf

No additional system dependencies should be added to the project unless absolutely necessary.