This policy describes how kube-state-metrics maintainers consume third-party packages.
This policy applies to all kube-state-metrics maintainers and all third-party packages used in the kube-state-metrics project.
kube-state-metrics maintainers must follow these guidelines when consuming third-party packages:
- Only use third-party packages that are necessary for the functionality of kube-state-metrics; prefer the Go standard library or an existing dependency where it is sufficient.
- Use the latest released version of each third-party package whenever possible, and keep existing dependencies up to date.
- Do not use a package, or a version of a package, with known, unfixed security vulnerabilities. When a vulnerability is published for a dependency already in use, upgrade to the fixed version.
- Pin every third-party package to a specific version in the kube-state-metrics codebase. With Go modules this means the exact version recorded in go.mod together with its checksum in go.sum, so that builds are reproducible and a changed upstream artifact is detected.
- Use a dependency management tool, such as Go modules, to manage third-party dependencies rather than copying source into the repository by hand.
When adding a new third-party package to kube-state-metrics, maintainers must follow these steps:
- Evaluate the need for the package. Is it necessary for the functionality of kube-state-metrics, or could the standard library or an existing dependency provide the same functionality?
- Research the package. Is it actively maintained? Does it have a good reputation? Which transitive dependencies does it pull in, since those become dependencies of kube-state-metrics as well?
- Choose a version of the package. Use the latest released version whenever possible.
- Pin the package to that specific version in the kube-state-metrics codebase (for Go modules, in go.mod and go.sum).
- Update the kube-state-metrics documentation to reflect the new dependency.
This policy is enforced by the kube-state-metrics maintainers.
Maintainers are expected to review each other's code changes, including changes to go.mod and go.sum, to ensure that they comply with this policy.
Exceptions to this policy may be granted by the kube-state-metrics project owners on a case-by-case basis.
This policy was adapted from Kubescape's Environment Dependencies Policy.