Update contribution guidelines to include policy on new dependencies

[JTonda]

From @dogboydog on May 21, 2018 15:39

Dependencies can't be added to brightside without submitting TPSRs, and we don't use ~, ^, etc. for versions in package.json, preferring absolute versions. We should document these things in our CONTRIBUTING.md

Copied from original issue: gizafoundation/brightside#93

[JTonda]

From @AHumanFromCA on May 21, 2018 15:42

We should also start using package-lock.json so that dependencies of our dependencies don't update either and cause problems. (This has bitten Steel Masters in the past)

[JTonda]

From @dogboydog on May 21, 2018 15:42

Sure if that makes things work better

[JTonda]

From @AHumanFromCA on May 21, 2018 15:46

It appears as though we should be using shrinkwrap.json

From npm's doc:

npm-shrinkwrap.json is a file created by npm-shrinkwrap. It is identical to package-lock.json, with one major caveat: Unlike package-lock.json, npm-shrinkwrap.json may be included when publishing a package.

The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs or devDependencies. It's strongly discouraged for library authors to publish this file, since that would prevent end users from having control over transitive dependency updates.

[MarkAckert]

Update: while the context has changed surrounding this issues origin has changed, the stated goal is still valuable: publicly document recommended (or required) version guidelines for dependencies used within the project, and expectations for any new dependencies added.

[github-actions]

Thank you for raising this enhancement request.
The community has 90 days to vote on it.
If the enhancement receives at least 5 upvotes, it is added to our development backlog.
If it receives fewer votes, the issue is closed.