PrestaShop / ADR

Architecture Decision Records for the PrestaShop project

0020 - BC Break & PHP Abandoned Dependency #31

Closed Progi1984 closed 1 year ago

Progi1984 commented 1 year ago

| Questions | Answers |
| --- | --- |
| Description? | New ADR |
| Type? | improvement |

Progi1984 commented 1 year ago

Ping @PrestaShop/committers & @PrestaShop/prestashop-core-developers

eternoendless commented 1 year ago

IMO this should be allowed if and only if these are true:

  1. The package is not a direct dependency (meaning that it's not in our composer.json)
  2. It's not a popular dependency (e.g. symfony subcomponents)
  3. There's a known, important security vulnerability that cannot be patched easily in a temporary fork
  4. (if applicable) an alternative package exists

eternoendless commented 1 year ago

BTW it's easier to discuss the subject on an issue, then create the decision record

Progi1984 commented 1 year ago

@eternoendless So what can we do when a direct dependency (it's the target of the ADR) is abandoned during a minor version?

I will give an example: SwiftMailer has not been maintained since Nov 2021

> BTW it's easier to discuss the subject on an issue, then create the decision record

I follow the process in the README.md

eternoendless commented 1 year ago

> what can we do when a direct dependency (it's the target of the ADR) is abandoned during a minor version?

Unfortunately we need to keep it until the next major, unless an important security vulnerability is found and it cannot be patched in a fork.

Progi1984 commented 1 year ago

@eternoendless Thanks for your feedback. I understand it. I will close this ADR.