Sparked by https://github.com/openedx/paragon/issues/2240
We have run into issues with edx-specific packages being added as dependencies. The specific example mentioned in the Paragon issue was `@edx/brand` (as opposed to `@edx/brand-openedx`).

Ideally this would support both org-wide and repo-specific rules for package allow/block lists.

In order to address this across the entire org, it was decided that adding a workflow to this `.github` repository (and using `repo_checks` to ensure it's added to the appropriate repositories) would be the ideal path forward.

This has some overlap with https://github.com/openedx/edx-platform/issues/33189, which is probably also worth looking at for detecting python dependencies in the wrong org.