Consolidate the guides on frontend dependencies

This consolidates the guides we had on frontend dependencies and adds a section about the ability to reject simple dependency updates by community contributors.

Consolidate the guides on frontend dependencies
This consolidates the guides we had on frontend dependencies and adds a section about the ability to reject simple dependency updates by community contributors.
8f1e3a38 · GitLab Bot · 86a5baf4 · 8f1e3a38 · 8f1e3a38 · 8f1e3a38
Commit 8f1e3a38 authored Feb 09, 2021 by GitLab Bot
3 changed files
--- a/doc/development/fe_guide/dependencies.md
+++ b/doc/development/fe_guide/dependencies.md
@@ -6,28 +6,75 @@ info: To determine the technical writer assigned to the Stage/Group associated w

 # Frontend dependencies

-## Package manager
+We use [yarn@1](https://classic.yarnpkg.com/lang/en/) to manage frontend dependencies.

-We use [Yarn](https://yarnpkg.com/) to manage frontend dependencies. There are a few exceptions, stored in `vendor/assets/`.
+There are a few exceptions in the GitLab repository, stored in `vendor/assets/`.

-## Updating dependencies
+## What are production and development dependencies?
+
+These dependencies are defined in two groups within `package.json`, `dependencies` and `devDependencies`.
+For our purposes, we consider anything that is required to compile our production assets a "production" dependency.
+That is, anything required to run the `webpack` script with `NODE_ENV=production`.
+Tools like `eslint`, `jest`, and various plugins and tools used in development are considered `devDependencies`.
+This distinction is used by omnibus to determine which dependencies it requires when building GitLab.

-### Renovate GitLab Bot
+Exceptions are made for some tools that we require in the
+`compile-production-assets` CI job such as `webpack-bundle-analyzer` to analyze our
+production assets post-compile. 
+
+## Updating dependencies

 We use the [Renovate GitLab Bot](https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot) to
-automatically create merge requests for updating dependencies of several projects. You can find the
-up-to-date list of projects managed by the renovate bot in the project’s README. Some key dependencies
-updated using renovate are:
+automatically create merge requests for updating dependencies of several projects.
+You can find the up-to-date list of projects managed by the renovate bot in the project’s README.
+
+Some key dependencies updated using renovate are:

 - [`@gitlab/ui`](https://gitlab.com/gitlab-org/gitlab-ui)
 - [`@gitlab/svgs`](https://gitlab.com/gitlab-org/gitlab-svgs)
 - [`@gitlab/eslint-plugin`](https://gitlab.com/gitlab-org/frontend/eslint-plugin)
+- And any other package in the `@gitlab/` scope
+
+We have the goal of updating [_all_ dependencies with renovate](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21).
+
+Updating dependencies automatically has several benefits, have a look at this [example MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53613).
+
+- MRs will be created automatically when new versions are released
+- MRs can easily be rebased and updated with just checking a checkbox in the MR description
+- MRs contain changelog summaries and links to compare the different package versions
+- MRs can be assigned to people directly responsible for the dependencies
+
+### Community contributions updating dependencies
+
+It is okay to reject Community Contributions that solely bump dependencies.
+Simple dependency updates are better done automatically for the reasons provided above.
+If a community contribution needs to be rebased, runs into conflicts, or goes stale, the effort required
+to instruct the contributor to correct it often outweighs the benefits.
+
+If a dependency update is accompanied with significant migration efforts, due to major version updates,
+a community contribution is acceptable.
+
+Here is a message you can use to explain to community contributors as to why we reject simple updates:
+
+```markdown
+Hello CONTRIBUTOR!
+
+Thank you very much for this contribution. It seems like you are doing a "simple" dependency update.
+
+If a dependency update is as simple as increasing the version number, we'd like a Bot to do this to save you and ourselves some time.
+
+This has certain benefits as outlined in our <a href="https://docs.gitlab.com/ee/development/fe_guide/dependencies.html#updating-dependencies">Frontend development guidelines</a>.
+
+You might find that we do not currently update DEPENDENCY automatically, but we are planning to do so in [the near future](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21).
+
+Thank you for understanding, I will close this Merge Request.
+/close
+```

 ### Blocked dependencies

-We discourage installing some dependencies in [GitLab repository](https://gitlab.com/gitlab-org/gitlab)
-because they can create conflicts in the dependency tree. Blocked dependencies are declared in the
-`blockDependencies` property of the GitLab [`package.json` file](https://gitlab.com/gitlab-org/gitlab/-/blob/master/package.json).
+We discourage installing some dependencies in [GitLab repository](https://gitlab.com/gitlab-org/gitlab) because they can create conflicts in the dependency tree.
+Blocked dependencies are declared in the `blockDependencies` property of the GitLab [`package.json`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/package.json).

 ## Dependency notes


--- a/doc/development/new_fe_guide/dependencies.md
+++ b/doc/development/new_fe_guide/dependencies.md
 ---
-stage: none
-group: unassigned
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+redirect_to: '../fe_guide/dependencies.md'
 ---

-# Dependencies
+This document was moved to [another location](../fe_guide/dependencies.md).

-## Adding Dependencies
-
-GitLab uses `yarn` to manage dependencies. These dependencies are defined in
-two groups within `package.json`, `dependencies` and `devDependencies`. For
-our purposes, we consider anything that is required to compile our production
-assets a "production" dependency. That is, anything required to run the
-`webpack` script with `NODE_ENV=production`. Tools like `eslint`, `karma`, and
-various plugins and tools used in development are considered `devDependencies`.
-This distinction is used by omnibus to determine which dependencies it requires
-when building GitLab.
-
-Exceptions are made for some tools that we require in the
-`gitlab:assets:compile` CI job such as `webpack-bundle-analyzer` to analyze our
-production assets post-compile.
-
-To add or upgrade a dependency, run:
-
-```shell
-yarn add <your dependency here>
-```
-
-This may introduce duplicate dependencies. To de-duplicate `yarn.lock`, run:
-
-```shell
-node_modules/.bin/yarn-deduplicate --list --strategy fewer yarn.lock && yarn install
-```
-
---
-
-> TODO: Add Dependencies
+<!-- This redirect file can be deleted after <2021-05-14>. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page -->
--- a/doc/development/new_fe_guide/index.md
+++ b/doc/development/new_fe_guide/index.md
@@ -13,10 +13,6 @@ This is a living document, and we welcome contributions, feedback, and suggestio

 Guidance on topics related to development.

-## [Dependencies](dependencies.md)
-
-Learn about all the dependencies that make up our frontend, including some of our own custom built libraries.
-
 ## [Modules](modules/index.md)

 Learn about all the internal JavaScript modules that make up our frontend.