dependencies: initial external dependency policy.

[htuch]

This will apply to all changes to external dependencies in future PRs.

Signed-off-by: Harvey Tuch htuch@google.com

[htuch]

CC @envoyproxy/maintainers @envoyproxy/security-team

[alyssawilk]

This is awesome - thanks for putting it together!

[alyssawilk]

We really only update deps when needed for security reasons correct? Generally if someone wants an upgrade due to some shiny new feature they have done the work and we review. Are you suggesting we change that, or think it's worth clarifying?

[htuch]

I think we usually update dependencies continuously; @moderation has been responsible for a lot of this, see history at https://github.com/envoyproxy/envoy/commits/master/bazel/repository_locations.bzl.

There has been some high profile upgrades that were not really plausible to do mechanically as they required code changes, e.g. http-parser, but these are more the exception than rule.

I reckon it's better to try and stick with latest release version. The rationale for this is:

• Many code improvements are made in projects that can impact security that fall below the threshold of CVE.
• Many projects don't have long-term support branches, e.g. if we were talking Linux kernel, maybe it's fine to live on 4.0.x as you know this will have active support for a significant period of time.
• For folks who operate monorepos (cough), other projects force dependencies to be brought forward in time.

The downside is we have more churn and less burn time for a given dependency version.

[mattklein123]

Thanks for putting this together. One small comment and I would suggest shipping and iterating.

[mattklein123]

Thanks!