Review feedback.

Signed-off-by: Harvey Tuch <htuch@google.com>

DEPENDENCY_POLICY.md

@@ -4,6 +4,11 @@ Envoy has an evolving policy on external dependencies, tracked at
 https://github.com/envoyproxy/envoy/issues/10471. This will become stricter over time, below we
 detail the policy as it currently applies.
 
+## External dependencies dashboard
+
+The list of external dependencies in Envoy with their current version is available at
+https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/external_deps
+
 ## Declaring external dependencies
 
 In general, all external dependencies for the Envoy proxy binary build and test should be declared
@@ -33,6 +38,8 @@ Dependency declarations must:
   and `urls` to reference the version. If you need to reference version `X.Y.Z` as `X_Y_Z`, this
   may appear in a string as `{underscore_version}`, similarly for `X-Y-Z` you can use
   `{dash_version}`.
+* Versions should prefer release versions over master branch GitHub SHA tarballs. A comment is
+  necessary if the latter is used.
 * Provide accurate entries for `use_category`. Please think carefully about whether there are data
   or control plane implications of the dependency.
 * CPEs are compulsory for all dependencies that are not purely build/test.
@@ -55,8 +62,8 @@ Pure developer tooling and documentation builds may reference Python via standal
 ## New external dependencies
 
 * Any new dependency on the Envoy data or control plane that impacts Envoy core (i.e. is not
-  specific to a single non-core extension) must be cleared with the OSS Envoy security team, please
-  file an issue and tag
+  specific to a single non-core extension) must be cleared with the Envoy security team, please file
+  an issue and tag
   [@envoyproxy/security-team](https://github.com/orgs/envoyproxy/teams/security-team). While policy
   is still [evolving](robust_to_untrusted_downstream_and_upstream), criteria that will be used in
   evaluation include:
@@ -82,6 +89,9 @@ basis:
 
 * Extension [CODEOWNERS](CODEOWNERS) should update extension specific dependencies.
 
+Where possible, we prefer the latest release version for external dependencies, rather than master
+branch GitHub SHA tarballs.
+
 ## Policy exceptions
 
 The following dependencies are exempt from the policy:

tools/protodoc/requirements.txt

@@ -1,12 +1 @@
-PyYAML==5.3.1 \
-    --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
-    --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
-    --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
-    --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
-    --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
-    --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
-    --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
-    --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
-    --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
-    --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
-    --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a
+PyYAML==5.3.1