gitlab-org--gitlab-foss/doc/development/fe_guide/dependencies.md

---
stage: none
group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Frontend dependencies

We use [yarn@1](https://classic.yarnpkg.com/lang/en/) to manage frontend dependencies.

There are a few exceptions in the GitLab repository, stored in `vendor/assets/`.

## What are production and development dependencies?

These dependencies are defined in two groups within `package.json`, `dependencies` and `devDependencies`.
For our purposes, we consider anything that is required to compile our production assets a "production" dependency.
That is, anything required to run the `webpack` script with `NODE_ENV=production`.
Tools like `eslint`, `jest`, and various plugins and tools used in development are considered `devDependencies`.
This distinction is used by omnibus to determine which dependencies it requires when building GitLab.

Exceptions are made for some tools that we require in the
`compile-production-assets` CI job such as `webpack-bundle-analyzer` to analyze our
production assets post-compile.

## Updating dependencies

We use the [Renovate GitLab Bot](https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot) to
automatically create merge requests for updating dependencies of several projects.
You can find the up-to-date list of projects managed by the renovate bot in the project's README.

Some key dependencies updated using renovate are:

- [`@gitlab/ui`](https://gitlab.com/gitlab-org/gitlab-ui)
- [`@gitlab/svgs`](https://gitlab.com/gitlab-org/gitlab-svgs)
- [`@gitlab/eslint-plugin`](https://gitlab.com/gitlab-org/frontend/eslint-plugin)
- And any other package in the `@gitlab/` scope

We have the goal of updating [_all_ dependencies with renovate](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21).

Updating dependencies automatically has several benefits, have a look at this [example MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53613).

- MRs will be created automatically when new versions are released
- MRs can easily be rebased and updated with just checking a checkbox in the MR description
- MRs contain changelog summaries and links to compare the different package versions
- MRs can be assigned to people directly responsible for the dependencies

### Community contributions updating dependencies

It is okay to reject Community Contributions that solely bump dependencies.
Simple dependency updates are better done automatically for the reasons provided above.
If a community contribution needs to be rebased, runs into conflicts, or goes stale, the effort required
to instruct the contributor to correct it often outweighs the benefits.

If a dependency update is accompanied with significant migration efforts, due to major version updates,
a community contribution is acceptable.

Here is a message you can use to explain to community contributors as to why we reject simple updates:

```markdown
Hello CONTRIBUTOR!

Thank you very much for this contribution. It seems like you are doing a "simple" dependency update.

If a dependency update is as simple as increasing the version number, we'd like a Bot to do this to save you and ourselves some time.

This has certain benefits as outlined in our <a href="https://docs.gitlab.com/ee/development/fe_guide/dependencies.html#updating-dependencies">Frontend development guidelines</a>.

You might find that we do not currently update DEPENDENCY automatically, but we are planning to do so in [the near future](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21).

Thank you for understanding, I will close this Merge Request.
/close
```

### Blocked dependencies

We discourage installing some dependencies in [GitLab repository](https://gitlab.com/gitlab-org/gitlab) because they can create conflicts in the dependency tree.
Blocked dependencies are declared in the `blockDependencies` property of the GitLab [`package.json`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/package.json).

## Dependency notes

### BootstrapVue

[BootstrapVue](https://bootstrap-vue.org/) is a component library built with Vue.js and Bootstrap.
We wrap BootstrapVue components in [GitLab UI](https://gitlab.com/gitlab-org/gitlab-ui/) with the
purpose of applying visual styles and usage guidelines specified in the
[Pajamas Design System](https://design.gitlab.com/). For this reason, we recommend not installing
BootstrapVue directly in the GitLab repository. Instead create a wrapper of the BootstrapVue
component you want to use in GitLab UI first.
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00			`---`
			`stage: none`
			`group: unassigned`
Add latest changes from gitlab-org/gitlab@master 2020-11-26 01:09:20 -05:00			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00			`---`

Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00			`# Frontend dependencies`

Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			`We use [yarn@1](https://classic.yarnpkg.com/lang/en/) to manage frontend dependencies.`
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			There are a few exceptions in the GitLab repository, stored in `vendor/assets/`.
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			`## What are production and development dependencies?`

			These dependencies are defined in two groups within `package.json`, `dependencies` and `devDependencies`.
			`For our purposes, we consider anything that is required to compile our production assets a "production" dependency.`
			That is, anything required to run the `webpack` script with `NODE_ENV=production`.
			Tools like `eslint`, `jest`, and various plugins and tools used in development are considered `devDependencies`.
			`This distinction is used by omnibus to determine which dependencies it requires when building GitLab.`
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			`Exceptions are made for some tools that we require in the`
			`compile-production-assets` CI job such as `webpack-bundle-analyzer` to analyze our
Add latest changes from gitlab-org/gitlab@master 2021-03-08 10:08:54 -05:00			`production assets post-compile.`
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00
			`## Updating dependencies`
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
			`We use the [Renovate GitLab Bot](https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot) to`
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			`automatically create merge requests for updating dependencies of several projects.`
Add latest changes from gitlab-org/gitlab@master 2021-03-17 11:09:03 -04:00			`You can find the up-to-date list of projects managed by the renovate bot in the project's README.`
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00
			`Some key dependencies updated using renovate are:`
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-09-22 11:09:37 -04:00			- [`@gitlab/ui`](https://gitlab.com/gitlab-org/gitlab-ui)
			- [`@gitlab/svgs`](https://gitlab.com/gitlab-org/gitlab-svgs)
			- [`@gitlab/eslint-plugin`](https://gitlab.com/gitlab-org/frontend/eslint-plugin)
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			- And any other package in the `@gitlab/` scope

			`We have the goal of updating [_all_ dependencies with renovate](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21).`

			`Updating dependencies automatically has several benefits, have a look at this [example MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53613).`

			`- MRs will be created automatically when new versions are released`
			`- MRs can easily be rebased and updated with just checking a checkbox in the MR description`
			`- MRs contain changelog summaries and links to compare the different package versions`
			`- MRs can be assigned to people directly responsible for the dependencies`

			`### Community contributions updating dependencies`

			`It is okay to reject Community Contributions that solely bump dependencies.`
			`Simple dependency updates are better done automatically for the reasons provided above.`
			`If a community contribution needs to be rebased, runs into conflicts, or goes stale, the effort required`
			`to instruct the contributor to correct it often outweighs the benefits.`

			`If a dependency update is accompanied with significant migration efforts, due to major version updates,`
			`a community contribution is acceptable.`

			`Here is a message you can use to explain to community contributors as to why we reject simple updates:`

			```markdown
			`Hello CONTRIBUTOR!`

			`Thank you very much for this contribution. It seems like you are doing a "simple" dependency update.`

			`If a dependency update is as simple as increasing the version number, we'd like a Bot to do this to save you and ourselves some time.`

			`This has certain benefits as outlined in our <a href="https://docs.gitlab.com/ee/development/fe_guide/dependencies.html#updating-dependencies">Frontend development guidelines</a>.`

			`You might find that we do not currently update DEPENDENCY automatically, but we are planning to do so in [the near future](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21).`

			`Thank you for understanding, I will close this Merge Request.`
			`/close`
			```
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
			`### Blocked dependencies`

Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			`We discourage installing some dependencies in [GitLab repository](https://gitlab.com/gitlab-org/gitlab) because they can create conflicts in the dependency tree.`
			Blocked dependencies are declared in the `blockDependencies` property of the GitLab [`package.json`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/package.json).
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00
			`## Dependency notes`

			`### BootstrapVue`

Add latest changes from gitlab-org/gitlab@master 2020-06-04 17:08:11 -04:00			`[BootstrapVue](https://bootstrap-vue.org/) is a component library built with Vue.js and Bootstrap.`
Add latest changes from gitlab-org/gitlab@master 2020-03-02 10:08:01 -05:00			`We wrap BootstrapVue components in [GitLab UI](https://gitlab.com/gitlab-org/gitlab-ui/) with the`
			`purpose of applying visual styles and usage guidelines specified in the`
			`[Pajamas Design System](https://design.gitlab.com/). For this reason, we recommend not installing`
			`BootstrapVue directly in the GitLab repository. Instead create a wrapper of the BootstrapVue`
			`component you want to use in GitLab UI first.`