# Dependency Management
KiCad MCP Pro uses reviewable dependency declarations, lockfiles, audit jobs, and pinned release infrastructure to reduce supply-chain risk.
## Dependency sources

| Ecosystem | Primary files | Policy |
|---|---|---|
| Python | pyproject.toml, uv.lock | Use uv lockfiles and review dependency updates through pull requests. |
| Node / npm / pnpm | package.json, pnpm-lock.yaml, package-level lockfiles | Use lockfiles and Corepack-managed package managers. |
| Docker | Dockerfile | Pin base images by digest and avoid unpinned package-manager bootstrap steps. |
| GitHub Actions | .github/workflows/*.yml | Pin third-party Actions to full commit SHAs and keep job permissions minimal. |
| Rust / Tauri | Cargo manifests and lockfiles where present | Keep generated lockfiles under version control when used for release artifacts. |
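The two pinning rules in the table (full commit SHAs for third-party Actions, digests for Docker base images) are the kind of thing a dependency audit script can check mechanically. The following is an added example written for this page, not a script from the KiCad MCP Pro repository; the workflow and Dockerfile it scans are constructed inline, and the SHA and digest in them are placeholders rather than real commits or images.

```python
"""Pinning audit: flag GitHub Actions `uses:` steps that are not pinned to a full
commit SHA, and Dockerfile FROM lines that are not pinned to an image digest."""
import re
from typing import List

# `uses: owner/repo[/path]@ref`; local `./...` actions and `docker://` refs never match.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `FROM [--platform=...] image [AS alias]`; aliases of earlier stages are not images.
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.M | re.I)


def unpinned_actions(workflow_yaml: str) -> List[str]:
    """Return 'owner/repo@ref' for every third-party Action whose ref is not a 40-hex SHA."""
    return [
        f"{action}@{ref}"
        for action, ref in _USES_RE.findall(workflow_yaml)
        if not _FULL_SHA_RE.match(ref)
    ]


def unpinned_base_images(dockerfile: str) -> List[str]:
    """Return every FROM image reference that is neither digest-pinned nor a stage alias."""
    aliases, findings = set(), []
    for image, alias in _FROM_RE.findall(dockerfile):
        if image.lower() != "scratch" and image not in aliases and "@sha256:" not in image:
            findings.append(image)
        if alias:
            aliases.add(alias)
    return findings


# Constructed inputs: the SHA and digest below are placeholders, not real commits or images.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # full SHA: ok
      - uses: actions/setup-node@v4                                      # mutable tag
      - uses: ./.github/actions/local-step                                # local: skipped
      - uses: pnpm/action-setup@main                                      # mutable branch
"""
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine AS builder
FROM --platform=linux/amd64 python:3.12-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM builder AS final
"""

if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("unpinned images: ", unpinned_base_images(SAMPLE_DOCKERFILE))
```

Running it on the constructed inputs reports the two Actions referenced by tag or branch and the one base image referenced by tag only; the digest-pinned image and the `builder` stage alias are not flagged.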
## Update process
- Open a focused PR for dependency updates.
- Explain the dependency source, package name, version change, and reason.
- Run CI, security checks, tests, and relevant package builds.
- Review changelogs for breaking changes, licensing changes, and known vulnerabilities.
- Regenerate lockfiles and release metadata when required.
- Merge only after required checks pass.
## Vulnerability monitoring
The repository uses GitHub Dependabot, dependency audit scripts, CodeQL, Gitleaks, Trivy, and Scorecard. Security-sensitive updates should be prioritized according to SECURITY.md.
## Vendoring and generated code
Vendored code and generated artifacts should be avoided unless there is a clear release or interoperability reason. If unavoidable, document:
- upstream source and version;
- license;
- update procedure;
- verification command;
- reason the dependency cannot be consumed through normal package management.
## Release dependency evidence
Release workflows should produce SBOMs, checksums, and provenance evidence when supported by the artifact class. See ../security/release-security.md and ../security/release-integrity.md.