Additionally, all these dependencies run on the server, which makes them riskier: if one turns out to be malicious, it has direct access to customer data.
So here are the rules:
- Any new dependency needs to be thoroughly reviewed and approved.
- Dependencies must be hard pinned in Sentry's requirements file.
Note: If you need to add a dependency with a URL, you will have to place it with a range in Sentry and place the URL in getsentry's requirements. This is because we release sentry as a package on PyPI, and PyPI does not accept URLs.
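One way to enforce the pinning rule and catch URL dependencies in CI, as an added example (this is not Sentry's own tooling). The function name `check_requirements` and the sample requirements are constructed for illustration, and the parser assumes a simple file with one requirement per line.

```python
import re

# Exact pin: name, optional extras, "==", a version without wildcards,
# optionally followed by an environment marker after ";".
PINNED = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[A-Za-z0-9._,\s-]+\])?"
    r"\s*==\s*[A-Za-z0-9.!+_-]+\s*(;.*)?$"
)


def check_requirements(text):
    """Return (line_number, requirement, problem) for each rule violation."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()   # drop trailing comments
        line = line.split(" --", 1)[0].strip()  # drop per-line options (--hash=...)
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):  # pip options: -r, -c, --index-url, -e ...
            if line.startswith(("-e", "--editable")):
                problems.append((lineno, line, "editable install"))
            continue
        if "://" in line:  # "name @ https://...", git+https://..., bare URLs
            problems.append((lineno, line, "URL dependency"))
        elif not PINNED.match(line):
            problems.append((lineno, line, "not hard pinned with =="))
    return problems


# Constructed sample input, not Sentry's real requirements.
SAMPLE = """\
# constructed sample
requests==2.31.0
celery>=5.3
redis
django==5.*
urllib3[socks]==2.2.1 ; python_version >= "3.8"
examplepkg @ https://example.invalid/examplepkg-1.0.tar.gz
"""

if __name__ == "__main__":
    for lineno, req, problem in check_requirements(SAMPLE):
        print(f"line {lineno}: {req!r}: {problem}")
```

A range (`>=`), a bare name and a wildcard pin (`==5.*`) are all reported as unpinned, since none of them fixes a single version.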
If you have questions about dependencies, feel free to reach out to owners-python-build.