---
title: "Adding a Dependency"
url: https://develop.sentry.dev/sdk/getting-started/playbooks/development/adding-a-dependency/
---

# Adding a Dependency

This document uses key words such as "MUST", "SHOULD", and "MAY" as defined in [RFC 2119](https://www.ietf.org/rfc/rfc2119.txt) to indicate requirement levels.

Status: candidate

Version: `1.0.0` [(changelog)](https://develop.sentry.dev/sdk/getting-started/playbooks/development/adding-a-dependency.md#changelog)

## Overview

This playbook guides SDK maintainers through the process of adding a new dependency to an SDK repository. It covers justification requirements, health and security evaluation, approval workflows, and integration steps. By following these steps, teams ensure that dependencies are vetted for maintenance health, security posture, license compatibility, and performance impact before integration.

Related resources:

* [Dependency Management Standard](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#dependency-management) — dependency requirements and audit practices
* [SDK Size and Performance Budgets](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#size-performance-budgets) — size and performance tracking requirements
* [Security Practices](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#security-practices) — security requirements for dependencies

***

## Steps

#### 1. Open an issue first

Before writing any code, you **MUST** create an issue that describes what the dependency does and why the functionality cannot be built in-house or is not already covered by an existing dependency.

#### 2. Document in the issue

The issue **MUST** include documentation of the following:

* Maintenance health (last release date, number of maintainers, open issue count)
* Security posture (known vulnerabilities, audit history)
* License compatibility
* Size impact on the SDK (see [SDK size and performance budgets](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#size-performance-budgets))

#### 3. Get explicit approval

You **MUST** receive explicit approval from the team lead in the issue before writing any code.

#### 4. In the PR

When submitting the pull request, you **MUST**:

* Pin the dependency to a version range (not a floating `latest`)
* Add the dependency to dependency audit tracking
* Note the size/performance impact in the PR description

#### 5. Security review

You **SHOULD** use the [`sentry-skills:security-review`](https://github.com/getsentry/skills#available-skills) skill to evaluate the security implications of the new dependency.

#### 6. Reviewer must explicitly acknowledge the new dependency

The PR reviewer **MUST** explicitly acknowledge the new dependency, not just approve the PR overall. The review comment **MUST** confirm that the dependency was evaluated.

## Referenced Standards

* [Dependency Management](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#dependency-management) — requirements for adding and maintaining dependencies
* [SDK Size and Performance Budgets](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#size-performance-budgets) — size and performance budget tracking
* [Security Practices](https://develop.sentry.dev/sdk/getting-started/standards/code-quality.md#security-practices) — security requirements and vulnerability handling

***

## Changelog

| Version | Date       | Summary                              |
| ------- | ---------- | ------------------------------------ |
| `1.0.0` | 2026-02-20 | Initial Adding a Dependency playbook |
