Security Gates for new dependencies
### Problem to solve

We don't highlight the introduction of dependencies in Merge Requests.

### Intended users

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Further details

Introducing a new dependency in a project is a decision to balance wisely. Not only can the new dependency be incompatible with the project license, but it can also bring its own share of security and performance issues. GitLab also provides [dependency scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html) for vulnerabilities, [license compliance](https://docs.gitlab.com/ee/user/application_security/license_compliance/index.html) for checking licenses, and [guidelines for the development of GitLab itself](https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines).

Nevertheless, some users will want to be notified when new dependencies are introduced, and we can leverage the same process as the [security gates](https://gitlab.com/gitlab-org/gitlab-ee/issues/9928). This feature was mentioned during our AppSec Office Hours by @estrike.

### Proposal

If a group with the right name (`Dependency-Check`?) is added as part of the approvers, that group will need to approve the Merge Request if at least one dependency is introduced.

### Permissions and Security

To be defined.

### Documentation

Todo

### Testing

Todo

### What does success look like, and how can we measure that?

- New dependencies can't be added without the approval of the right people.
- New dependencies are not false alerts (https://gitlab.com/gitlab-org/gitlab-ee/issues/4913).

### What is the type of buyer?

~"GitLab Ultimate"

### Links / references

/cc @NicoleSchwartz
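The gate in the proposal only fires when a merge request introduces a dependency that the target branch did not already have, and the second success criterion asks that version bumps of existing packages not count as alerts. The following is an added illustration of that decision, written for this issue and not GitLab's implementation: it diffs the dependency manifests of the base and head revisions (here `requirements.txt` and `package.json`, with inline constructed contents) and reports only names that are new, which is the signal the `Dependency-Check` approver group would be asked to sign off on. The `gate_required` and `new_dependencies` function names, the manifest-to-parser table and the sample files are all assumptions made for the example.

```python
"""Hypothetical merge-request check: does this change introduce a *new* dependency?

Added example, not GitLab's implementation of the proposal. It compares the
dependency manifests of the target branch (base) and the source branch (head)
and reports only packages that did not exist before, so that version bumps of
existing packages do not trip the gate (the "no false alerts" criterion).
"""
import json
import re
from typing import Dict, Set

# Matches the package name at the start of a requirements.txt line:
# "name", "name==1.2", "name>=1,<2", "name[extra]==1.0".
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 style normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Set[str]:
    """Return the set of package names declared in a requirements.txt body."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop trailing comments
        if not line or line.startswith("-"):      # skip options such as -r, -e, --index-url
            continue
        m = _REQ_LINE.match(line)
        if m:
            names.add(normalize(m.group(1)))
    return names


def parse_package_json(text: str) -> Set[str]:
    """Return the set of dependency names in a package.json body (runtime + dev)."""
    data = json.loads(text)
    names = set()
    for section in ("dependencies", "devDependencies"):
        names.update(data.get(section, {}).keys())
    return names


# Hypothetical table of supported manifests; extend with lockfile parsers as needed.
PARSERS = {
    "requirements.txt": parse_requirements,
    "package.json": parse_package_json,
}


def new_dependencies(base_files: Dict[str, str], head_files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per manifest, the names present in head but absent from base.

    A manifest missing from base is treated as empty, so a newly added manifest
    reports all of its dependencies as new. File names without a parser are ignored.
    """
    added: Dict[str, Set[str]] = {}
    for path, parser in PARSERS.items():
        if path not in head_files:
            continue
        before = parser(base_files[path]) if path in base_files else set()
        after = parser(head_files[path])
        diff = after - before
        if diff:
            added[path] = diff
    return added


def gate_required(base_files: Dict[str, str], head_files: Dict[str, str]) -> bool:
    """True when the 'Dependency-Check' approver group must sign off on the MR."""
    return bool(new_dependencies(base_files, head_files))


# Constructed sample: the MR bumps requests, adds PyYAML, and adds lodash to package.json.
BASE = {
    "requirements.txt": "requests==2.25.0\nFlask>=1.1  # web\n",
    "package.json": json.dumps({"dependencies": {"express": "^4.17.1"}}),
}
HEAD = {
    "requirements.txt": "requests==2.26.0\nflask>=1.1\nPyYAML==5.4\n",
    "package.json": json.dumps({"dependencies": {"express": "^4.17.1", "lodash": "^4.17.21"}}),
}

if __name__ == "__main__":
    for path, names in new_dependencies(BASE, HEAD).items():
        print(f"{path}: new dependencies {sorted(names)}")
    print("Dependency-Check approval required:", gate_required(BASE, HEAD))
```

In the sample, the `requests` bump and the case change of `Flask` produce no alert; only `pyyaml` and `lodash` are reported, so the approval requirement is attached exactly when a new package enters the project.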