Third-party library policy

Configured Commerce supports a standard set of third-party libraries that fulfill common requirements such as SFTP and XML parsing. By standardizing on a finite set of libraries, Optimizely mitigates the risk of binary incompatibility from conflicting libraries and reduces the security risk of unsupported libraries. Packages outside the allowedLibraries.txt allow list should not be referenced or included in any deployments to Configured Commerce.

📘

Note

This policy does not apply to Spire NPM packages included in partner/customer builds; inclusion of Spire 3rd party libraries is at the discretion of the implementer and is unrestricted within Configured Commerce. See Install third-party NPM packages for information.

To meet requirements, periodic additions to this list are expected, and Optimizely welcomes suggestions on what libraries to include. This is the process for requesting a package to be added to the list:

1. Review the allowedLibraries.json file from the insite-commerce-cloud Git repository. Currently, the file is saved to /src/tools/PowerShellScripts.
2. Confirm that the desired package is not in the whitelist and that no other libraries listed there are good substitutes.
3. Submit an enhancement request at https://feedback.optimizely.com/. Under Configured Commerce, there is a section called Third-party Library Allow Listing.

Optimizely evaluates the request based on a few criteria, such as:

• The desired package is important to the success of the project.
• None of the existing allowed packages meet the needed requirements.
• The package appears to have sufficient backing to be maintained and secure going forward.
• The requirement is best met by a third-party library rather than a base code change.

If approved, the change to the whitelist is scheduled for release.

📘

Note

The simplest way to include a new JavaScript (JS) library is to use a CDN, if available. You can include a JS library in the theme, but you must include any dependencies.