Third Party Library Usage
The Development Practices section of the Add-ons Policies lists the requirements for the use of third-party libraries in add-ons.
In order for reviewers to verify that these requirements are met, you must provide links to the library source code as part of the AMO submission process. If you don't provide information about third-party libraries and the reviewer cannot evaluate your extension, it may be rejected.
If your extension uses minified, obfuscated or otherwise machine-generated first-party code, please see our requirements for that.
When must links for third-party libraries be provided?
When submitting a version to AMO, links to third-party libraries must be provided. You can add the links to the "Notes for Reviewers" section of your extension's details.
How to determine the third-party library link
You must provide links to the original copies of the files included in your extension and links to the readable source code for those files. For repositories or version-controlled files, please specify the link using the release tag that you’ve used. Note that non-release versions of third-party libraries are not accepted.
You should download third-party libraries from their official site, not from a CDN or other location. This point is important. Reviewers confirm that your code contains the original library using checksums, so the version in the extension must be identical to the official distribution. Unofficial sources often make small changes to a library’s files, such as whitespace changes, so the checksums don't match.
Example: If you’re using the minified version of mousetrap release 1.4.2 (because you haven’t had the chance to update to the latest version), the following links are incorrect.
https://craig.is/killing/mice — using the main website, which only shows the latest version.
https://github.com/ccampbell/mousetrap/blob/master/mousetrap.min.js — using the master branch, which may change anytime.
https://craig.global.ssl.fastly.net/js/mousetrap/mousetrap.min.js?71631 — using the link to a CDN, which could differ from the source.
The correct link is
https://github.com/ccampbell/mousetrap/blob/1.4.2/mousetrap.min.js
which links to the exact file, using the tag for the version.
Tip: If the library is on GitHub, you can usually find this version under the “releases” link, then click on the small tag icon next to the version number and navigate to the file in the repository.
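The checksum comparison described in this section can be run locally before submission. The following is an added example, not code from AMO or its reviewers; SHA-256 is an assumed algorithm (the page does not name one), and the function names and sample file contents are constructed for illustration.

```javascript
// Added example: check that a bundled library is byte-identical to the
// official release file, and classify the mismatch when it is not.
// Assumption: SHA-256; the page does not say which checksum reviewers use.
const nodeCrypto = require("crypto");

function sha256Hex(data) {
  return nodeCrypto.createHash("sha256").update(data).digest("hex");
}

// Undo the kind of edit the page mentions (whitespace changes) so that
// "same code, reformatted" can be told apart from "different code".
function normalizeWhitespace(text) {
  return text
    .replace(/\r\n?/g, "\n")   // CRLF or CR line endings -> LF
    .replace(/[ \t]+$/gm, "")  // trailing spaces and tabs on each line
    .replace(/\n+$/, "");      // trailing newlines at end of file
}

function compareToOfficial(bundled, official) {
  const bundledHash = sha256Hex(bundled);
  const officialHash = sha256Hex(official);
  if (bundledHash === officialHash) {
    return { status: "identical", bundledHash, officialHash };
  }
  const sameAfterNormalizing =
    normalizeWhitespace(bundled.toString("utf8")) ===
    normalizeWhitespace(official.toString("utf8"));
  return {
    // Either way the checksums differ, so the file must be replaced with the
    // official copy; the status only says what kind of difference was found.
    status: sameAfterNormalizing ? "whitespace-only-difference" : "content-differs",
    bundledHash,
    officialHash,
  };
}

// Constructed sample data standing in for a release file and two local copies.
const official = Buffer.from("(function(){var a=1;return a})();\n", "utf8");
const fromMirror = Buffer.from("(function(){var a=1;return a})();\r\n", "utf8");
const modified = Buffer.from("(function(){var a=2;return a})();\n", "utf8");

for (const [name, buf] of [["official", official], ["mirror", fromMirror], ["modified", modified]]) {
  const result = compareToOfficial(buf, official);
  console.log(name.padEnd(8), result.status, result.bundledHash.slice(0, 16));
}
```

In practice, read the two buffers with `fs.readFileSync` from the file shipped in the extension and from the file downloaded at the release tag you link to.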
Use of package managers
Extension developers can use package managers and package repositories like npm to retrieve third-party libraries.
With a default npm configuration, third-party library dependencies are declared in the project's package.json file: this qualifies as a third-party library link as previously described.
Reviewers must be able to retrieve and review all packages used by your extension. Therefore, the use of private packages or non-public registries is permissible but not recommended. If you use non-public dependencies, you must include the relevant node_modules sub-directories in your source code submission.
Communicating third-party library links to the reviewer
You can add the links to the “Notes for Reviewers” section of your extension’s details on AMO.
This section can be found under “Manage Status & Versions” for each version.
If you miss any of the necessary information for the third-party libraries you use, the reviewer will have to get in touch to request the missing items. This could delay the completion of your extension’s review or, in the worst case, result in your extension being taken down because we can't confirm it complies with the add-on policies.
Contributors: ChrisRoss5 One wesinator
Last update: wesinator