So you got a SharePoint Framework package to deploy in your tenant
You're about to deploy a SharePoint Framework solution package to your tenant. Before you do, have you considered what's inside?
SharePoint Framework primer
SharePoint Framework is the recommended model for extending SharePoint. While SharePoint Framework extensions work currently only in modern sites, client-side web parts built using the SharePoint Framework can be used in both classic and modern sites.
What you should know before deploying a SharePoint Framework solution in your tenant
Because SharePoint Framework solutions have unrestricted access to the information and APIs in your tenant on behalf of the current user, there are some important questions that you should answer, before deploying the solution in your tenant.
What does the solution truly do
Along with the solution package you might have received documentation describing the solution. But have you verified if the documentation is complete and up-to-date and if there have been no last-minute changes to the solution that aren't included in the documentation?
Depending on what the solution does, your organization might have a different way of handling it. Maybe even it doesn't allow certain solutions to be used in specific sites. Just because the documentation says, that the solution does or doesn't do something, it doesn't mean it's true.
Where is the solution hosted
Developers building SharePoint Framework solutions can choose whether they want to include scripts inside the solution package or not. If they do, when you deploy the package to your app catalog, these scripts will be copied to a document library in your tenant. But if they don't, then it means that the scripts are hosted elsewhere and that leads to a number of additional questions.
Who owns the hosting location
Is the server, where the script files are hosted, owned by your organization or is it owned by developers? Is the continuity of this hosting location guaranteed or will you wake up one day to an email saying that one or more web parts are broken?
Under which circumstances could the source code change
SharePoint Framework scripts have unrestricted access to your tenant. This is why you need to be able to ensure their integrity. Under what circumstances could the source code of the deployed files change? Who has access to the files and could the files be changed without an official process? Is this in agreement with your organizational policies?
What is the SLA of the hosting location
If SharePoint Framework solutions are hosted outside of SharePoint, then it's possible that the hosting location doesn't meet the same SLA as SharePoint. This could lead to planned outage of some components on your intranet during the working hours.
Can the solution be deployed globally
Based on the contents of the solution, developers can decide to support tenant-wide deployment or not. When a SharePoint Framework solution supports tenant-wide deployment, it can be deployed to all sites at once. This alleviates you from having to manually deploy the solution to all sites and keeping track of where the solution is deployed. If the solution needs to provision some resources that it needs to function properly, like lists or content types, you might have to deploy it on each site separately.
Does it require access to APIs
When building SharePoint Framework solutions, developers can specify that the solution requires access to resources secured with Azure Active Directory. These resources can be Microsoft APIs, like the Microsoft Graph, or enterprise applications owned by your organization. When deploying a package that requests access to APIs, you will be prompted to visit the SharePoint administration page and either approve or reject these requests. There are two caveats that you should consider.
First of all, just because a solution doesn't request permissions to access any APIs, it doesn't mean it's not using them. Solution's code and the permissions it requests are two separate things not related to each other.
Once you approve a permission requested by a solution, that permission is granted to all scripts in your tenant: both scripts deployed through SharePoint Framework packages as well as all arbitrary scripts that your users might embed on their pages. This is why you should be very careful what APIs you allowed to be used in your tenant.
Is there anyone in the organization who knows this library
What is the SLA of this hosting location
What is the license of this library
Are there any known vulnerabilities
Photo by Bench Accounting on Unsplash