Drop outdated/abandoned dependencies #1589

remycx · 2024-04-16T13:43:30Z

Description

https://github.com/pmezard/go-difflib : as quoted, "THIS PACKAGE IS NO LONGER MAINTAINED." ; code hasn't evolved in 9 years.
https://github.com/davecgh/go-spew : hasn't been touched in 6 years.

Removing old & dangerous code would lead to a cleaner codebase.

Proposed solution

Use case

Reduce the dependency on outdated & abandoned repositories, to improve the safety of the library, and the potential supply chain attacks.

dolmen · 2024-04-23T09:48:52Z

Easy to say. But what concrete solution do you suggest? Did you have a look at existing issues?

dolmen · 2024-04-23T12:34:34Z

@remycx Note also that I have proposed #1579 to unlink Testify from gopkg.in/yaml.v3 (which is as unmaintained as the 2 other dependencies mentioned here, and is, in my opinion, a much higher security risk, not for Testify but for the Go ecosystem in general). Your opinion and review of that PR would be welcome.

remycx added the enhancement label Apr 16, 2024

dolmen added dependencies Pull requests that update a dependency file and removed enhancement labels Apr 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Drop outdated/abandoned dependencies #1589

Drop outdated/abandoned dependencies #1589

remycx commented Apr 16, 2024

dolmen commented Apr 23, 2024 •

edited

dolmen commented Apr 23, 2024

Drop outdated/abandoned dependencies #1589

Drop outdated/abandoned dependencies #1589

Comments

remycx commented Apr 16, 2024

Description

Proposed solution

Use case

dolmen commented Apr 23, 2024 • edited

dolmen commented Apr 23, 2024

dolmen commented Apr 23, 2024 •

edited