expr icon indicating copy to clipboard operation
expr copied to clipboard
verified publisher icon expr-lang

EOL for pmezard/go-difflib dependency

Open anurag-deshpande opened this issue 1 year ago • 1 comments

[Problem Description] We are consuming github.com/expr-lang/expr v1.15.7, which is latest as of date. This package is scanned for security vulnerabilities and EOLs by blackduck scanner at our source.

The blackduck scanner has identified a Project EOL component, pmezard-go-difflib20190219-snapshot-5d4384ee , which is a transitive dependency of github.com/expr-lang/expr v1.15.7. This project is not maintained and thus EOLed much earlier.

[Request] We wish to consume all the dependencies which are non-EOLed, to maintain good coding practices. Can this EOLed component be updated by expr contributors or replaced with some alternative with similar functionality, to reduce the EOL risk?

Let me know if any more information is needed for this issue.

anurag-deshpande avatar Apr 02 '24 09:04 anurag-deshpande

Expr uses testify (tests only), and testify uses go-difflib.

Upstream issue: https://github.com/stretchr/testify/issues/1327

Will see what I can do about it.

antonmedv avatar Apr 02 '24 11:04 antonmedv

Upstream issue is stale. Will vendor testify.

antonmedv avatar May 07 '24 21:05 antonmedv