
Trim Go dependencies

Open awly opened this issue 4 years ago • 7 comments

problems

We're sitting on >500 Go module dependencies right now, with >500k lines of code.

Large dependency trees have problems:

  • binary size increase (teleport is 67MB)
  • risk of vulns (due to outdated dep versions or malicious dep takeover)
  • startup time penalty (teleport --help takes 15ms on average, and frequently up to 50ms on my machine), which affects our SSH login timing
  • a lot of overlap
  • transitive module version constraints make updates harder

solutions

To rein this in a bit, I suggest a few steps:

  • dedup dependencies like:
    • [x] github.com/google/uuid and github.com/pborman/uuid
    • [ ] github.com/ghodss/yaml and gopkg.in/yaml.v2
  • audit forks from github.com/gravitational
    • if upstream fixed the reason we created a fork, switch to upstream
    • if not, send upstream patch
  • if we use <50 LOC from a dependency, copy that code in and drop the dependency
  • scan through all deps, and if it's not obvious where teleport uses one (based on name), investigate why it's there
  • sort direct dependencies by the number of transitive dependencies they pull in, take the top 10 and see if they can be replaced by smaller alternatives

awly, Feb 24 '21 02:02
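The last step of the proposal, ranking direct dependencies by how much of the module graph they drag in, is mechanical enough to script. The program below is an added example written for this page; it is not part of Teleport or of the issue. It parses the `parent child` edge lines that `go mod graph` prints, then for each direct dependency of the main module walks the subgraph beneath it and counts the distinct module paths reached. The embedded graph is constructed sample input with made-up module paths (`example.com/app`, `github.com/c/cloud`, and so on); on a real checkout you would feed it the output of `go mod graph` instead.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is constructed sample input in the format `go mod graph`
// prints: one "parent child" edge per line, nodes written as path@version
// except for the main module, which carries no version. The module paths
// are made up for illustration and do not correspond to real modules.
const sampleGraph = `example.com/app github.com/a/uuid@v1.2.0
example.com/app github.com/b/yaml@v2.4.0
example.com/app github.com/c/cloud@v0.9.0
github.com/c/cloud@v0.9.0 github.com/d/http2@v1.0.0
github.com/c/cloud@v0.9.0 github.com/e/proto@v1.5.0
github.com/d/http2@v1.0.0 golang.org/x/net@v0.1.0
github.com/e/proto@v1.5.0 golang.org/x/net@v0.1.0
github.com/b/yaml@v2.4.0 golang.org/x/text@v0.3.0
`

// DepCount is one direct dependency and the number of distinct modules
// reachable through it.
type DepCount struct {
	Module     string
	Transitive int
}

// ParseModGraph builds an adjacency list keyed by the exact node string
// (path@version, or the bare path for the main module).
func ParseModGraph(text string) map[string][]string {
	edges := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	return edges
}

// modulePath strips the @version suffix so that a module required at
// several versions is counted once; the build only links one of them.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ReachableModules walks every edge below start and returns the number of
// distinct module paths it reaches, not counting start itself. Visited
// nodes are tracked by full path@version so cycles in the graph terminate.
func ReachableModules(edges map[string][]string, start string) int {
	visited := map[string]bool{start: true}
	paths := map[string]bool{}
	stack := []string{start}
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, child := range edges[n] {
			paths[modulePath(child)] = true
			if !visited[child] {
				visited[child] = true
				stack = append(stack, child)
			}
		}
	}
	delete(paths, modulePath(start))
	return len(paths)
}

// RankDirectDeps lists the main module's direct dependencies, heaviest
// transitive closure first, ties broken by module path.
func RankDirectDeps(edges map[string][]string, mainModule string) []DepCount {
	var out []DepCount
	for _, d := range edges[mainModule] {
		out = append(out, DepCount{modulePath(d), ReachableModules(edges, d)})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Transitive != out[j].Transitive {
			return out[i].Transitive > out[j].Transitive
		}
		return out[i].Module < out[j].Module
	})
	return out
}

func main() {
	// Against a real repo: run `go mod graph`, read its output into a string
	// and pass that instead of sampleGraph, with your module path as the root.
	for _, d := range RankDirectDeps(ParseModGraph(sampleGraph), "example.com/app") {
		fmt.Printf("%4d  %s\n", d.Transitive, d.Module)
	}
}
```

One caveat when reading the numbers: `go mod graph` prints the requirements of every module version that appears in the graph, not only the versions the build actually selects, so the counts are an upper bound on what ends up linked. They are still the right signal for the triage the issue proposes, since a dependency whose subgraph is large on paper is exactly the one worth checking with `go list -deps` and considering for replacement.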