ff icon indicating copy to clipboard operation
ff copied to clipboard
verified publisher icon peterbourgon

Reduce dependency graph by bumping dependencies

Open cbandy opened this issue 4 months ago • 3 comments

Updating these two direct dependencies reduces the number of indirect dependencies to almost zero. The gopkg.in/yaml.v2 module has moved to go.yaml.in/yaml/v2 and is now maintained by the YAML organization on GitHub.

Fixes: #154 See: https://www.github.com/pelletier/go-toml/issues/872 See: https://www.github.com/yaml/go-yaml/discussions/11

cbandy avatar Aug 28 '25 02:08 cbandy 

$ (main) go mod graph | wc -l
23
$ (fewer-deps) go mod graph | wc -l
6

cbandy avatar Aug 28 '25 02:08 cbandy

I'm happy to dig into this but just to be clear "the number of indirect dependencies" is not a number that needs to be optimized for 😇 The ff module and its deps is always imported by something else, those importers will specify transitive dep versions as they require, and it is those end-user go.mods which dictate the ultimate compilation graph, not anything in ff itself.

peterbourgon avatar Aug 28 '25 18:08 peterbourgon

True! I find things like this help with unsophisticated scanners in my day job: licenses, vulnerabilities, and such.

Certainly no urgency from me on this. 👍🏻

cbandy avatar Aug 28 '25 23:08 cbandy