Remove old dependencies
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
- [x] I'd be willing to implement this feature (contributing guide)
Describe the user story
There are a lot of dependencies that may not be needed. Some dependencies are years old and could be vulnerable. The fewer dependencies, the less risk.
Describe the solution you'd like
It would be good to audit our dependencies and find ones that could be easily replaced or removed. We should use non-forks if possible unless there is a good reason to use a fork.
It would also be good to scrutinize new PRs with additional dependencies to ensure we do not unnecessarily increase our exposure. For example, we should never use a dependency that is a fork or archived, possibly abandoned, not widely used, has old dependencies, or open security issues.
List of current dependencies https://github.com/runatlantis/atlantis/network/dependencies
Some old dependencies from a cursory look
Analyzing these will simplify dependency management via Renovate's dashboard https://github.com/runatlantis/atlantis/issues/2818
Direct
archived
- [x] https://github.com/golang/exp
- this whole dependency is for deprecated packages. We should remove it if possible
- resolved by #3085
- [ ] dec 2020 - archived - https://github.com/pkg/errors
- https://github.com/pkg/errors/issues/245
- replace with the standard library errors package
no longer archived
- https://github.com/gorilla/mux
- https://github.com/gorilla/mux/issues/659
- https://github.com/gorilla/websocket
old
- [x] https://github.com/petergtz/pegomock
- we use 3.x - 2023
- latest is 4.x - 2023
- https://github.com/runatlantis/atlantis/pull/3515
- https://github.com/runatlantis/atlantis/pull/3534
- [x] https://github.com/uber-go/tally
- we use 3.x
- latest is 4.x
- https://github.com/uber-go/tally/releases/tag/v4.1.7
- upgrading removes the need for https://github.com/runatlantis/atlantis/pull/2813
- ~jul 2021 - https://github.com/spf13/pflag~
- drop in replacement for go flags
- there isn't really an alternative here
- [x] apr 2020 - we're using 2 versions of the same github package
- github.com/google/go-github/v31/github
- github.com/google/go-github/v48/github
- resolved by https://github.com/runatlantis/atlantis/pull/2839
- [x] feb 2020 - fork - https://github.com/nlopes/slack
- issue https://github.com/runatlantis/atlantis/issues/2667
- slack client
- latest non-fork is 2022
- resolved by https://github.com/runatlantis/atlantis/pull/2669
- [x] jan 2019 - https://github.com/mitchellh/go-homedir
- resolved: even though it's old, it doesn't use any dependencies, so nothing needs to be updated
- [x] 2015 - archived fork - https://github.com/flynn-archive/go-shlex
- dec 2019 - no deps - https://github.com/google/shlex
- resolved by https://github.com/runatlantis/atlantis/pull/2840
For testing
These do not get compiled with Atlantis
- [x] aug 2018 - https://github.com/davecgh/go-spew
- deep pretty printer
- alternate from 2022 https://github.com/kr/pretty
- resolved by #3108
- [x] moby/moby
- resolved by #3106
Indirect
These come from other dependencies and need to be analyzed to find the direct source
https://stackoverflow.com/a/68927825/2965993
- [ ] nov 2021 - https://github.com/benbjohnson/clock
- [ ] mar 2021 - https://github.com/asaskevich/govalidator
- [ ] feb 2021 - https://github.com/apparentlymart/go-textseg
- grapheme cluster unicode text algorithm
- alternative from 2022 https://github.com/rivo/uniseg
- [ ] oct 2020 - https://github.com/agext/levenshtein
- [ ] aug 2020 - https://github.com/dgryski/go-rendezvous
- rendezvous hashing
- [ ] may 2020 - fork - https://github.com/alicebob/gopher-json
- latest non-fork is nov 2020
- [ ] jul 2019 - fork - https://github.com/beorn7/perks
- latest non-fork is sep 2022
- [ ] jun 2019 - archived - https://github.com/gorilla/css
- a css3 tokenizer
- [ ] mar 2018 - https://github.com/aymerick/douceur
- css parser
- alternative from 2022 https://github.com/napsy/go-css
- [ ] 2014 - fork - https://github.com/bgentry/go-netrc
- netrc parser
- latest non-fork is 2016
- alternate from 2022 https://github.com/jdxcode/netrc
Some tools that may be useful
- https://github.com/google/osv-scanner
- https://github.com/resotto/gochk
- https://github.com/loov/goda
- https://pkg.go.dev/github.com/Helcaraxan/gomod
- https://stackoverflow.com/a/68927825/2965993
Here are all the go.mod code references sorted in ascending order
grep -v indirect go.mod | grep -v ^module | grep github.com | awk '{ print $1 }' | sort | uniq | while read -r dep; do echo "$(grep -rF "$dep" --include='*.go' . | wc -l):$dep"; done | sort -n
1:github.com/Masterminds/sprig/v3
1:github.com/agext/levenshtein
1:github.com/alicebob/miniredis/v2
1:github.com/bradleyfalzon/ghinstallation/v2
1:github.com/briandowns/spinner
1:github.com/cactus/go-statsd-client/v5
1:github.com/go-test/deep
1:github.com/golang-jwt/jwt/v5
1:github.com/hashicorp/go-getter/v2
1:github.com/kr/pretty
1:github.com/microcosm-cc/bluemonday
1:github.com/mitchellh/colorstring
1:github.com/redis/go-redis/v9
1:github.com/remeh/sizedwaitgroup
1:github.com/spf13/pflag
1:github.com/warrensbox/terraform-switcher
2:github.com/google/shlex
2:github.com/hashicorp/terraform-config-inspect
2:github.com/mohae/deepcopy
2:github.com/shurcooL/githubv4
2:github.com/urfave/negroni/v3
3:github.com/gorilla/websocket
3:github.com/hashicorp/go-multierror
3:github.com/hashicorp/hcl/v2
3:github.com/moby/patternmatcher
3:github.com/spf13/viper
4:github.com/go-playground/validator/v10
4:github.com/mitchellh/go-homedir
5:github.com/google/uuid
5:github.com/spf13/cobra
6:github.com/slack-go/slack
7:github.com/gorilla/mux
13:github.com/mcdafydd/go-azuredevops
13:github.com/stretchr/testify
14:github.com/xanzy/go-gitlab
16:github.com/go-ozzo/ozzo-validation
23:github.com/uber-go/tally/v4
26:github.com/google/go-github/v53
53:github.com/pkg/errors
60:github.com/hashicorp/go-version
227:github.com/petergtz/pegomock/v3
Describe the drawbacks of your solution
Potential breakage of the app unless proper unit and integration test coverage is there.
Describe alternatives you've considered
None
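The "Indirect" list above says each entry needs to be analyzed to find the direct dependency that pulls it in. The following is an added example, not code from this issue or from Atlantis, that does that offline by parsing the output format of go mod graph (one "from to" pair per line, versions attached to every node except the main module). The main module name github.com/example/app, the module versions and the edges in sampleGraph are constructed for illustration; on a real checkout you would feed it the actual go mod graph output instead. DirectSources answers "which of my direct requirements cause this module to be in the build list", and Path reconstructs one require chain, which is the same information go mod why -m prints.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// mainModule is the module whose go.mod is being audited (assumed name).
const mainModule = "github.com/example/app"

// sampleGraph is a constructed excerpt in the format `go mod graph` prints.
// The edges and versions are illustrative only, not Atlantis' real graph.
const sampleGraph = `
github.com/example/app github.com/gorilla/mux@v1.8.0
github.com/example/app github.com/microcosm-cc/bluemonday@v1.0.24
github.com/example/app github.com/redis/go-redis/v9@v9.0.5
github.com/microcosm-cc/bluemonday@v1.0.24 github.com/aymerick/douceur@v0.6.0
github.com/microcosm-cc/bluemonday@v1.0.24 github.com/gorilla/css@v1.0.0
github.com/aymerick/douceur@v0.6.0 github.com/gorilla/css@v1.0.0
github.com/redis/go-redis/v9@v9.0.5 github.com/dgryski/go-rendezvous@v0.0.0-20200823014737-9f7001d12a5f
`

// Graph maps a module path to the module paths it requires. Versions are
// stripped so that several required versions of one module become one node.
type Graph map[string][]string

// modulePath drops the "@version" suffix go mod graph attaches to nodes.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ParseGraph builds a Graph from `go mod graph` output.
func ParseGraph(out string) Graph {
	g := Graph{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		from, to := modulePath(fields[0]), modulePath(fields[1])
		g[from] = append(g[from], to)
	}
	return g
}

// Path returns one shortest require chain from start to target (breadth-first),
// or nil when target is not reachable. A chain of length 1 means start == target.
func Path(g Graph, start, target string) []string {
	parent := map[string]string{start: ""}
	queue := []string{start}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n == target {
			var path []string
			for cur := n; cur != ""; cur = parent[cur] {
				path = append([]string{cur}, path...)
			}
			return path
		}
		for _, next := range g[n] {
			if _, ok := parent[next]; !ok {
				parent[next] = n
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// DirectSources lists the direct requirements of main through which indirect
// is (transitively) pulled in, sorted and de-duplicated. If indirect is itself
// a direct requirement it is reported as its own source.
func DirectSources(g Graph, main, indirect string) []string {
	seen := map[string]bool{}
	var out []string
	for _, direct := range g[main] {
		if seen[direct] {
			continue
		}
		seen[direct] = true
		if Path(g, direct, indirect) != nil {
			out = append(out, direct)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	g := ParseGraph(sampleGraph)
	for _, m := range []string{"github.com/gorilla/css", "github.com/dgryski/go-rendezvous"} {
		fmt.Printf("%s\n  via direct: %v\n  chain: %s\n",
			m, DirectSources(g, mainModule, m), strings.Join(Path(g, mainModule, m), " -> "))
	}
}
```

With the constructed graph, gorilla/css is reported as coming in only through microcosm-cc/bluemonday (via the shortest chain app -> bluemonday -> gorilla/css, even though douceur also requires it), which is the information you need to decide whether the indirect entry goes away when the direct one is replaced. Replacing the constant with the real graph (go mod graph piped into a reader) is the only change needed for a live repository.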
This is very nice!!
Shameless plug: as an alternative to https://github.com/pkg/errors, you can switch to drop-in replacement gitlab.com/tozd/go/errors. It fixes many issues, is maintained, and supports modern Go's error patterns (sentinel errors, %w formatting, joined errors, etc.). It also provides some nice utility functions and structured details so that it is easy to extract dynamic data out of errors (instead of trying to get them out of formatted strings). Has improved error formatting and JSON marshaling of errors. It is interoperable with other errors packages and does not require a dependency on itself to extract data (e.g., stack trace) from errors.
@mitar what about just the errors package? How does it compare?
I'm hesitant to push this project to replace an archived dependency for one that's uncommonly used (judging by project stars)
@nitrocode I completely understand. But it is a bit of chicken & egg problem. :-)
I think the question for you is if you need/want stack traces or not. If you do, then this package provides almost the same API as the standard errors package, but with stack traces (see here for details). Also using this package and in the future (hopefully once stdlib gets stack traces) moving to errors should also be easy as my package provides compatible API. Of course, if you find additional helper functions it provides as well, for common patterns, useful, then you can use them as well.
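As an added example of what the checklist item "replace pkg/errors with the standard library errors package" and the stack-trace question in the comment above amount to in practice (this is not code from the issue, from Atlantis, or from either commenter's package): the pkg/errors calls that a Go code base typically uses are Wrap/Wrapf, Cause and type assertions on Cause. The standard library equivalents are fmt.Errorf with %w, errors.Is, errors.As and errors.Unwrap. The sentinel ErrNotFound, the PermissionError type and the readFile stub are constructed for the example. What the standard library does not give you is the stack trace that errors.WithStack/Wrap attached, which is the trade-off the comment above describes.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed errors for the example; not from the Atlantis code base.
var ErrNotFound = errors.New("not found")

// PermissionError stands in for a typed error that callers match on.
type PermissionError struct{ Op, Path string }

func (e *PermissionError) Error() string { return e.Op + " " + e.Path + ": permission denied" }

// readFile is a stub for the I/O layer; the failures depend on the path.
func readFile(path string) error {
	switch path {
	case "missing.yaml":
		return ErrNotFound
	case "locked.yaml":
		return &PermissionError{Op: "open", Path: path}
	}
	return nil
}

// loadConfig is the wrapping call site.
//   pkg/errors: return errors.Wrapf(err, "loading config %q", path)
//   stdlib:     return fmt.Errorf("loading config %q: %w", path, err)
// The %w verb keeps the wrapped error reachable by errors.Is/As/Unwrap;
// %v would flatten it to a string and break the checks below.
func loadConfig(path string) error {
	if err := readFile(path); err != nil {
		return fmt.Errorf("loading config %q: %w", path, err)
	}
	return nil
}

// startup adds a second layer of wrapping, as real call chains do.
func startup(path string) error {
	if err := loadConfig(path); err != nil {
		return fmt.Errorf("startup: %w", err)
	}
	return nil
}

// Cause replaces pkg/errors' errors.Cause: follow Unwrap to the innermost
// error. Caveat: errors.Unwrap returns nil for errors.Join results (they
// implement Unwrap() []error), so Cause stops at a joined error, whereas
// errors.Is and errors.As do look inside it.
func Cause(err error) error {
	for {
		next := errors.Unwrap(err)
		if next == nil {
			return err
		}
		err = next
	}
}

// Classify shows the matching call sites.
//   pkg/errors: errors.Cause(err) == ErrNotFound
//               if pe, ok := errors.Cause(err).(*PermissionError); ok { ... }
//   stdlib:     errors.Is(err, ErrNotFound) / errors.As(err, &pe)
// Is and As walk the whole %w chain, so they work at any wrapping depth.
func Classify(err error) string {
	if err == nil {
		return "ok"
	}
	if errors.Is(err, ErrNotFound) {
		return "not-found"
	}
	var pe *PermissionError
	if errors.As(err, &pe) {
		return "permission:" + pe.Path
	}
	return "other"
}

func main() {
	for _, p := range []string{"ok.yaml", "missing.yaml", "locked.yaml"} {
		err := startup(p)
		fmt.Printf("%-12s %-24s cause=%v\n  err=%v\n", p, Classify(err), Cause(err), err)
	}
}
```

The mechanical part of such a migration is a search-and-replace of Wrap/Wrapf with fmt.Errorf("...: %w"), Cause with errors.Is/errors.As at comparison sites, and the 53 references counted in the grep output above are the places to check. The non-mechanical part is deciding whether any of those sites relied on the stack trace being printed with %+v, because after the switch only the message chain remains.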
This is pretty cool. Renovate now shows "abandoned dependencies" and we have a lot. We can use this method going forward instead of doing it manually like I did above.
These dependencies have not received updates for an extended period and may be unmaintained:
- https://github.com/runatlantis/atlantis/issues/2818
- https://docs.renovatebot.com/key-concepts/dashboard/#abandonment-detection