objx icon indicating copy to clipboard operation
objx copied to clipboard

Published 20 hours ago verified publisher icon stretchr

Circular dependency with testify

Open kaovilai opened this issue 2 years ago • 7 comments

objx requires github.com/stretchr/testify v1.7.1 github.com/stretchr/testify requires objx v0.4.0

Would be cool if it could be avoided. No other reason in particular.

kaovilai avatar Sep 14 '22 15:09 kaovilai

Can you elaborate on why this needs fixing? Did you run into any issues?

hanzei avatar Sep 18 '22 03:09 hanzei

Just a go.sum eyesore that's all.

For some reason golang don't prevent module circular dependency but does at the package level.

kaovilai avatar Sep 18 '22 04:09 kaovilai

It also makes snyk complain about security issues (these issues should be gone from testify 1.8.0): SNYK-GOLANG-GOPKGINYAMLV3-2841557, SNYK-GOLANG-GOPKGINYAMLV3-2952714

gildas avatar Oct 03 '22 14:10 gildas

facing the same problem of @gildas on a Snyk pipeline. But checking out the code, I noticed that the problem was already fixed on master branch, maybe what is missing is generate a new package release.

joaocbarbosa avatar Oct 14 '22 20:10 joaocbarbosa

created a new release

geseq avatar Oct 15 '22 03:10 geseq

thank you so much @geseq.

just a question, the old version of objx still be used by testify 1.8.0, and by that, indirectly, is using a vulnerable version of the yaml.v3 package, as the dependency tree below:

- testify v1.8.0
   - objx v0.4.0
      - testify v1.7.1
         - yaml.v3 v3.0.0

Vulnerability found here: https://security.snyk.io/package/golang/github.com%2Fgo-yaml%2Fyaml

Is threre any schedule for dependabot to run and update it?

joaocbarbosa avatar Oct 15 '22 15:10 joaocbarbosa

Sorry I have no idea. You’d have to ask this in the testify repo

geseq avatar Oct 15 '22 16:10 geseq

I created this issue in the testify repo: https://github.com/stretchr/testify/issues/1292. We might need to add a new tag for objx (maybe v0.5.1), so as to stop the backwards pointing to older, vulnerable versions.

Currently here in objx, the bump to testify 1.8.1 is after the v0.5.0 tag:

> git log --oneline -3
c0315e5 (HEAD -> master, origin/master, origin/HEAD) Fix a couple typos in the README.md (#128)
40ef69b Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#126)
50a2c06 (tag: v0.5.0) Fix typo in Taskfile (#122)

rohanthewiz avatar Oct 31 '22 20:10 rohanthewiz

I was able to solve this by adding this to my go.mod file:

exclude github.com/stretchr/testify v1.7.1

westy92 avatar Mar 01 '23 04:03 westy92

To the maintainer: would you accept a PR that would drop the use of testify and just use testing? This would fix that dependency circle forever. I'm ready to do the work.

dolmen avatar Jun 13 '23 09:06 dolmen

I found an easier way to help Go break the cycle. See #140. Thanks to @westy92 and @mgibson-r7.

dolmen avatar Jul 04 '23 14:07 dolmen