testify integrate github.com/pmezard/go-difflib

integrate github.com/pmezard/go-difflib

Open obsti8383 opened this issue 2 years ago • 3 comments

Summary

Since go-difflib is unmaintained since quite some time, the required functions have been taken over into a separate testify package.

Motivation

Unmaintained packages might vanish or be taken over by attackers.

Related issues

Closes #1187 Closes #1159 Closes #736

Jun 05 '22 16:06 obsti8383

It's a good idea but would it not be easier to just pin to the latest version in our go.mod file and break on any hash changes (go.sum, we already do that in the CI jobs).

I get the problem of what happens if the package vanishes, would vendoring not be an easier solution then?

Jun 21 '22 10:06 boyan-soubachov

It's a good idea but would it not be easier to just pin to the latest version in our go.mod file and break on any hash changes (go.sum, we already do that in the CI jobs).

go.mod already PINs the version, so that doesn't change anything. Pulling everything into this repo gives the advantage that you don't upgrade to a malicious version by accident.

Main advantage of moving all used code into this repo is that you get rid of concerns by using an unmaintained source code, by maintaining it yourself (see all three issues).

I've also included only the used functions, which makes the code base smaller.

I get the problem of what happens if the package vanishes, would vendoring not be an easier solution then?

As far as I understand vendoring it doesn't bring any advantages here, since command like "go get" will still use the original repository and you don't get rid of the dependency.

Jun 21 '22 18:06 obsti8383

@boyan-soubachov @ernesto-jimenez, could we have a look at this?