
Drop outdated/abandoned dependencies

Open remycx opened this issue 1 year ago • 2 comments

Description

https://github.com/pmezard/go-difflib : as quoted, "THIS PACKAGE IS NO LONGER MAINTAINED."; code hasn't evolved in 9 years. https://github.com/davecgh/go-spew : hasn't been touched in 6 years.

Removing old & dangerous code would lead to a cleaner codebase.

Proposed solution

Use case

Reduce the dependency on outdated & abandoned repositories, to improve the safety of the library and reduce the potential for supply chain attacks.

remycx (Apr 16 '24 13:04)

Easy to say. But what concrete solution do you suggest? Did you have a look at existing issues?

dolmen (Apr 23 '24 09:04)

@remycx Note also that I have proposed #1579 to unlink Testify from gopkg.in/yaml.v3 (which is as unmaintained as the 2 other dependencies mentioned here, and is, in my opinion, a much higher security risk, not for Testify but for the Go ecosystem in general). Your opinion and review of that PR would be welcome.

dolmen (Apr 23 '24 12:04)

@remycx Dropping abandoned issue.

dolmen (May 16 '24 12:05)

Is https://github.com/google/go-cmp perhaps a viable replacement for https://github.com/pmezard/go-difflib?

pohly (Sep 27 '24 15:09)

go-cmp might be overkill. A simple diff implementation for two sequences of a comparable type like strings in https://github.com/stretchr/testify/blob/b074924938f86d417f1c9a845c7e8b0784d7f937/assert/assertions.go#L1883-L1891 isn't hard to write - I'll have a look.

pohly (Sep 27 '24 19:09)
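To illustrate the kind of dependency-free diff the last comment has in mind, here is an added example of a minimal longest-common-subsequence (LCS) diff over two slices of any comparable type. It is not testify's code and not pohly's proposed patch; the `Diff`, `Format` and `Counts` names, the `Edit` type and the constructed config-file sample are assumptions made for this example. It goes slightly beyond the comment by being generic over `comparable` rather than limited to strings, which is what lets the same routine serve `[]string`, `[]int` or any other element type without pulling in go-difflib or go-cmp.

```go
package main

import (
	"fmt"
	"strings"
)

// Edit is one step of an edit script: Kind is ' ' (present in both),
// '-' (only in a) or '+' (only in b).
type Edit[T comparable] struct {
	Kind byte
	Val  T
}

// Diff returns an edit script turning a into b, derived from a classic
// LCS table. Cost is O(len(a)*len(b)) in time and memory, which is fine for
// the short line lists an assertion failure message needs.
func Diff[T comparable](a, b []T) []Edit[T] {
	n, m := len(a), len(b)
	// lcs[i][j] = length of the longest common subsequence of a[i:] and b[j:].
	lcs := make([][]int, n+1)
	for i := range lcs {
		lcs[i] = make([]int, m+1)
	}
	for i := n - 1; i >= 0; i-- {
		for j := m - 1; j >= 0; j-- {
			switch {
			case a[i] == b[j]:
				lcs[i][j] = lcs[i+1][j+1] + 1
			case lcs[i+1][j] >= lcs[i][j+1]:
				lcs[i][j] = lcs[i+1][j]
			default:
				lcs[i][j] = lcs[i][j+1]
			}
		}
	}
	// Walk the table from (0,0), preferring deletions over insertions on ties
	// so the output is deterministic.
	var out []Edit[T]
	i, j := 0, 0
	for i < n && j < m {
		switch {
		case a[i] == b[j]:
			out = append(out, Edit[T]{' ', a[i]})
			i++
			j++
		case lcs[i+1][j] >= lcs[i][j+1]:
			out = append(out, Edit[T]{'-', a[i]})
			i++
		default:
			out = append(out, Edit[T]{'+', b[j]})
			j++
		}
	}
	for ; i < n; i++ {
		out = append(out, Edit[T]{'-', a[i]})
	}
	for ; j < m; j++ {
		out = append(out, Edit[T]{'+', b[j]})
	}
	return out
}

// Format renders a string edit script one line per edit, marker first,
// in the style of a line diff shown in a failed-assertion message.
func Format(edits []Edit[string]) string {
	var sb strings.Builder
	for _, e := range edits {
		sb.WriteByte(e.Kind)
		sb.WriteString(e.Val)
		sb.WriteByte('\n')
	}
	return sb.String()
}

// Counts reports how many elements the script removes and adds; equal
// inputs must yield (0, 0).
func Counts[T comparable](edits []Edit[T]) (removed, added int) {
	for _, e := range edits {
		switch e.Kind {
		case '-':
			removed++
		case '+':
			added++
		}
	}
	return removed, added
}

func main() {
	// Constructed sample: two versions of a small config, compared line by line.
	before := strings.Split("host=example\nport=80\ntls=off", "\n")
	after := strings.Split("host=example\nport=443\ntls=on\nverify=true", "\n")
	fmt.Print(Format(Diff(before, after)))
}
```

The table walk prefers deletions on ties, so callers get stable output across runs; if a different tie-break is wanted (for example to keep insertions grouped first), only the `>=` in the walk needs to change, with the same change mirrored in the table-building loop so the script stays consistent with the recorded LCS lengths.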