Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prune unmaintained dependencies #11120

Open
JPZ13 opened this issue May 23, 2023 · 11 comments
Open

Prune unmaintained dependencies #11120

JPZ13 opened this issue May 23, 2023 · 11 comments
Labels
go Pull requests that update Go dependencies type/dependencies PRs and issues specific to updating dependencies type/feature Feature request type/tech-debt

Comments

@JPZ13
Copy link
Member

JPZ13 commented May 23, 2023

Summary

Similar to #11053 that @isubasinghe reported, we have many dependencies in our go.mod file (and I assume more in the package.json) that are no longer being actively maintained. We should start culling these dependencies. It gets us the following advantages:

  • Fewer attack vectors
  • Less code to maintain
  • Easier to modify behavior
  • Less need to maintain forks of dependencies

Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

@JPZ13 JPZ13 added the type/feature Feature request label May 23, 2023
@JPZ13
Copy link
Member Author

JPZ13 commented May 23, 2023

Running list of unmaintained go packages in Argo Workflows dependencies:

@ryancurrah
Copy link
Contributor

ryancurrah commented May 26, 2023

For logging, in Go 1.21 there will be a structured logger in the standard library.

Proposal: https://www.reddit.com/r/golang/comments/11sdqia/slog_proposal_accepted_for_go_121.

You can even use it now via golang.org/x/exp/slog.

We implemented a logging interface based off of https://github.com/go-logr/logr. And are able to switch to the new standard library logger without changing downstream modules use of our logging library.

@tidwall
Copy link

tidwall commented Jun 16, 2023

@JPZ13 Just out of curiosity what metric did you use to determine which packages are unmaintained?

@JPZ13
Copy link
Member Author

JPZ13 commented Jun 16, 2023

@tidwall - eyeballed a few and then also used this: https://isitmaintained.com/

gjson was showing up as unmaintained, so I included it. Happy to scratch from the list if it's a false positive

@tidwall
Copy link

tidwall commented Jun 16, 2023

@JPZ13 Thanks for the info. I consider gjson a maintained project.

@tico24
Copy link
Member

tico24 commented Jul 10, 2023

You can find EOL packages by using https://github.com/xeol-io/xeol. This can be added to CI with relative ease for ongoing reporting.

@terrytangyuan
Copy link
Member

Gorilla projects should be back alive. gorilla/mux#707 (comment)

@jamietanna
Copy link

jamietanna commented Jul 13, 2023

That's cool @tico24 - I've built a similar thing at https://dmd.tanna.dev using https://endoflife.date as well as community-sourced data!

@agilgur5 agilgur5 added the type/dependencies PRs and issues specific to updating dependencies label Sep 1, 2023
@agilgur5 agilgur5 added the go Pull requests that update Go dependencies label Sep 11, 2024
@weafscast
Copy link
Contributor

@agilgur5 wdyt about moving to https://github.com/casbin/govaluate for the meanwhile?

@weafscast
Copy link
Contributor

Removing bellows -> #13591

@agilgur5
Copy link

@agilgur5 wdyt about moving to https://github.com/casbin/govaluate for the meanwhile?

I wouldn't think about it too much as we're going to remove it soon, c.f. #9529, #7831
Casbin having a fork is interesting, though it seems to introduce some new features too, and I'd rather we not to do that given govaluate is on the way out anyway

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
go Pull requests that update Go dependencies type/dependencies PRs and issues specific to updating dependencies type/feature Feature request type/tech-debt
Projects
None yet
Development

No branches or pull requests

8 participants