Dependency on "testing" from "google.golang.org/grpc/experimental/stats"

[aaronbee]

What version of gRPC are you using?

v1.66.0

What version of Go are you using (go version)?

v1.22

What operating system (Linux, Windows, …) and version?

N/A

What did you do?

Verified my code didn't depend on "testing" in production binaries.

What did you expect to see?

No production dependency on "testing".

What did you see instead?

$ go list -deps google.golang.org/grpc | grep testing
testing

This comes from https://github.com/grpc/grpc-go/blob/005b092ca3c279e352f1247c4316b0351dec3a56/experimental/stats/metricregistry.go#L255

[aaronbee]

To add a bit more color here, in our repo we check for unexpected dependencies of our binaries. This is done to reduce binary bloat, to avoid side effects of those dependencies (eg. importing "testing" use to register flags that are exposed by the final binary, but this is no longer the case), and just generally to have a cleaner dependency tree.

A dependency we disallow in production binaries is "testing", which is how we noticed that grpc started depending on it.

[easwars]

@aaronbee : Thanks for filing this issue. How do you check for unexpected dependencies of your binaries in your repo? Is that something that you can share with us?

[aaronbee]

We have a small program (that's not open source, sorry) that uses golang.org/x/tools/go/packages to load a package and walk its dependency tree, reporting any uses of forbidden dependencies. Another simple way to this is with go list -deps which will just print out all the dependencies of a package.

[easwars]

The change to remove the testing dependency got merged in https://github.com/grpc/grpc-go/pull/7579. Now, we need to do a patch release for this, and also need to think about if we want to add something simple like go list -deps google.golang.org/grpc | grep testing to our vet.sh.

[AlekSi]

Do you have any timeline for the patch release?

[AlekSi]

Actually, it was released in 1.66.2. So this issue probably could be closed.