Closed cforce closed 2 months ago
This Markdown list contains all the outdated Go packages and their corresponding versions in a table format. Why are those not bumped by renovator?
I think there are some examples of dependencies listed on that table that are on the latest version; for example, spf13/cobra's latest version is v1.8.1, and this is the version we use. Could you trim it down to only the outdated dependencies?
Code is not maintained and license is "uncommon"
I am not sure I understand what you posted, but assuming you are talking about https://github.com/alecthomas/kingpin, this dependency seems to have an MIT license (I would say this is a very common license, and it is OSI approved) and has at least monthly activity. Are you talking about a different dependency?
License violates strong copy left
Again, making a guess here, but it seems you are talking about github.com/golang/freetype. This one is interesting: the license is not OSI-approved, nothing in the license seems concerning to me, but I am not a lawyer. If this is a concern, we can try and reach out to the CNCF so that they help us clarify this.
Cobra is a lucky pick, but I found a lot which have a much newer version listed there. Using snapshots or releases from 2015-2019 also feels a bit weird. I thought it was worth mentioning, and wonder whether those deps are needed or no updates are there, which would define the project as dead.
go_mod/go.opentelemetry.io/collector:otelcol/v0.106.1/gonum.org/v1/gonum:v0.15.0/git.sr.ht/~sbinet/gg:v0.5.0 Unknown license -> https://git.sr.ht/~sbinet/gg
go-restful v2.9.5 https://github.com/emicklei/go-restful
but I found a lot which have a much newer version listed there.
Could you list those ones so we can investigate?
Unknown license -> git.sr.ht/~sbinet/gg
I think this is a MIT license, isn't it? https://git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md
go-restful v2.9.5 emicklei/go-restful
Same here: https://github.com/emicklei/go-restful/blob/v3/LICENSE and we use the latest version https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/d46a7c30553de71eaea0eeeb4927d0644ed39140/cmd/otelcontribcol/go.mod#L462
Could you list those ones so we can investigate?
I will need more time to run again over it, and I am leaving for vacation soon.
I think this is a MIT license, isn't it? https://git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md
Hard to say - it's not clear, I would say, and therefore a risk https://git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md
go-restful v2.9.5
Is it really latest? The last commit on this version is 5 years old. The releases page is not useful https://github.com/emicklei/go-restful/releases but tags show a lot newer https://github.com/emicklei/go-restful/tree/v3.12.1 Also v2.9.5 might be affected by https://cwe.mitre.org/data/definitions/285.html and https://cwe.mitre.org/data/definitions/625.html and others https://github.com/emicklei/go-restful/issues?q=is%3Aissue+vuln
Hard to say - it's not clear, I would say, and therefore a risk git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md
You can compare with the go-restful one; the text is exactly the same (edit: save for the explicit mention of "MIT license" and the copyright header).
Is it really latest? The last commit on this version is 5 years old.
v2.9.5 is not the latest, but we are using v3.11.0 in all modules, not v2.9.5: https://github.com/search?q=repo%3Aopen-telemetry%2Fopentelemetry-collector-contrib+go-restful&type=code&p=2
As you can see from this search https://github.com/search?q=repo%3Aopen-telemetry%2Fopentelemetry-collector-contrib+go-restful%2Fv2&type=code we are not using v2 anywhere.
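The check the maintainer describes above (which major version of a module the build actually requires, and whether an old major is only an indirect requirement pulled in by another dependency) can be automated. The following is an added example, not code from this issue or from the collector repository: a small Go program that parses the `require` directives of a go.mod, groups entries by module path without the `/vN` major suffix, and separates direct from indirect requirements. The go.mod text, the function names (`ParseRequires`, `MajorsInUse`, `Direct`, `BasePath`) and the presence of a `v2.9.5+incompatible` indirect entry are constructed for illustration and do not describe the real otelcontribcol go.mod.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Require is one entry from a go.mod require directive.
type Require struct {
	Path     string // module path, e.g. github.com/emicklei/go-restful/v3
	Version  string // e.g. v3.11.0
	Indirect bool   // marked "// indirect" by the go tool
}

// sampleGoMod is a constructed go.mod for this example only; it is not the
// collector's real module file. It deliberately contains both the v3 module
// and an indirect +incompatible v2 entry to show how a scanner can report an
// old major that no code in this module imports.
const sampleGoMod = `module example.com/otelcontribcol

go 1.21

require github.com/spf13/cobra v1.8.1

require (
	github.com/emicklei/go-restful/v3 v3.11.0
	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
	gonum.org/v1/gonum v0.15.0
	git.sr.ht/~sbinet/gg v0.5.0 // indirect
)
`

// ParseRequires extracts every require entry, in single-line and block form.
func ParseRequires(src string) []Require {
	var out []Require
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, blank lines outside a block
		}
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		out = append(out, Require{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return out
}

// majorSuffix matches the /vN suffix that Go modules use for major version 2+.
// v0 and v1 never carry a suffix, so gonum.org/v1/gonum is left untouched.
var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)

// BasePath strips the /vN major suffix so all majors of a module group together.
func BasePath(path string) string {
	return majorSuffix.ReplaceAllString(path, "")
}

// MajorsInUse returns every required version of the module whose suffix-free
// path is base, keyed by the full module path. Two keys mean two majors are
// both present in the build graph.
func MajorsInUse(reqs []Require, base string) map[string]string {
	m := map[string]string{}
	for _, r := range reqs {
		if BasePath(r.Path) == base {
			m[r.Path] = r.Version
		}
	}
	return m
}

// Direct keeps only modules this module's own code imports; an indirect entry
// is there because some other dependency requires it.
func Direct(reqs []Require) []Require {
	var out []Require
	for _, r := range reqs {
		if !r.Indirect {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	reqs := ParseRequires(sampleGoMod)
	for path, ver := range MajorsInUse(reqs, "github.com/emicklei/go-restful") {
		fmt.Printf("%s %s\n", path, ver)
	}
	fmt.Printf("%d direct of %d total requirements\n", len(Direct(reqs)), len(reqs))
}
```

On a real repository, `go mod graph` or `go mod why -m <module>` answers who pulls in an indirect requirement; the parser above is only for reading the go.mod a dependency inventory was generated from.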
I will close this and come up with a new one.
Component(s)
No response
What happened?
There are years-old versions, and current ones are available.
This Markdown list contains all the outdated Go packages and their corresponding versions in a table format. Why are those not bumped by renovator?
License violates strong copy left
Code is not maintained and license is "uncommon"
Collector version
0.106.1
Environment information
Environment
OS: (e.g., "Ubuntu 20.04") Compiler (if manually compiled): (e.g., "go 14.2")
OpenTelemetry Collector configuration
Log output
No response
Additional context
No response