pact-foundation / pact-go

Golang version of Pact. Pact is a contract testing framework for HTTP APIs and non-HTTP asynchronous messaging systems.
http://pact.io
MIT License
828 stars, 103 forks

feat(installer): Don't use hashicorp/go-getter #392

Closed jjustin closed 3 weeks ago

jjustin commented 2 months ago

Why

Here is a bit of a story behind the provided changes: We are using https://osv.dev/ to find the vulnerable packages in a project that uses pact-go. One of the vulnerable packages is github.com/aws/aws-sdk-go, which is an indirect dependency brought into our project by pact-go. pact-go gets the aws-sdk-go package from github.com/hashicorp/go-getter. Here is some more info on the vulnerability: https://osv.dev/vulnerability/GO-2022-0646. It's a vulnerability that pact-go is not affected by.

Out of curiosity I've looked into where go-getter is used and noticed that its only usage is to download the library file, yet it brings A LOT of dependencies into the project (over 90% of the go.sum file).

Dropping the usage of go-getter should greatly reduce the dependency tree and make the build smaller.

Changes

Drop the usage of go-getter and use stdlib's net/http to download the file and compress/gzip to extract the file.
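The comment above describes replacing go-getter with a plain net/http download and a compress/gzip decompression. Go-getter also did checksum verification for you, so a stdlib replacement needs to carry that over. The following is an added example written for this page, not the PR's own code or pact-go's installer: a downloader that pins the archive to a SHA-256 (where the expected hash comes from is an assumption; a checksum file shipped with the installer is the usual source), bounds both the bytes read from the wire and the inflated output, and writes the library atomically. The size limits, file names and the in-process test server with its constructed payload are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Assumed limits for this example: how much gzip we accept from the network and
// how much we are willing to inflate from it (guards against disk-filling bombs).
const (
	maxCompressed   = 64 << 20
	maxDecompressed = 256 << 20
)

// fetchGzip downloads url, verifies the SHA-256 (hex) of the compressed bytes
// against wantSHA256, and only then gunzips into dst. Nothing reaches the
// gzip parser or the filesystem until the hash matches.
func fetchGzip(ctx context.Context, client *http.Client, url, dst, wantSHA256 string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %s for %s", resp.Status, url)
	}
	// Read one byte past the limit so "exactly at limit" and "over" are distinguishable.
	compressed, err := io.ReadAll(io.LimitReader(resp.Body, maxCompressed+1))
	if err != nil {
		return err
	}
	if len(compressed) > maxCompressed {
		return fmt.Errorf("download exceeds %d bytes", maxCompressed)
	}
	sum := sha256.Sum256(compressed)
	if got := hex.EncodeToString(sum[:]); got != wantSHA256 {
		return fmt.Errorf("sha256 mismatch: got %s want %s", got, wantSHA256)
	}
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return err
	}
	// Inflate into a temp file next to dst so the final step is a single rename.
	tmp, err := os.CreateTemp(filepath.Dir(dst), ".fetch-*")
	if err != nil {
		return err
	}
	cleanup := func() { tmp.Close(); os.Remove(tmp.Name()) }
	// Reading the gzip stream to EOF is what validates its CRC32 trailer.
	n, err := io.Copy(tmp, io.LimitReader(zr, maxDecompressed+1))
	if err != nil {
		cleanup()
		return err
	}
	if n > maxDecompressed {
		cleanup()
		return fmt.Errorf("decompressed output exceeds %d bytes", maxDecompressed)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmp.Name())
		return err
	}
	return os.Rename(tmp.Name(), dst) // atomic on POSIX: no half-written library is ever visible
}

// gzipBytes builds the constructed sample payload served by the demo.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		panic(err)
	}
	zw.Close()
	return buf.Bytes()
}

type demoResult struct {
	Content     string // decompressed bytes from the correctly pinned fetch
	TamperedErr error  // error from the fetch with a wrong pin (must be non-nil)
	Leftover    bool   // whether the failed fetch left a file on disk (must be false)
}

// demo serves a constructed gzip payload from an in-process server and fetches
// it with the right hash and then with a deliberately wrong one.
func demo() (demoResult, error) {
	payload := gzipBytes([]byte("pretend this is libpact_ffi.so\n")) // constructed sample, not a real library
	sum := sha256.Sum256(payload)
	want := hex.EncodeToString(sum[:])
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/gzip")
		w.Write(payload)
	}))
	defer srv.Close()
	dir, err := os.MkdirTemp("", "fetchgzip")
	if err != nil {
		return demoResult{}, err
	}
	defer os.RemoveAll(dir)
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	client := &http.Client{Timeout: 10 * time.Second}
	dst := filepath.Join(dir, "libpact_ffi.so")
	if err := fetchGzip(ctx, client, srv.URL+"/lib.gz", dst, want); err != nil {
		return demoResult{}, err
	}
	b, err := os.ReadFile(dst)
	if err != nil {
		return demoResult{}, err
	}
	bad := filepath.Join(dir, "tampered.so")
	tamperedErr := fetchGzip(ctx, client, srv.URL+"/lib.gz", bad, strings.Repeat("0", 64)) // wrong pin
	_, statErr := os.Stat(bad)
	return demoResult{Content: string(b), TamperedErr: tamperedErr, Leftover: statErr == nil}, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("fetched %d bytes; tampered fetch rejected: %v\n", len(r.Content), r.TamperedErr)
}
```

If the artifact is a tarball rather than a single gzipped file, archive/tar has to be layered on top of the gzip reader, and each entry's name must be checked against path traversal (".." components or absolute paths) before it is written under the destination directory.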

mefellows commented 3 weeks ago

Sorry I lost track of this one, reviewing this now.

mefellows commented 3 weeks ago

Thanks for this - will release this in the next version.

jjustin commented 3 weeks ago

Thanks for taking a look at this