Here is a bit of a story behind the provided changes:
We are using https://osv.dev/ to find the vulnerable packages in a project that uses pact-go. One of the vulnerable packages is github.com/aws/aws-sdk-go, which is an indirect dependency brought into our project by pact-go.
pact-go gets the aws-sdk-go package from github.com/hashicorp/go-getter.
Here is some more info on the vulnerability: https://osv.dev/vulnerability/GO-2022-0646. It's a vulnerability that pact-go is not affected by.
Out of curiosity I've looked into where go-getter is used and noticed that its only usage is to download the library file, yet it brings A LOT of dependencies into the project (over 90% of the go.sum file).
Dropping the usage of go-getter should greatly reduce the dependency tree and make the build smaller.
Changes
Drop the usage of go-getter and use stdlib's net/http to download the file and compress/gzip to extract the file.
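As an added illustration of the replacement approach (not the pact-go project's code and not part of this PR), here is a Go sketch that downloads a gzipped artifact with net/http and decompresses it with compress/gzip; the function names, the decompressed-size cap and the SHA-256 digest are assumptions layered on top of what the PR describes, added so the stdlib path does not lose the checks a download helper should have.

```go
package main

import (
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"time"
)

// extractGzip decompresses r into dst, refusing more than maxBytes of output
// (gzip bomb guard) and returning the SHA-256 hex digest of what was written
// so the caller can compare it with the published checksum of the artifact.
func extractGzip(r io.Reader, dst io.Writer, maxBytes int64) (string, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return "", err
	}
	defer zr.Close()
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(dst, h), io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return "", err
	}
	if n > maxBytes {
		return "", fmt.Errorf("decompressed size exceeds %d bytes", maxBytes)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// downloadGzip fetches url with a timeout-bound net/http client, rejects any
// non-200 response and streams the body through extractGzip into dst.
func downloadGzip(url string, dst io.Writer, maxBytes int64) (string, error) {
	resp, err := (&http.Client{Timeout: 5 * time.Minute}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	return extractGzip(resp.Body, dst, maxBytes)
}
```

Compare the returned digest with the published checksum before using the file, and write into a temporary file that is renamed into place only on success, so an aborted or tampered download never ends up on the library path.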