Circular dependency with testify

stretchr / objx

Go package for dealing with maps, slices, JSON and other data.

MIT License

687 stars 75 forks source link

Circular dependency with testify #124

Closed kaovilai closed 11 months ago

kaovilai commented 1 year ago

objx requires github.com/stretchr/testify v1.7.1 github.com/stretchr/testify requires objx v0.4.0

Would be cool if it could be avoided. No other reason in particular.

hanzei commented 1 year ago

Can you elaborate on why this needs fixing? Did you run into any issues?

kaovilai commented 1 year ago

Just a go.sum eyesore that's all.

For some reason golang don't prevent module circular dependency but does at the package level.

gildas commented 1 year ago

It also makes snyk complain about security issues (these issues should be gone from testify 1.8.0): SNYK-GOLANG-GOPKGINYAMLV3-2841557, SNYK-GOLANG-GOPKGINYAMLV3-2952714

joaocbarbosa commented 1 year ago

facing the same problem of @gildas on a Snyk pipeline. But checking out the code, I noticed that the problem was already fixed on master branch, maybe what is missing is generate a new package release.

geseq commented 1 year ago

created a new release

joaocbarbosa commented 1 year ago

thank you so much @geseq.

just a question, the old version of objx still be used by testify 1.8.0, and by that, indirectly, is using a vulnerable version of the yaml.v3 package, as the dependency tree below:

- testify v1.8.0
   - objx v0.4.0
      - testify v1.7.1
         - yaml.v3 v3.0.0

Vulnerability found here: https://security.snyk.io/package/golang/github.com%2Fgo-yaml%2Fyaml

Is threre any schedule for dependabot to run and update it?

geseq commented 1 year ago

Sorry I have no idea. You’d have to ask this in the testify repo

rohanthewiz commented 1 year ago

I created this issue in the testify repo: https://github.com/stretchr/testify/issues/1292. We might need to add a new tag for objx (maybe v0.5.1), so as to stop the backwards pointing to older, vulnerable versions.

Currently here in objx, the bump to testify 1.8.1 is after the v0.5.0 tag:

> git log --oneline -3
c0315e5 (HEAD -> master, origin/master, origin/HEAD) Fix a couple typos in the README.md (#128)
40ef69b Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#126)
50a2c06 (tag: v0.5.0) Fix typo in Taskfile (#122)

westy92 commented 1 year ago

I was able to solve this by adding this to my go.mod file:

exclude github.com/stretchr/testify v1.7.1

dolmen commented 1 year ago

To the maintainer: would you accept a PR that would drop the use of testify and just use testing? This would fix that dependency circle forever. I'm ready to do the work.

dolmen commented 1 year ago

I found an easier way to help Go break the cycle. See #140. Thanks to @westy92 and @mgibson-r7.