stretchr / testify

A toolkit with common assertions and mocks that plays nicely with the standard library
MIT License

Drop outdated/abandoned dependencies #1589

Closed remycx closed 4 months ago

remycx commented 5 months ago

Description

https://github.com/pmezard/go-difflib: as quoted, "THIS PACKAGE IS NO LONGER MAINTAINED."; the code hasn't evolved in 9 years.
https://github.com/davecgh/go-spew: hasn't been touched in 6 years.

Removing old & dangerous code would lead to a cleaner codebase.

Proposed solution

Use case

Reduce the dependency on outdated & abandoned repositories, to improve the safety of the library and reduce the potential for supply chain attacks.

dolmen commented 5 months ago

Easy to say. But what concrete solution do you suggest? Did you have a look at existing issues?

dolmen commented 5 months ago

@remycx Note also that I have proposed #1579 to unlink Testify from gopkg.in/yaml.v3 (which is as unmaintained as the 2 other dependencies mentioned here, and is, in my opinion, a much higher security risk, not for Testify but for the Go ecosystem in general). Your opinion and review of that PR would be welcome.

dolmen commented 4 months ago

@remycx Dropping abandoned issue.

pohly commented 5 days ago

Is https://github.com/google/go-cmp perhaps a viable replacement for https://github.com/pmezard/go-difflib?

pohly commented 4 days ago

go-cmp might be overkill. A simple diff implementation for two sequences of a comparable type like strings in https://github.com/stretchr/testify/blob/b074924938f86d417f1c9a845c7e8b0784d7f937/assert/assertions.go#L1883-L1891 isn't hard to write - I'll have a look.
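A minimal LCS-based diff over two slices of a comparable type, in the spirit of what the comment above proposes. This is an added example, not testify's code and not the implementation the commenter refers to; the function name DiffLines and the " ", "-", "+" line prefixes are my assumptions.

```go
package main

import "fmt"

// DiffLines returns a minimal edit script between a and b, one entry per
// element, prefixed " " (common), "-" (only in a) or "+" (only in b).
// It builds a longest-common-subsequence table and walks it; being
// generic over comparable, it works for []string, []int, and so on.
func DiffLines[T comparable](a, b []T) []string {
	n, m := len(a), len(b)
	// lcs[i][j] is the LCS length of a[i:] and b[j:]; the last row and column stay 0.
	lcs := make([][]int, n+1)
	for i := range lcs {
		lcs[i] = make([]int, m+1)
	}
	for i := n - 1; i >= 0; i-- {
		for j := m - 1; j >= 0; j-- {
			if a[i] == b[j] {
				lcs[i][j] = lcs[i+1][j+1] + 1
			} else if lcs[i+1][j] >= lcs[i][j+1] {
				lcs[i][j] = lcs[i+1][j]
			} else {
				lcs[i][j] = lcs[i][j+1]
			}
		}
	}
	// Walk from (0,0), always taking a step that preserves the LCS length.
	var out []string
	i, j := 0, 0
	for i < n || j < m {
		switch {
		case i < n && j < m && a[i] == b[j]:
			out = append(out, fmt.Sprintf(" %v", a[i]))
			i++
			j++
		case j < m && (i == n || lcs[i][j+1] >= lcs[i+1][j]):
			out = append(out, fmt.Sprintf("+%v", b[j]))
			j++
		default:
			out = append(out, fmt.Sprintf("-%v", a[i]))
			i++
		}
	}
	return out
}
```

Calling DiffLines(expected, actual) on two string slices yields the same kind of per-line "-"/"+" listing an assertion failure message would show.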