
drop transitive dependency on github.com/stretchr/testify for consumers #449


Closed
bmoffatt opened this issue Jun 30, 2022 · 1 comment

Comments

@bmoffatt
Collaborator

🤷‍♂️ Did this trigger a warning in a consuming package you have? The dependency only comes in for running this package's unit tests, so it'd be interesting & unexpected if the vulnerable dependency was being transitively picked up in the consumer.

bryan@air yolo % cat main.go
package main

import (
	"github.com/aws/aws-lambda-go/lambda"
)

func main() {
	lambda.Start(func() {})
}
bryan@air yolo % cat go.mod
module yolo

go 1.18

require github.com/aws/aws-lambda-go v1.32.0
bryan@air yolo % cat go.sum
github.com/aws/aws-lambda-go v1.32.0 h1:i8MflawW1hoyYp85GMH7LhvAs4cqzL7LOS6fSv8l2KM=
github.com/aws/aws-lambda-go v1.32.0/go.mod h1:IF5Q7wj4VyZyUFnZ54IQqeWtctHQ9tz+KhcbDenr220=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=

ahh, must be because of the github.com/aws/aws-lambda-go/test package being in the repo

https://github.com/aws/aws-lambda-go/blob/main/events/test/jsoncompare.go#L8

Originally posted by @bmoffatt in #446 (comment)

Dropping a go.mod into the folder might be sufficient to break the resolution for consumers, unless of course there's an explicit import of github.com/aws/aws-lambda-go/events/test.

May also consider deleting the package, as it doesn't provide value over direct use of testify in the _test.go files. However... I know I've seen an internal codebase of ours import from this package, so that'd be a breaking change for someone else's unit testing.
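To make the observation above checkable, here is an added Go example (not code from aws-lambda-go or from the issue author) that parses the consumer's go.mod and go.sum shown in the post, both embedded as constructed string constants, and reports the modules whose source-zip hash is pinned without being directly required. It also handles the parenthesised require block form, which the go.mod in the post does not use.

```go
package main

import "strings"

// Constructed copies of the consumer's go.mod and go.sum from the issue,
// embedded so the example runs offline (nothing is read from disk).
const goMod = "module yolo\n\ngo 1.18\n\nrequire github.com/aws/aws-lambda-go v1.32.0\n"
const goSum = `github.com/aws/aws-lambda-go v1.32.0 h1:i8MflawW1hoyYp85GMH7LhvAs4cqzL7LOS6fSv8l2KM=
github.com/aws/aws-lambda-go v1.32.0/go.mod h1:IF5Q7wj4VyZyUFnZ54IQqeWtctHQ9tz+KhcbDenr220=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
`

// directRequires collects module paths from require directives, both the
// single-line form used in the issue and a parenthesised require block.
func directRequires(mod string) map[string]bool {
	direct, inBlock := map[string]bool{}, false
	for _, line := range strings.Split(mod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) >= 3 && f[0] == "require":
			direct[f[1]] = true
		case inBlock && len(f) >= 2 && !strings.HasPrefix(f[0], "//"):
			direct[f[0]] = true
		}
	}
	return direct
}

// transitiveZipModules returns the modules whose source-zip hash (an "h1:"
// line without the "/go.mod" suffix) is pinned in go.sum although the main
// module never requires them: the testify-style entries the issue describes.
func transitiveZipModules(mod, sum string) map[string]bool {
	direct, found := directRequires(mod), map[string]bool{}
	for _, line := range strings.Split(sum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") || direct[f[0]] {
			continue // blank line, go.mod-only hash, or a direct requirement
		}
		found[f[0]] = true
	}
	return found
}
```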

@bmoffatt
Collaborator Author

After reading about go test all, I believe that removing these entries from a consumer's go.sum file isn't feasible

bmoffatt closed this as not planned on Jul 12, 2022