integrate github.com/pmezard/go-difflib #1198
It's a good idea but would it not be easier to just pin to the latest version in our I get the problem of what happens if the package vanishes, would vendoring not be an easier solution then?
go.mod already pins the version, so that doesn't change anything. Pulling everything into this repo gives the advantage that you don't upgrade to a malicious version by accident. The main advantage of moving all used code into this repo is that you get rid of the concerns about using unmaintained source code by maintaining it yourself (see all three issues). I've also included only the used functions, which makes the code base smaller.
As far as I understand vendoring, it doesn't bring any advantages here, since commands like "go get" will still use the original repository and you don't get rid of the dependency.
Everything seems good to me. Also I need this upgrade
@boyan-soubachov @ernesto-jimenez, could we have a look at this?
Would love to see this integrated as well.
Looking forward to having github.com/pmezard/go-difflib integrated.
Any update on this?
We have enough code to maintain and not enough maintainers. We should instead investigate using another library that provides the same features.
How about https://github.com/martinohmann/go-difflib ?
Move package difflib to internal/difflib.
@miguelalcantar Why do you "need" that change?
@dolmen You closed this PR 3 weeks ago. What do you mean?
Summary
Since go-difflib has been unmaintained for quite some time, the required functions have been taken over into a separate testify package.
Motivation
Unmaintained packages might vanish or be taken over by attackers.
Related issues
Closes #1187
Closes #1159
Closes #736