[
https://issues.apache.org/jira/browse/YUNIKORN-2416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yu-Lin Chen updated YUNIKORN-2416:
----------------------------------
Description:
The replace directives should be used when
1. the dependency is indirect, AND
2. the indirect version is too old or has CVEs
For example: core repo has following deps in the replace
golang.org/x/crypto => golang.org/x/crypto v0.18.0
this should be removed since the indirect version is v0.19.0
golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
this should be removed since we don't use it actually, and golangci-lint is
replacement in our CI.
golang.org/x/net => golang.org/x/net v0.20.0
this should be removed since this dep is used directly
golang.org/x/sys => golang.org/x/sys v0.16.0
this should be removed since the indirect version is v0.17.0
golang.org/x/text => golang.org/x/text v0.14.0
this should be removed since the indirect version is v0.14.0
golang.org/x/tools => golang.org/x/tools v0.17.0
this is the only one we should keep in the replace since the resolved version
is v0.6.0 and it is too stale (released on Feb 8, 2023)
was:
The replace directives should be used only if
1. the dependency is indirect, AND
2. the indirect version is too old or has CVEs
For example: core repo has following deps in the replace
golang.org/x/crypto => golang.org/x/crypto v0.18.0
this should be removed since the indirect version is v0.19.0
golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
this should be removed since we don't use it actually, and golangci-lint is
replacement in our CI.
golang.org/x/net => golang.org/x/net v0.20.0
this should be removed since this dep is used directly
golang.org/x/sys => golang.org/x/sys v0.16.0
this should be removed since the indirect version is v0.17.0
golang.org/x/text => golang.org/x/text v0.14.0
this should be removed since the indirect version is v0.14.0
golang.org/x/tools => golang.org/x/tools v0.17.0
this is the only one we should keep in the replace since the resolved version
is v0.6.0 and it is too stale (released on Feb 8, 2023)
> Cleanup replace directives
> --------------------------
>
> Key: YUNIKORN-2416
> URL: https://issues.apache.org/jira/browse/YUNIKORN-2416
> Project: Apache YuniKorn
> Issue Type: Improvement
> Reporter: Chia-Ping Tsai
> Assignee: Yu-Lin Chen
> Priority: Minor
> Labels: pull-request-available
> Fix For: 1.5.0
>
>
> The replace directives should be used when
> 1. the dependency is indirect, AND
> 2. the indirect version is too old or has CVEs
> For example: core repo has following deps in the replace
> golang.org/x/crypto => golang.org/x/crypto v0.18.0
> this should be removed since the indirect version is v0.19.0
> golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
> this should be removed since we don't use it actually, and golangci-lint is
> replacement in our CI.
> golang.org/x/net => golang.org/x/net v0.20.0
> this should be removed since this dep is used directly
> golang.org/x/sys => golang.org/x/sys v0.16.0
> this should be removed since the indirect version is v0.17.0
> golang.org/x/text => golang.org/x/text v0.14.0
> this should be removed since the indirect version is v0.14.0
> golang.org/x/tools => golang.org/x/tools v0.17.0
> this is the only one we should keep in the replace since the resolved version
> is v0.6.0 and it is too stale (released on Feb 8, 2023)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
