[
https://issues.apache.org/jira/browse/YUNIKORN-2416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yu-Lin Chen updated YUNIKORN-2416:
----------------------------------
Description:
The replace directives should be used when
1. the dependency is indirect, AND
2. the indirect version is too old or has CVEs/compatibility issues
Once the replace directives are set up, we won't remove the replace directive
even if the issues are fixed in a newer indirect version. One reason is to
reduce maintenance effort. Another reason is that we can't ensure that the poor
dependency won't be pulled back in a later indirect release.
Please refer to the PR discussion for more details:
* https://github.com/apache/yunikorn-k8shim/pull/794
We maintain the replace directives with moderate effort.
For example: the core repo has the following deps in the replace block:
golang.org/x/crypto => golang.org/x/crypto v0.18.0
this should be changed to 0.19.0 since the indirect version is v0.19.0
golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
this should be removed since we don't use it actually, and golangci-lint is
replacement in our CI.
golang.org/x/net => golang.org/x/net v0.20.0
this should be upgraded to v0.21.0
golang.org/x/sys => golang.org/x/sys v0.16.0
this should be changed to v0.17.0 since the indirect version is v0.17.0
golang.org/x/text => golang.org/x/text v0.14.0
this should be kept even if the indirect version is v0.14.0
golang.org/x/tools => golang.org/x/tools v0.17.0
this should be kept in the replace since the resolved version is v0.6.0 and it
is too stale (released on Feb 8, 2023)
was:
The replace directives should be used when
1. the dependency is indirect, AND
2. the indirect version is too old or has CVEs
For example: the core repo has the following deps in the replace block:
golang.org/x/crypto => golang.org/x/crypto v0.18.0
this should be removed since the indirect version is v0.19.0
golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
this should be removed since we don't use it actually, and golangci-lint is
replacement in our CI.
golang.org/x/net => golang.org/x/net v0.20.0
this should be removed since this dep is used directly
golang.org/x/sys => golang.org/x/sys v0.16.0
this should be removed since the indirect version is v0.17.0
golang.org/x/text => golang.org/x/text v0.14.0
this should be removed since the indirect version is v0.14.0
golang.org/x/tools => golang.org/x/tools v0.17.0
this is the only one we should keep in the replace since the resolved version
is v0.6.0 and it is too stale (released on Feb 8, 2023)
> Cleanup replace directives
> --------------------------
>
> Key: YUNIKORN-2416
> URL: https://issues.apache.org/jira/browse/YUNIKORN-2416
> Project: Apache YuniKorn
> Issue Type: Improvement
> Reporter: Chia-Ping Tsai
> Assignee: Yu-Lin Chen
> Priority: Minor
> Labels: pull-request-available
> Fix For: 1.5.0
>
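The audit the issue describes (compare each replace pin against the version the module graph resolves, then bump, keep or drop the pin) as an added Go example; it is not part of the YuniKorn code base. The go.mod text below is constructed from the versions quoted in the issue and is not the real core repo file, and the parser is a deliberately small hand-written one rather than golang.org/x/mod/modfile, so it only understands the "path version [// indirect]" and "path => path version" forms.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed excerpt modelled on the versions listed in the
// issue; it is not the actual core repo go.mod. The require block holds the
// version the module graph resolves, the replace block holds the pin.
const sampleGoMod = `module example.com/core

go 1.21

require (
	golang.org/x/crypto v0.19.0 // indirect
	golang.org/x/net v0.21.0 // indirect
	golang.org/x/sys v0.17.0 // indirect
	golang.org/x/text v0.14.0 // indirect
	golang.org/x/tools v0.6.0 // indirect
)

replace (
	golang.org/x/crypto => golang.org/x/crypto v0.18.0
	golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
	golang.org/x/net => golang.org/x/net v0.20.0
	golang.org/x/sys => golang.org/x/sys v0.16.0
	golang.org/x/text => golang.org/x/text v0.14.0
	golang.org/x/tools => golang.org/x/tools v0.17.0
)
`

// requirement is one entry of the require block.
type requirement struct {
	version  string
	indirect bool
}

// parseGoMod extracts require and replace entries from go.mod text.
func parseGoMod(text string) (req map[string]requirement, rep map[string]string) {
	req = map[string]requirement{}
	rep = map[string]string{}
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case strings.HasSuffix(line, "("):
			block = strings.TrimSpace(strings.TrimSuffix(line, "("))
			continue
		case line == ")":
			block = ""
			continue
		}
		kind := block
		if kind == "" { // single-line form: "require path v1", "replace a => b v1"
			fields := strings.SplitN(line, " ", 2)
			if len(fields) < 2 {
				continue
			}
			kind, line = fields[0], strings.TrimSpace(fields[1])
		}
		f := strings.Fields(line)
		switch {
		case kind == "require" && len(f) >= 2:
			req[f[0]] = requirement{version: f[1], indirect: strings.Contains(line, "// indirect")}
		case kind == "replace" && len(f) == 4 && f[1] == "=>":
			rep[f[0]] = f[3] // directory replacements carry no version and are skipped
		}
	}
	return req, rep
}

// compareVersions orders vMAJOR.MINOR.PATCH[-prerelease] strings and returns
// -1, 0 or 1. Pseudo-versions such as v0.0.0-2021...-abc are prereleases of
// their base version and therefore sort below it.
func compareVersions(a, b string) int {
	split := func(v string) ([3]int, string) {
		base, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
		var nums [3]int
		for i, p := range strings.SplitN(base, ".", 3) {
			nums[i], _ = strconv.Atoi(p)
		}
		return nums, pre
	}
	an, ap := split(a)
	bn, bp := split(b)
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// auditReplaces applies the issue's rules to every replace directive and
// returns one recommendation per replaced module path.
func auditReplaces(gomod string) map[string]string {
	req, rep := parseGoMod(gomod)
	out := map[string]string{}
	for path, pinned := range rep {
		r, used := req[path]
		switch {
		case !used:
			out[path] = "remove: not required by the module graph"
		case !r.indirect:
			out[path] = "review: direct dependency, bump its require line instead"
		case compareVersions(pinned, r.version) < 0:
			out[path] = "bump replace to " + r.version + " (graph already resolves above the pin)"
		case compareVersions(pinned, r.version) == 0:
			out[path] = "keep: pin matches the resolved version " + r.version
		default:
			out[path] = "keep: pin " + pinned + " raises the stale resolved version " + r.version
		}
	}
	return out
}

func main() {
	advice := auditReplaces(sampleGoMod)
	paths := make([]string, 0, len(advice))
	for p := range advice {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%-22s %s\n", p, advice[p])
	}
}
```

Running it prints one line per pin: x/crypto, x/net and x/sys come out as "bump", x/lint as "remove" because nothing requires it, x/text as "keep" with a matching version, and x/tools as "keep" because the pin at v0.17.0 is what lifts the graph off the stale v0.6.0.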
--
This message was sent by Atlassian Jira
(v8.20.10#820010)