[ 
https://issues.apache.org/jira/browse/YUNIKORN-2416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17819850#comment-17819850
 ] 

Yu-Lin Chen commented on YUNIKORN-2416:
---------------------------------------

Change the Jira description based on the discussion under this PR:
 * [https://github.com/apache/yunikorn-k8shim/pull/794]

> Cleanup replace directives
> --------------------------
>
>                 Key: YUNIKORN-2416
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-2416
>             Project: Apache YuniKorn
>          Issue Type: Improvement
>            Reporter: Chia-Ping Tsai
>            Assignee: Yu-Lin Chen
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 1.5.0
>
>
> The replace directives should be used when
> 1. the dependency is indirect, AND
> 2. the indirect version is too old or has CVEs/compatibility issues
> Once the replace directives are set up, we won't remove the replace directive 
> even if the issues are fixed in a newer indirect version.  One reason is to 
> reduce maintenance effort. Another reason is that we can't ensure that the 
> poor dependency won't be pulled back in by a later indirect release.
> Please refer to the PR discussion for more details:
>  * https://github.com/apache/yunikorn-k8shim/pull/794
> We maintain the replace directives with moderate effort. 
> For example: core repo has the following deps in the replace
> golang.org/x/crypto => golang.org/x/crypto v0.18.0
> this should be changed to 0.19.0 since the indirect version is v0.19.0
> golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
> this should be removed since we don't actually use it, and golangci-lint is 
> the replacement in our CI.
> golang.org/x/net => golang.org/x/net v0.20.0
> this should be upgraded to v0.21.0
> golang.org/x/sys => golang.org/x/sys v0.16.0
> this should be changed to v0.17.0 since the indirect version is v0.17.0
> golang.org/x/text => golang.org/x/text v0.14.0
> this should be kept even if the indirect version is v0.14.0
> golang.org/x/tools => golang.org/x/tools v0.17.0
> this should be kept in the replace since the resolved version is v0.6.0 and it 
> is too stale (released on Feb 8, 2023)


