Description
Hi!
This package vendors github.com/russross/blackfriday as github.com/smallstep/cli-utils/pkg/blackfriday.
What is the reason for this vendoring of an external package?
Is it verbatim, or do you make critical (or cosmetic...) changes?
I help maintain smallstep/cli-utils for Debian, and there is a preference to not vendor code because it is a security nightmare in case of a security bug in some code that is vendored all over the OS.
Thus, we have patched smallstep/cli-utils to use the version of russross/blackfriday that is available with Debian:
All self-tests pass and we haven't received any reports about problems related to this.
However, patching things like this is also a concern, especially when not reported or discussed with upstream. So I wanted to bring this up with you, to have a discussion.
Any thoughts or input on this appreciated.
Thanks,
Simon
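One way to answer the "is it verbatim?" question from the issue above is to diff the vendored tree against the upstream module source. The script below is an added example written for this discussion; it is not code from the issue, from smallstep/cli-utils or from russross/blackfriday. The paths and the two small sample trees it builds are assumptions and constructed data: in real use, `UPSTREAM` would point at the matching blackfriday release (for example the copy in `$(go env GOMODCACHE)`) and `VENDORED` at `pkg/blackfriday` in a cli-utils checkout.

```shell
#!/bin/sh
# Added example (not from the issue or the smallstep project): report whether a
# vendored copy of a Go package is a verbatim copy of its upstream source.

# vendor_diff UPSTREAM VENDORED
# Prints one line per file that was modified, dropped or added in the vendored
# copy. Returns 0 when the trees match, 1 otherwise. VCS metadata and the module
# files that legitimately differ after vendoring (go.mod/go.sum) are ignored.
vendor_diff() {
    upstream="$1"
    vendored="$2"
    out=$(diff -rq -x .git -x go.mod -x go.sum "$upstream" "$vendored")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed \
        -e "s#^Files $upstream/\(.*\) and .* differ#modified: \1#" \
        -e "s#^Only in $upstream#missing in vendored copy#" \
        -e "s#^Only in $vendored#added in vendored copy#"
    return 1
}

# make_demo_trees: builds two constructed sample trees under a temp dir and
# prints its path. The file contents are placeholders, not blackfriday sources.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/upstream" "$base/vendored"
    # identical file in both trees
    printf 'package blackfriday\n\nfunc Run(b []byte) []byte { return b }\n' \
        > "$base/upstream/markdown.go"
    cp "$base/upstream/markdown.go" "$base/vendored/markdown.go"
    # file changed in the vendored copy (constructed placeholder versions)
    printf 'package blackfriday\n\nconst Version = "v0.0.0-example"\n' \
        > "$base/upstream/version.go"
    printf 'package blackfriday\n\nconst Version = "v0.0.0-example-vendored"\n' \
        > "$base/vendored/version.go"
    # file that only exists in the vendored copy
    printf 'package blackfriday\n' > "$base/vendored/extra.go"
    # module file that should be ignored by the comparison
    printf 'module example.invalid/placeholder\n' > "$base/upstream/go.mod"
    printf '%s\n' "$base"
}

# Stand-alone run: compare the constructed sample trees and report the verdict.
base=$(make_demo_trees)
if vendor_diff "$base/upstream" "$base/vendored"; then
    echo "vendored copy is verbatim"
else
    echo "vendored copy carries local changes (listed above)"
fi
rm -rf "$base"
```

The exclusion list is deliberately short: anything beyond `.git`, `go.mod` and `go.sum` that differs is exactly what a distribution maintainer needs to know about before replacing the vendored tree with the system package, so the script lists it rather than hiding it.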