
Don't vendor pkg/blackfriday? #215

@jas4711


Hi!

This package vendors github.com/russross/blackfriday as github.com/smallstep/cli-utils/pkg/blackfriday.

What is the reason for this vendoring of an external package?

Is it verbatim, or do you make critical (or cosmetic...) changes?

I help maintain smallstep/cli-utils for Debian, and there is a preference to not vendor code because it is a security nightmare in case of a security bug in some code that is vendored all over the OS.

Thus, we have patched smallstep/cli-utils to use the version of russross/blackfriday that is available with Debian:

https://salsa.debian.org/go-team/packages/golang-github-smallstep-cli-utils/-/blob/debian/latest/debian/patches/0002-Do-not-vendor-blackfriday.patch?ref_type=heads

All self-tests pass, and we haven't received any reports of problems related to this.

However, patching things like this is also a concern, especially when not reported or discussed with upstream. So I wanted to bring this up with you, to have a discussion.

Any thoughts or input on this appreciated.

Thanks,
Simon
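A check that a downstream packager or reviewer can run to answer the "is it verbatim?" question above: walk the vendored copy and an upstream checkout, hash every file, and report what is identical, modified, or present on only one side. This is an added example, not code from the issue or from the cli-utils project; the directory names, the skipped `.git` / `testdata` directories, and the sample file contents are all constructed for the demonstration.

```python
"""Compare a vendored package directory against its upstream source tree.

Added example (not from the issue or the smallstep/cli-utils project):
hashes every regular file under two trees and classifies each path as
identical, modified, only in the vendored copy, or only in upstream.
Pointing it at pkg/blackfriday and a checkout of the matching upstream
module shows at a glance whether the vendored copy carries local patches.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: VCS metadata and test fixtures are not part of the shipped code.
SKIP_DIRS = {".git", "testdata"}


def _hash_tree(root):
    """Map each file path (relative to root, POSIX style) to the SHA-256 of its bytes."""
    root = Path(root)
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(vendored, upstream):
    """Classify files into identical / modified / only_in_vendored / only_in_upstream."""
    v, u = _hash_tree(vendored), _hash_tree(upstream)
    common = v.keys() & u.keys()
    return {
        "identical": sorted(p for p in common if v[p] == u[p]),
        "modified": sorted(p for p in common if v[p] != u[p]),
        "only_in_vendored": sorted(v.keys() - u.keys()),
        "only_in_upstream": sorted(u.keys() - v.keys()),
    }


def is_verbatim(report):
    """True only if every upstream file is present and byte-identical in the vendored copy.

    Extra files on the vendored side (a README or notes) do not by themselves
    make the copy non-verbatim; a modified or missing upstream file does.
    """
    return not (report["modified"] or report["only_in_upstream"])


def demo():
    """Build two constructed trees that differ in one file and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp, "upstream")
        vd = Path(tmp, "vendored")
        for base in (up, vd):
            (base / "sub").mkdir(parents=True)
            (base / "markdown.go").write_text("package blackfriday\n")
            (base / "sub" / "html.go").write_text("package blackfriday // html\n")
        # Constructed local divergence: the vendored copy patches one file and adds another.
        (vd / "sub" / "html.go").write_text("package blackfriday // html, patched\n")
        (vd / "LOCAL_NOTES.md").write_text("why this copy exists\n")
        # Constructed VCS metadata on the upstream side; must be ignored by the comparison.
        (up / ".git").mkdir()
        (up / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        return compare_trees(vd, up)


if __name__ == "__main__":
    import json

    report = demo()
    print(json.dumps(report, indent=2))
    print("verbatim:", is_verbatim(report))
```

For a real check, replace `demo()` with `compare_trees("pkg/blackfriday", "/path/to/upstream/blackfriday")`; a non-empty `modified` list is the set of files a distro patch that swaps in the system copy would silently revert.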
