module updating (mainly for security bugfix) for gobuffalo families

[sio4]

I am writing this issue to track/manage a set of PRs of module updating (mainly for security bugfix) for gobuffalo families.

Related PRs

• update bluemonday to 1.0.16, another security fix github_flavored_markdown#5
• updated modules (mainly 'flect' and 'validate') tags#138
• updated modules (github_flavored_markdown and tags) helpers#19
• updated modules (github_flavored_markdown, tags, helpers, and testify) plush#147

Next

• buffalo and pop
• genny, fizz, buffalo-pop, cli will be checked if they need to be updated.

[paganotoni]

@sio4 all set with these PR's LMK when you proceed with gobuffalo/buffalo and gobuffalo/pop. Thanks in advance!

[sio4]

Thanks for that!

Today, I tried to draw a dependency map of pop first (before buffalo) and I would like to update all possible dependencies, but not sure if doing this is valuable. During this progress which is started for fixing a security bug on bluemonday, I found many of the submodules are already outdated even some of them have bugfixes. What do you think? Is it valuable? If you think so, I will try to update them (most of) all.

Bold are current version and other boxes are old. by the way, do we have any tools to find it automatically? :-)

[paganotoni]

It is definitely valuable, while you put together those update PR's I also saw some of those repos are being tested with old versions of Go and are using the master branch and I took your PR"s as starting point to update that tooling.

It would definitely be beneficial to update those all. We don't have a tool yet for it.

[sio4]

Thanks for your command @paganotoni ! then I will work from the deepest modules also will try update external dependencies such as testify which is used for many packages (version 1.7.0 or version 1.4.0). I made PR for genny as draft, and will update that with newer versions too!

[sio4]

PRs for current stage, which is for packages without buffalo internal dependencies:

• update modules (external, testify v1.7.0) flect#52
• update modules (external deps. see PR comment) nulls#7
• update modules (testify) packd#15
• update modules (testify, go-internal, and godotenv) envy#38
  • removed CurrentPackage() since envy only support go module mode envy#39 (off topic but important)
• update modules (logrus and testify) logger#15

Please take a look at above PRs and release them if there is no issue. Then the next steps will be:

• validte and attrs which depend on flect
• packr which depends on envy and packd

The next would be tags which depends on validate. (followed by helpers, plush, and so on)

Updated dependency map:

[sio4]

Additionally, I found the version control for packr is now not the best solution for go module. I would like to fix this before proceeding with this module updating. Please take a look at my suggestion on gobuffalo/packr#294 and consider if the proposal could be a solution for it. Currently, the tree structure has circular reference and it makes maintaining module dependencies harder.

[sio4]

Started checking dependencies for buffalo, updated some modules, and updated the dependency map.

• update modules (testify and sessions) httptest#16
• update modules (testify) events#8
• Updated module dependencies and fixed package test here#9

[paganotoni]

@sio4 covered the first part, while on it I did update all of those repos to use github actions.

[sio4]

Thank you! I submitted PRs for packages using flect just a minute ago. Will continue for others. By the way, I would like to change directory structure of packr as suggested here. gobuffalo/packr#294 What do you think?

[sio4]

updated packages that use flect.

• updated modules (flect, testify, uuid) validate#28
• updated modules (flect, testify) attrs#3
• updated dependencies for v0 and fixed gobuffalo/buffalo#2154 meta#10 (quick fix for Running "Buffalo new" I get "Error: exit status 2" #2154)
• made master branch to be v2 and updated dependencies packr#295

[sio4]

For those PRs which is not yet reviewed, I just fixed workflow to run go 1.16 and 1.17, also added a badge for the action. I hope it could help your work!

[sio4]

@paganotoni Could you please take a look at the open PRs above? By dependency chain, they are needed to be merged before the next steps.

[sio4]

Just PRed gobuffalo/meta#12.

Current blocking PRs are gobuffalo/validate#28 and gobuffalo/attrs#3 (gobuffalo/tags depends on them).

[sio4]

PRed gobuffalo/tags#139.

Current blocking PR is gobuffalo/packr#295 and gobuffalo/tags#139, next will be helpers followed by plush.

[sio4]

Currently, gobuffalo/genny#41 and gobuffalo/fizz#108 are open. Then next will be pop and buffalo!

Today's dependency map is here!

[sio4]

Phase 1 of the original plan is almost done. Currently buffalo and pop are not finished but it will be done by @fasmat 's work on packr to embed migration.

By the way, originally cli, suite, middleware, cli plugins, and other tools were the target of the next phase. Some of them already have some progress.

Current ongoing PRs:

• upgraded to use meta/v2, removed packr, and updated modules clara#7
• Deprecating packr buffalo-goth#43
• Deprecating packr buffalo-auth#85
• updated and fixed package dependencies, etc. buffalo-heroku#18

[sio4]

Current dependencies

buffalo and pop

cli and major plugins

[fasmat]

With the next release of gobuffalo/buffalo the dependency tree should become quite a bit smaller, we should also avoid overwriting transient dependencies with replace or go get -u (which adds // indirect directives). This also makes the dependency tree significantly smaller

[sio4]

The final dependency graph for buffalo v0.18 as of today, once three remaining PRs are merged.

• Deprecating packr buffalo-goth#43
• Deprecating packr buffalo-auth#85
• updated and fixed package dependencies, etc. buffalo-heroku#18

[sio4]

All PRs were merged even though some of them are not yet released. Closing the issue now.