go-openapi / strfmt

openapi toolkit common string formats

Consider removing mongo-db-driver dependency

padamstx opened this issue · comments

In #90, I reported a vulnerability that strfmt users have started to see reports of, due to the strfmt->mongo-db-driver->packr dependency chain. As soon as a new version of mongo-db-driver is available that bumps its packr dependency, we should change this project to use the newer mongo-db-driver version in order to avoid the vulnerability.

However, while looking for alternate ways to address the vulnerability, I noticed that the only real dependency that the strfmt project has on mongo-db-driver is its "bson" package. So, I was wondering about the feasibility of removing the mongo-db-driver dependency altogether. Is there perhaps an alternate implementation of the "bson" functionality that would suffice? Perhaps there's a way to extract out the mongo-db-driver "bson" package into its own module so that strfmt can depend on just that by itself?
Removing the mongo-db-driver dependency would also significantly reduce the dependency drag currently associated with the project.
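The chain described in the opening post (strfmt -> mongo-db-driver -> packr) is exactly what `go mod graph` reports, one edge per line. The following is an added example, not code from the strfmt project or from the issue author: it parses a constructed `go mod graph` snippet (module paths are real, the version numbers are placeholders) and finds the shortest module path from a root module to a named vulnerable module, which is the first thing a practitioner wants when triaging a transitive-dependency report.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output.
// Each line is "<from>@<version> <to>@<version>"; the root module has no
// version. The versions below are placeholders, not real release numbers.
const sampleGraph = `github.com/example/app github.com/go-openapi/strfmt@v0.1.0
github.com/example/app golang.org/x/text@v0.1.0
github.com/go-openapi/strfmt@v0.1.0 go.mongodb.org/mongo-driver@v0.1.0
github.com/go-openapi/strfmt@v0.1.0 github.com/go-openapi/errors@v0.1.0
go.mongodb.org/mongo-driver@v0.1.0 github.com/gobuffalo/packr@v0.1.0
go.mongodb.org/mongo-driver@v0.1.0 github.com/stretchr/testify@v0.1.0
github.com/gobuffalo/packr@v0.1.0 github.com/pkg/errors@v0.1.0
`

// modulePath strips the "@version" suffix so that edges are keyed by module
// path; a security question is usually "is module X reachable at all", not
// "is X at version Y reachable".
func modulePath(s string) string {
	if i := strings.IndexByte(s, '@'); i >= 0 {
		return s[:i]
	}
	return s
}

// parseGraph turns `go mod graph` text into an adjacency list.
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		from, to := modulePath(fields[0]), modulePath(fields[1])
		edges[from] = append(edges[from], to)
	}
	return edges
}

// shortestPath does a breadth-first search from root and returns the chain
// of modules leading to target, or nil if target is not in the module graph
// reachable from root (i.e. the reported module cannot be pulled in through
// this root at all).
func shortestPath(edges map[string][]string, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := prev[next]; seen {
				continue
			}
			prev[next] = cur
			queue = append(queue, next)
		}
	}
	return nil
}

func main() {
	edges := parseGraph(sampleGraph)
	path := shortestPath(edges, "github.com/example/app", "github.com/gobuffalo/packr")
	if path == nil {
		fmt.Println("packr is not reachable from the root module")
		return
	}
	fmt.Println(strings.Join(path, " -> "))
}
```

To use it against a real project, pipe `go mod graph` into the parser instead of the constructed constant. One caveat: the module graph over-approximates what gets built. As the post notes, strfmt only imports the driver's `bson` package, so the packr code may never be compiled into a binary even though packr sits in the module graph; `go list -deps` on the actual binary's packages, or `govulncheck`, answers that narrower question.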

Previously, https://github.com/go-mgo/mgo was an alternative, but it has been deprecated. I am not aware of any replacement.

The driver package and the associated BSON implementation are maintained by MongoDB, Inc. I think it would be better to use that one instead of alternatives.

That being said, the entire MongoDB driver is too much for what this package needs. It would be great if they can separate BSON from the MongoDB driver.

Another alternative may be making the BSON part separate from this package, but this wouldn't be straightforward.

I wonder if the MongoDB folks would be willing to separate out their BSON functionality into a different package. That way, strfmt and the Mongo driver packages could both prereq it as needed.

I'm not in favor of using alternative packages except for the official ones. Unofficial implementations tend to bitrot as people move on, so to ensure compatibility it's safer to depend on the official package for longer term. The reason mgo got removed was for this exact reason.

However, if the mongodb folks could split off bson, or even just put a go.mod file in that directory, we should be good.