Unmaintained dependency go-flags

Question

Unmaintained dependency go-flags

rudyardrichter opened this issue 10 months ago · comments

Rudyard Richter commented 10 months ago

(This isn't really a feature proposal per se, apologies if this is the wrong format!)

Introduction

It appears that the go-flags project is no longer maintained. It would be nice to remove the dependency on go-flags.

Proposal

The current option parsing is probably simple enough to just use the standard library flag package (though the parsing might look different with #1618).

Ben Drucker · Answer 1 · Wed Jul 12 2023 06:16:39 GMT+0800 (China Standard Time)

Feel free to submit a PR if you're interested in contributing this. Otherwise, I don't think we need an open issue here, since "not maintained" is just a negative way to frame "done." If there are maintenance issues going unsolved that affect TFLint then it becomes an issue.

Ben Drucker · Answer 2 · Wed Jul 12 2023 06:18:04 GMT+0800 (China Standard Time)

Not to say this might not change, but it'll likely be for user-facing motivations like subcommands versus an internal refactor because a module isn't getting any more updates.

Rudyard Richter · Answer 3 · Wed Jul 12 2023 06:54:42 GMT+0800 (China Standard Time)

Ok thank you! Just wanted to gauge if such a PR would be welcome.

"not maintained" is just a negative way to frame "done."

In this case, go-flags actually has open bugs and one issue to update a dependency past CVE-affected versions.

Ben Drucker · Answer 4 · Wed Jul 12 2023 07:11:47 GMT+0800 (China Standard Time)

Fair enough, does the CVE apply to TFLint's usage? If so we should retitle this issue around that and fork/vendor/fix immediately, regardless of refactoring plans.

Rudyard Richter · Answer 5 · Wed Jul 12 2023 07:30:05 GMT+0800 (China Standard Time)

At a glance, I don't think it affects tflint; probably just a good idea to move away before other CLI-related work happens.