Development policy: how are new dependencies added, existing updated or old ones removed?

[ottok]

I noticed the GitHub cli dependency list is now 54 packages at https://github.com/cli/cli/blob/trunk/go.mod#L7-L63

require (
	github.com/AlecAivazis/survey/v2 v2.3.7
	github.com/MakeNowJust/heredoc v1.0.0
	github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
	github.com/briandowns/spinner v1.23.2
	github.com/cenkalti/backoff/v4 v4.3.0
	github.com/cenkalti/backoff/v5 v5.0.2
	github.com/charmbracelet/glamour v0.10.0
	github.com/charmbracelet/huh v0.7.0
	github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834
	github.com/cli/go-gh/v2 v2.12.1
	github.com/cli/go-internal v0.0.0-20241025142207-6c48bcd5ce24
	github.com/cli/oauth v1.2.0
	github.com/cli/safeexec v1.0.1
	github.com/cpuguy83/go-md2man/v2 v2.0.7
	github.com/creack/pty v1.1.24
	github.com/digitorus/timestamp v0.0.0-20250524132541-c45532741eea
	github.com/distribution/reference v0.6.0
	github.com/gabriel-vasile/mimetype v1.4.9
	github.com/gdamore/tcell/v2 v2.8.1
	github.com/golang/snappy v1.0.0
	github.com/google/go-cmp v0.7.0
	github.com/google/go-containerregistry v0.20.6
	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
	github.com/gorilla/websocket v1.5.3
	github.com/hashicorp/go-multierror v1.1.1
	github.com/hashicorp/go-version v1.7.0
	github.com/henvic/httpretty v0.1.4
	github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec
	github.com/in-toto/attestation v1.1.2
	github.com/joho/godotenv v1.5.1
	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
	github.com/mattn/go-colorable v0.1.14
	github.com/mattn/go-isatty v0.0.20
	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
	github.com/microsoft/dev-tunnels v0.1.13
	github.com/muhammadmuzzammil1998/jsonc v1.0.0
	github.com/opentracing/opentracing-go v1.2.0
	github.com/rivo/tview v0.0.0-20250625164341-a4a78f1e05cb
	github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
	github.com/sigstore/protobuf-specs v0.5.0
	github.com/sigstore/sigstore-go v1.1.0
	github.com/spf13/cobra v1.9.1
	github.com/spf13/pflag v1.0.6
	github.com/stretchr/testify v1.10.0
	github.com/theupdateframework/go-tuf/v2 v2.1.1
	github.com/yuin/goldmark v1.7.12
	github.com/zalando/go-keyring v0.2.6
	golang.org/x/crypto v0.40.0
	golang.org/x/sync v0.16.0
	golang.org/x/term v0.33.0
	golang.org/x/text v0.27.0
	google.golang.org/grpc v1.73.0
	google.golang.org/protobuf v1.36.6
	gopkg.in/h2non/gock.v1 v1.1.2
	gopkg.in/yaml.v3 v3.0.1
)

Are all these dependencies really required?

What is the development policy, how do you vet and decide to add new dependencies?

Not more than 18 months ago the dependency list had only 41 packages at https://github.com/cli/cli/blob/v2.46.0/go.mod#L5C1-L47C2

Graphical diff for reference:

Among these dependencies that were added is Netflix/go-expect and hinshun/vt10x which have no updates in past 3 years and might not be maintained anymore. Do you trust these to still get e.g. security updates?

Of the previous dependencies, google/shlex has not had any updates in 6 years and is officially archived already, and kballard/go-shellquote has not had any updates in 7 years. Package MakeNowJust/heredoc is at version v1.0.0 that is 6 years old, instead of using the latest v2 series. Package hashicorp/go-multierror stopped making tagged releases in 2021, you might want to stop referring to v1.1.1 of it and use git head from 2025 instead. Package gopkg.in/yaml.v3 has been archived last year and seems people have moved to use kubernetes-sigs/yaml instead.

Should GitHub cli perhaps adopt some policy on how dependencies are updated or removed to ensure they don't become too outdated?

Additionally I noticed there are two versions of the same backoff library. Ideally the code base would be updated to only need v5 so that v4 can be dropped.

    github.com/cenkalti/backoff/v4 v4.3.0
    github.com/cenkalti/backoff/v5 v5.0.2

None of these dependencies is urgent to fix. I am only posting this issue here for discussion and input for a potential development policy on how to add/update/remove dependencies going forward. I maintain the package gh in Debian, so I have a vested interest in seeing that the dependencies don't sprawl out and the ones that are used are kept at their latest versions.

[babakks]

Thanks for your valuable feedback and your continued support for gh, @ottok! 🍻

Actually we tend to be super careful when it comes to adding new dependencies; in terms of both security and maintenance. And it's not really a common thing to add new dependencies. Most of the new dependencies you've noticed are due to the addition of the gh attestation command set, and their fresh needs:

• github.com/digitorus/timestamp
• github.com/distribution/reference
• github.com/golang/snappy
• github.com/google/go-containerregistry
• github.com/in-toto/attestation
• github.com/sigstore/protobuf-specs
• github.com/sigstore/sigstore-go
• github.com/theupdateframework/go-tuf/v2

Recently, we have updated our Dependabot configuration to nudge us on any minor/patch release (it was just for patch releases in the past), because we identified we're falling behind on some of our deps.

But that said, we definitely need to review our dependencies and see if there are cases that we can change or drop in favour of simpler inline implementations.

Looking into cases mentioned here

I was just curious to see why we're using these modules that @ottok mentioned, and here's a short report. I thought it'll be helpful for future when we get back to review the deps.

Modules that can be dropped/replaced

• github.com/hashicorp/go-multierror: used in only two commands, and the final combined error value is not used by other parts of the code (i.e. returned as RunE return value). So, this one can be investigated and replaced with simple inline implementation to keep the same behaviour.

• github.com/cenkalti/backoff/v4 and /v5: these are used in two different command sets, codespaces and attestations. Probably we should upgrade codespaces commands to migrate to /v5.

Modules used only in tests

• github.com/Netflix/go-expect
• github.com/hinshun/vt10x
• github.com/yuin/goldmark

Modules not in active development

• github.com/kballard/go-shellquote: potential alternative is github.com/buildkite/shellwords.
• github.com/MakeNowJust/heredoc: we should probably move toward v2 of this module, but even that (v2.0.1) goes back to 2019.

Archived modules

• gopkg.in/yaml.v3: #10784 has been created for this one.
• github.com/google/shlex: used for parsing a command into components. There aren't promising alternatives for it out there. For example, this is a similar issue on kubernetes-sigs/kustomize.

[andyfeller]

As @babakks alluded to, the GitHub CLI maintainers have been working to staying current on GitHub Actions, Go modules, and Go toolchain updates to improve security.

• https://github.com/cli/cli/blob/trunk/.github/dependabot.yml

  drives updates for GitHub Actions and Go go.mod dependencies with the latter picking up minor and patch releases

• https://github.com/cli/cli/blob/trunk/.github/workflows/bump-go.yml

  drives updates for Go toolchain directive so security fixes and improved features from Go maintainers that Dependabot can't support

• https://github.com/cli/cli/blob/trunk/.github/workflows/govulncheck.yml

  drives checking for Go vulnerabilities, doesn't update anything but another mechanism for staying on top of security concerns.

[ReuelAlbert-Dev]

New dependencies are added sparingly and only when absolutely necessary.

[ottok]

Thanks @babakks for a review of the current dependencies and all of you for the replies!

While the Go tooling and Dependabot can help automate bumping dependencies and tracking CVEs, there are many situations the tooling won't detect:

• Widely used libraries that get superseded by built-in features in new Go versions (requires a human to read Go release notes)
• Libraries that slow down or stop publishing new versions, and are superseded by a more popular fork (requires a human reading git network graphs, star counts or download counts)
• Libraries that officially shut down or get archived and start discourage their usage altogether (requires a human to view the project and decide what is the risk level to keep it around without any maintenance)

If tooling could automatically do this, then having the tooling in CI would be enough. But as humans and their judgement are needed for this, some kind of development policy about bi-annual reviews etc or extra approvals process for new dependencies might help with dependency management beyond one-off ad-hoc reviews.

Perhaps add a new section "Dependency guidelines" in https://github.com/cli/cli/blob/trunk/.github/CONTRIBUTING.md#design-guidelines ?

[ferhatelmas]

I thought I could take a stab for this and dropped github.com/hashicorp/go-multierror in #12234 as a starter.