change yaml library to go.yaml.in/yaml/v3#1772
change yaml library to go.yaml.in/yaml/v3#1772boekkooi-impossiblecloud wants to merge 2 commits intostretchr:masterfrom
Conversation
The [go-yaml](https://github.com/go-yaml/yaml/) project was archived on Apr 1, 2025 and is no longer maintained. Luckily the official YAML organization forked the project and is maintaining it under https://github.com/yaml/go-yaml/tree/v3.
|
There is work in progress about the license of that project: yaml/go-yaml#6 So we should block until that is stabilized. |
License of go-yaml has changed to Apache now. This PR can move forward |
|
The change are only on main branch for now. go-yaml has only released -rc for now for the v4. It might be a bit early |
|
I'd like to see this PR merged, with the v3 tag it now has, while the YAML organization works on v4. That move would make it easier to get buy-in for using Testify at organizations that balk at running abandonware. The main branch's README received a July 30 update that makes it clear that v3 will receive security updates. |
|
I think this is good to be merged, so instantly all indirect dependencies to the archive repo would disappear. |
* fixes go-openapi#127 The direct dependencies to this archived repo have been replaced by the active fork imported from go.yaml.in/yaml/v3. NOTE: an indirect dependency remains from stretchr/testify. There is an open PR there to solve this stretchr/testify#1772. There is not much I can do here to remove this indirect test dependency. Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
* fixes #127 The direct dependencies to this archived repo have been replaced by the active fork imported from go.yaml.in/yaml/v3. NOTE: an indirect dependency remains from stretchr/testify. There is an open PR there to solve this stretchr/testify#1772. There is not much I can do here to remove this indirect test dependency. Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
|
The majority of testify users would need to wait until we make a release to benefit from this. Recently we've been on a (very) approximate 6-monthly release cadence, that's not to say we couldn't release earlier than expected to mitigate this and another EOL dependency. My point is that there isn't a pressing need to rush this. We really do want to merge this, but v4 is in release candidate so I don't think it will be all that long now. |
|
Happy New Year! Would be nice to see this merged- it's our only remaining dependency on the old library... |
This was not completly finished in the last one. It is a problem of testify, but they are working on it (see stretchr/testify#1772). This hopefully fixes that
This was not completely finished in the last one. It is a problem of testify, but they are working on it (see stretchr/testify#1772). This hopefully fixes that --------- Co-authored-by: Nico Haas <nico.haas@aisec.fraunhofer.de>
| gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= | ||
| gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
| gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | ||
| gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= |
There was a problem hiding this comment.
Why is gopkg.in/yaml.v3@v3.0.1 still referenced here? A go mod tidy is probably missing...
There was a problem hiding this comment.
@dolmen running go mod tidy has no effect as go mod graph show that github.com/stretchr/objx has a dependency on go.yaml.in/yaml/v3.
However, based on stretchr/objx#146 this seems to be a circular dependency on testify.
In my opinion as no for gopkg.in/yaml.v3 is downloaded this should not be a blocker.
> go mod graph
github.com/stretchr/testify go.yaml.in/yaml/v3@v3.0.4
github.com/stretchr/objx@v0.5.2 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/objx@v0.5.2 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/objx@v0.5.2 gopkg.in/yaml.v3@v3.0.1
go.yaml.in/yaml/v3@v3.0.4 gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405
There was a problem hiding this comment.
I could update to github.com/stretchr/objx@v0.5.3 which removes the testify dependency if you prefer.
Summary
The go-yaml project was archived on Apr 1, 2025 and is no longer maintained. Luckily the official YAML organization forked the project and is maintaining it under https://github.com/yaml/go-yaml/tree/v3.
Changes
Replaced all occurrences of
gopkg.in/yaml.v3withgo.yaml.in/yaml/v3Motivation
go-yaml was archived on Apr 1.
Related issues