Dependabot is asking us to upgrade clickhouse-go because it depends on a vulnerable version of Docker. My reaction was: hmmm, why does clickhouse-go need Docker? After inspecting the repo, it seems the docker package is only needed for tests.
Would the maintainers be open to a PR that updates the release to trim down excess deps which aren't needed by the distributed package, to reduce dependabot burden when depending on this package?
e.g. try running these commands to remove packages that aren't needed for distribution:
rm -rf tests benchmark examples $(git ls-files '*_test.go')
go mod tidy
git diff -- go.mod
this removes a large number of deps:
require (
github.com/ClickHouse/ch-go v0.71.0
github.com/andybalholm/brotli v1.2.0
- github.com/docker/docker v28.5.2+incompatible
- github.com/docker/go-units v0.5.0
github.com/google/uuid v1.6.0
- github.com/mkevac/debugcharts v0.0.0-20191222103121-ae1c48aa8615
github.com/paulmach/orb v0.12.0
github.com/shopspring/decimal v1.4.0
- github.com/stretchr/testify v1.11.1
- github.com/testcontainers/testcontainers-go v0.40.0
go.opentelemetry.io/otel/trace v1.41.0
go.yaml.in/yaml/v3 v3.0.4
- golang.org/x/net v0.50.0
)
require go.opentelemetry.io/otel v1.41.0 // indirect
require (
- dario.cat/mergo v1.0.2 // indirect
- github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
- github.com/Microsoft/go-winio v0.6.2 // indirect
- github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
- github.com/containerd/errdefs v1.0.0 // indirect
- github.com/containerd/errdefs/pkg v0.3.0 // indirect
- github.com/containerd/log v0.1.0 // indirect
- github.com/containerd/platforms v0.2.1 // indirect
- github.com/cpuguy83/dockercfg v0.3.2 // indirect
- github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/distribution/reference v0.6.0 // indirect
- github.com/docker/go-connections v0.6.0 // indirect
- github.com/ebitengine/purego v0.8.4 // indirect
- github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-faster/city v1.0.1 // indirect
github.com/go-faster/errors v0.7.1 // indirect
- github.com/go-logr/logr v1.4.3 // indirect
- github.com/go-logr/stdr v1.2.2 // indirect
- github.com/go-ole/go-ole v1.2.6 // indirect
- github.com/gorilla/websocket v1.4.2 // indirect
github.com/klauspost/compress v1.18.3 // indirect
- github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
- github.com/magiconair/properties v1.8.10 // indirect
- github.com/moby/docker-image-spec v1.3.1 // indirect
- github.com/moby/go-archive v0.1.0 // indirect
- github.com/moby/patternmatcher v0.6.0 // indirect
- github.com/moby/sys/sequential v0.6.0 // indirect
- github.com/moby/sys/user v0.4.0 // indirect
- github.com/moby/sys/userns v0.1.0 // indirect
- github.com/moby/term v0.5.0 // indirect
- github.com/morikuni/aec v1.0.0 // indirect
- github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/opencontainers/image-spec v1.1.1 // indirect
+ github.com/kr/pretty v0.3.1 // indirect
github.com/pierrec/lz4/v4 v4.1.25 // indirect
- github.com/pkg/errors v0.9.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
- github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+ github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/segmentio/asm v1.2.1 // indirect
- github.com/shirou/gopsutil v3.21.11+incompatible // indirect
- github.com/shirou/gopsutil/v4 v4.25.6 // indirect
- github.com/sirupsen/logrus v1.9.3 // indirect
- github.com/tklauser/go-sysconf v0.3.12 // indirect
- github.com/tklauser/numcpus v0.6.1 // indirect
- github.com/yusufpapurcu/wmi v1.2.4 // indirect
- go.opentelemetry.io/auto/sdk v1.2.1 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
- go.opentelemetry.io/otel/metric v1.41.0 // indirect
- go.opentelemetry.io/proto/otlp v1.0.0 // indirect
- golang.org/x/crypto v0.48.0 // indirect
golang.org/x/sys v0.41.0 // indirect
- gopkg.in/yaml.v3 v3.0.1 // indirect
+ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
)
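Review bot: the trimmed go.mod gains three indirect requirements the original did not have (the `+` lines above: `github.com/kr/pretty v0.3.1`, `github.com/rogpeppe/go-internal v1.14.1` and `gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c`), so the change is not a pure removal. Before wiring this into a release step, run `go mod why -m gopkg.in/check.v1` (and the same for the other two) in the trimmed tree to confirm what pulls them in and whether they are themselves test-only; a dependency-trimming change that quietly adds modules will show up in downstream Dependabot graphs exactly like the Docker requirement it is meant to remove.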
Some possible approaches:
- Run these commands in the GitHub workflow before releasing (simplest):
rm -rf tests benchmark examples $(git ls-files '*_test.go') && go mod tidy (this is a little ugly since it mutates the work tree, but maybe this could be done in a separate, temporary git worktree)
- Add modules for the tests / benchmark packages etc. and introduce go.work (multi-module workspace), and only distribute the root module (more complicated, but maybe better if the release tool is meant to be run locally and you all don't want to mess with the local repo state?)
I would be happy to send draft PRs for either approach (or both approaches, for easier comparison) if the maintainers agree this seems worth improving.
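The first approach, carried out in a throwaway git worktree so the developer's checkout is never mutated, as an added example (this is not code from clickhouse-go or from the issue author). It performs the same `rm -rf` + `go mod tidy` sequence as the one-liner above on a detached worktree of the requested ref, prints the resulting go.mod, and separately reports which `require` entries the trimmed go.mod drops relative to the checked-in one, which is the information a reviewer of such a PR wants to see. Assumptions: the repository root is the module root, the layout named above (tests, benchmark, examples, *_test.go files) and git and go on PATH; the script name trim_release_deps.sh, the function names and the `report` subcommand are my own.

```shell
#!/bin/sh
# trim_release_deps.sh (added example; not part of clickhouse-go).
# Computes the go.mod that consumers of the root module actually need by
# deleting test-only code and re-running `go mod tidy` inside a throwaway git
# worktree, so the developer's checkout is never mutated.
# Assumes: repo root is the module root, the layout named in the issue
# (tests/, benchmark/, examples/, *_test.go), and git + go on PATH.
set -eu

# Print the trimmed go.mod for ref $1 (default HEAD) on stdout.
# The worktree is removed again even when `go mod tidy` fails.
# -z/-0 keeps file names with spaces intact; `git ls-files '*_test.go'`
# matches at any depth, exactly as in the issue's one-liner.
trimmed_go_mod() {
  ref=${1:-HEAD}
  tmp=$(mktemp -d)
  wt=$tmp/worktree
  git worktree add --detach --quiet "$wt" "$ref"
  status=0
  (
    cd "$wt" &&
    rm -rf tests benchmark examples &&
    git ls-files -z -- '*_test.go' | xargs -0 rm -f -- &&
    go mod tidy &&
    cat go.mod
  ) || status=$?
  git worktree remove --force "$wt"
  rmdir "$tmp"
  return "$status"
}

# Module paths of the `require` entries in go.mod $1, sorted, one per line.
# Handles both the block form and the one-line `require x v1` form and skips
# comment-only lines inside a block.
require_paths() {
  awk '
    /^require \(/                        { inblock = 1; next }
    inblock && /^\)/                     { inblock = 0; next }
    inblock && NF >= 2 && $1 !~ /^\/\// { print $1 }
    /^require [^(]/                      { print $2 }
  ' "$1" | LC_ALL=C sort -u
}

# Module paths required by go.mod $1 but not by go.mod $2.
dropped_requirements() {
  before=$(mktemp)
  after=$(mktemp)
  require_paths "$1" > "$before"
  require_paths "$2" > "$after"
  LC_ALL=C comm -23 "$before" "$after"
  rm -f "$before" "$after"
}

# Usage: ./trim_release_deps.sh report [ref]
case "${1:-}" in
  report)
    trimmed=$(mktemp)
    trimmed_go_mod "${2:-HEAD}" > "$trimmed"
    echo "require entries in go.mod that the distributed package does not need:"
    dropped_requirements go.mod "$trimmed"
    rm -f "$trimmed"
    ;;
esac
```

Run `./trim_release_deps.sh report v2.x.y` from the repository root; in a release workflow the `trimmed_go_mod` output can be written over the root go.mod in the release checkout, while the `dropped_requirements` list is what to paste into the PR description so reviewers can check that every dropped module really was test-only. Because `go mod tidy` resolves imports with every build tag enabled, a module it drops is not needed on any GOOS/GOARCH, not just the one running the script.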