Try to consolidate yaml implementations

xnox · xnox · commit 76d1772716f2 · 2026-02-25T12:51:51.000Z
Switch to https://github.com/yaml/go-yaml and upgrade to v4 API. This drops sigs.k8s.io/yaml, downgrades gopkg.in/yaml.v3 to indirect, and otherwise moves us closer to having just go.yaml.in security maintained yaml implementations.
diff --git a/docs/cmd/pipeline-reference-gen/main.go b/docs/cmd/pipeline-reference-gen/main.go
@@ -10,7 +10,7 @@ import (
 	"strings"
 	"text/template"
 
-	"sigs.k8s.io/yaml"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/config"
 
diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/charmbracelet/log v0.4.2
 	github.com/docker/cli v29.2.1+incompatible
 	github.com/docker/docker v28.5.2+incompatible
-	github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4
+	github.com/dprotaso/go-yit v0.0.0-20260209000607-dfb86291624d
 	github.com/github/go-spdx/v2 v2.4.0
 	github.com/go-git/go-git/v5 v5.16.5
 	github.com/google/go-cmp v0.7.0
@@ -37,7 +37,7 @@ require (
 	go.opentelemetry.io/otel v1.40.0
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.40.0
 	go.opentelemetry.io/otel/sdk v1.40.0
-	go.yaml.in/yaml/v2 v2.4.3
+	go.yaml.in/yaml/v4 v4.0.0-rc.4
 	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/sync v0.19.0
@@ -46,10 +46,8 @@ require (
 	golang.org/x/text v0.34.0
 	golang.org/x/time v0.14.0
 	gopkg.in/ini.v1 v1.67.1
-	gopkg.in/yaml.v3 v3.0.1
 	mvdan.cc/sh/v3 v3.12.0
 	sigs.k8s.io/release-utils v0.12.3
-	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
@@ -64,8 +62,10 @@ require (
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/tools v0.42.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 )
 
diff --git a/go.sum b/go.sum
@@ -103,8 +103,8 @@ github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pM
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4 h1:JzpdVajvTuXQXL10D0vId1ZcW9alSJ3H0CnZczzz4ec=
-github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4/go.mod h1:lHwJo6jMevQL9tNpW6vLyhkK13bYHBcoh9tUakMhbnE=
+github.com/dprotaso/go-yit v0.0.0-20260209000607-dfb86291624d h1:/USl0X37Afc2SyjRG4/eNrbm4CZRfZLdzwTy9YXxowA=
+github.com/dprotaso/go-yit v0.0.0-20260209000607-dfb86291624d/go.mod h1:k03zg0AFMepR2TrssNeMUISoI0QcX2N58Sl0qPU6MZs=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
@@ -269,8 +269,8 @@ github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
-github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
+github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -392,6 +392,8 @@ go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go.yaml.in/yaml/v4 v4.0.0-rc.4 h1:UP4+v6fFrBIb1l934bDl//mmnoIZEDK0idg1+AIvX5U=
+go.yaml.in/yaml/v4 v4.0.0-rc.4/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@@ -541,5 +543,3 @@ mvdan.cc/sh/v3 v3.12.0 h1:ejKUR7ONP5bb+UGHGEG/k9V5+pRVIyD+LsZz7o8KHrI=
 mvdan.cc/sh/v3 v3.12.0/go.mod h1:Se6Cj17eYSn+sNooLZiEUnNNmNxg0imoYlTu4CyaGyg=
 sigs.k8s.io/release-utils v0.12.3 h1:iNVJY81QfmMCmXxMg8IvvkkeQNk6ZWlLj+iPKSlKyVQ=
 sigs.k8s.io/release-utils v0.12.3/go.mod h1:BvbNmm1BmM3cnEpBmNHWL3wOSziOdGlsYR8vCFq/Q0o=
-sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
-sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/pkg/build/compile.go b/pkg/build/compile.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 
 	"github.com/chainguard-dev/clog"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 	"mvdan.cc/sh/v3/syntax"
 
 	"chainguard.dev/melange/pkg/cond"
diff --git a/pkg/build/package.go b/pkg/build/package.go
@@ -45,7 +45,7 @@ import (
 	"github.com/chainguard-dev/clog"
 	"github.com/psanford/memfs"
 	"go.opentelemetry.io/otel"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 )
 
 // pgzip's default is GOMAXPROCS(0)
diff --git a/pkg/build/pipeline_test.go b/pkg/build/pipeline_test.go
@@ -19,7 +19,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/config"
 	"chainguard.dev/melange/pkg/util"
diff --git a/pkg/cli/rebuild.go b/pkg/cli/rebuild.go
@@ -23,8 +23,8 @@ import (
 	purl "github.com/package-url/packageurl-go"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"go.yaml.in/yaml/v4"
 	"gopkg.in/ini.v1"
-	"gopkg.in/yaml.v3"
 
 	"chainguard.dev/melange/pkg/build"
 	"chainguard.dev/melange/pkg/config"
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -43,7 +43,7 @@ import (
 
 	"github.com/chainguard-dev/clog"
 	"github.com/joho/godotenv"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/util"
 )
diff --git a/pkg/linter/apk.go b/pkg/linter/apk.go
@@ -29,7 +29,7 @@ import (
 	"chainguard.dev/apko/pkg/apk/expandapk"
 	"github.com/chainguard-dev/clog"
 	"github.com/dustin/go-humanize"
-	"go.yaml.in/yaml/v2"
+	"go.yaml.in/yaml/v4"
 	"gopkg.in/ini.v1"
 
 	"chainguard.dev/melange/pkg/config"
diff --git a/pkg/manifest/manifest.go b/pkg/manifest/manifest.go
@@ -9,7 +9,7 @@ import (
 	apkotypes "chainguard.dev/apko/pkg/build/types"
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/yam/pkg/yam/formatted"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/config"
 )
diff --git a/pkg/renovate/bump/bump.go b/pkg/renovate/bump/bump.go
@@ -27,7 +27,7 @@ import (
 
 	"github.com/chainguard-dev/clog"
 	"github.com/dprotaso/go-yit"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/config"
 	"chainguard.dev/melange/pkg/renovate"
diff --git a/pkg/renovate/cache/cache.go b/pkg/renovate/cache/cache.go
@@ -29,7 +29,7 @@ import (
 
 	"github.com/chainguard-dev/clog"
 	"github.com/dprotaso/go-yit"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/renovate"
 	"chainguard.dev/melange/pkg/util"
diff --git a/pkg/renovate/copyright/copyright.go b/pkg/renovate/copyright/copyright.go
@@ -23,7 +23,7 @@ import (
 
 	"github.com/chainguard-dev/clog"
 
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 
 	"chainguard.dev/melange/pkg/license"
 	"chainguard.dev/melange/pkg/renovate"
diff --git a/pkg/renovate/yit.go b/pkg/renovate/yit.go
@@ -18,7 +18,7 @@ import (
 	"fmt"
 
 	"github.com/dprotaso/go-yit"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v4"
 )
 
 // NodeFromMapping takes a yaml.Node (a mapping) and uses yit

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ import (`
`45`	`45`	`"github.com/chainguard-dev/clog"`
`46`	`46`	`"github.com/psanford/memfs"`
`47`	`47`	`"go.opentelemetry.io/otel"`
`48`		`- "gopkg.in/yaml.v3"`
	`48`	`+ "go.yaml.in/yaml/v4"`
`49`	`49`	`)`
`50`	`50`
`51`	`51`	`// pgzip's default is GOMAXPROCS(0)`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ import (`
`43`	`43`
`44`	`44`	`"github.com/chainguard-dev/clog"`
`45`	`45`	`"github.com/joho/godotenv"`
`46`		`- "gopkg.in/yaml.v3"`
	`46`	`+ "go.yaml.in/yaml/v4"`
`47`	`47`
`48`	`48`	`"chainguard.dev/melange/pkg/util"`
`49`	`49`	`)`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import (`
`9`	`9`	`apkotypes "chainguard.dev/apko/pkg/build/types"`
`10`	`10`	`"github.com/chainguard-dev/clog"`
`11`	`11`	`"github.com/chainguard-dev/yam/pkg/yam/formatted"`
`12`		`- "gopkg.in/yaml.v3"`
	`12`	`+ "go.yaml.in/yaml/v4"`
`13`	`13`
`14`	`14`	`"chainguard.dev/melange/pkg/config"`
`15`	`15`	`)`