Remove old golang dependencies

[nitrocode]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

• I'd be willing to implement this feature (contributing guide)

Describe the user story

There are a lot of dependencies that may not be needed. Some dependencies are years old and could be vulnerable. The fewer dependencies, the less risk.

Describe the solution you'd like

It would be good to audit our dependencies and find ones that could be easily replaced or removed. We should use non forks if possible unless there is a good reason to use a fork.

It would also be good to scrutinize new PRs with additional dependencies to ensure we do not unnecessarily increase our exposure. For example, we should never use a dependency that is a fork or archived, possibly abandoned, not widely used, has old dependencies, or open security issues.

List of current dependencies https://github.com/runatlantis/atlantis/network/dependencies

Some old dependencies from a cursory look

Analyzing these will simplify dependent management via renovatebots dashboard #2818

Direct

archived

• https://github.com/golang/exp
  • this whole dependency is for deprecated packages. We should remove it if possible
  • resolved by chore: remove x/exp package #3085
• dec 2020 - archived - https://github.com/pkg/errors
  • Package errors looking for new maintainers pkg/errors#245
  • replace with errors

archived no longer

• https://github.com/gorilla/mux
  • ⚠️ The Gorilla Toolkit is Looking for a New Maintainer gorilla/mux#659
• https://github.com/gorilla/websocket

old

• https://github.com/petergtz/pegomock
  • we use 3.x - 2023
  • latest is 4.x - 2023
  • chore(deps): bump pegomock v3.0.1 #3515
  • fix(deps): update module github.com/petergtz/pegomock/v3 to v4 #3534
• https://github.com/uber-go/tally
  • we use 3.x
  • latest is 4.x
  • https://github.com/uber-go/tally/releases/tag/v4.1.7
  • upgrading will remove having to upgrade fix(deps): update github.com/cactus/go-statsd-client/statsd digest to 1cec395 in go.mod #2813
• jul 2021 - https://github.com/spf13/pflag
  • drop in replacement for go flags
  • there isnt really an alternative here
• apr 2020 - we're using 2 versions of the same github package
  • github.com/google/go-github/v31/github
  • github.com/google/go-github/v48/github
  • resolved by chore(deps): Use go-github v48 #2839
• feb 2020 - fork - https://github.com/nlopes/slack
  • issue Use official slack/slack-go client #2667
  • slack client
  • latest non fork is 2022
  • resolved by Use official slack/slack-go library #2669
• jan 2019 - https://github.com/mitchellh/go-homedir
  • resolved even though it's old, it doesn't use any dependencies so nothing needs to be updated
• 2015 - archived fork - https://github.com/flynn-archive/go-shlex
  • dec 2019 - no deps - https://github.com/google/shlex
  • resolved by chore(deps): Use google/shlex #2840

For testing

These do not get compiled with Atlantis

• aug 2018 - https://github.com/davecgh/go-spew
  • deep pretty printer
  • alternate from 2022 https://github.com/kr/pretty
  • resolved by chore(dependency): Swap go-spew with kr/pretty #3108
• moby/moby
  • resolved by chore(dependency): Swap moby with patternmatcher #3106

Indirect

These come from other dependencies and need to be analyzed to find the direct source

https://stackoverflow.com/a/68927825/2965993

• nov 2021 - https://github.com/benbjohnson/clock
• mar 2021 - https://github.com/asaskevich/govalidator
• feb 2021 - https://github.com/apparentlymart/go-textseg
  • grapheme cluster unicode text algorithm
  • alternative from 2022 https://github.com/rivo/uniseg
• oct 2020 - https://github.com/agext/levenshtein
• aug 2020 - https://github.com/dgryski/go-rendezvous
  • rendezvous hashing
• may 2020 - fork - https://github.com/alicebob/gopher-json
  • latest non fork is nov 2020
• jul 2019 - fork - https://github.com/beorn7/perks
  • latest non fork is sep 2022
• jun 2019 - archived - https://github.com/gorilla/css
  • a css3 tokenizer
• mar 2018 - https://github.com/aymerick/douceur
  • css parser
  • alternative from 2022 https://github.com/napsy/go-css
• 2014 - fork - https://github.com/bgentry/go-netrc
  • netrc parser
  • latest non fork is 2016
  • alternate from 2022 https://github.com/jdxcode/netrc

Some tools that may be useful

• https://github.com/google/osv-scanner
• https://github.com/resotto/gochk
• https://github.com/loov/goda
• https://pkg.go.dev/github.com/Helcaraxan/gomod
• https://stackoverflow.com/a/68927825/2965993
• https://github.com/google/osv-scanner

Here are all the go.mod code references sorted in ascending order

✗ grep -v indirect go.mod | grep -v ^module | grep github.com | awk '{ print $1 }' | sort | uniq | while read dep; do echo $(grep -r $dep **/*.go | wc -l):$dep; done | sort -n
1:github.com/Masterminds/sprig/v3
1:github.com/agext/levenshtein
1:github.com/alicebob/miniredis/v2
1:github.com/bradleyfalzon/ghinstallation/v2
1:github.com/briandowns/spinner
1:github.com/cactus/go-statsd-client/v5
1:github.com/go-test/deep
1:github.com/golang-jwt/jwt/v5
1:github.com/hashicorp/go-getter/v2
1:github.com/kr/pretty
1:github.com/microcosm-cc/bluemonday
1:github.com/mitchellh/colorstring
1:github.com/redis/go-redis/v9
1:github.com/remeh/sizedwaitgroup
1:github.com/spf13/pflag
1:github.com/warrensbox/terraform-switcher
2:github.com/google/shlex
2:github.com/hashicorp/terraform-config-inspect
2:github.com/mohae/deepcopy
2:github.com/shurcooL/githubv4
2:github.com/urfave/negroni/v3
3:github.com/gorilla/websocket
3:github.com/hashicorp/go-multierror
3:github.com/hashicorp/hcl/v2
3:github.com/moby/patternmatcher
3:github.com/spf13/viper
4:github.com/go-playground/validator/v10
4:github.com/mitchellh/go-homedir
5:github.com/google/uuid
5:github.com/spf13/cobra
6:github.com/slack-go/slack
7:github.com/gorilla/mux
13:github.com/mcdafydd/go-azuredevops
13:github.com/stretchr/testify
14:github.com/xanzy/go-gitlab
16:github.com/go-ozzo/ozzo-validation
23:github.com/uber-go/tally/v4
26:github.com/google/go-github/v53
53:github.com/pkg/errors
60:github.com/hashicorp/go-version
227:github.com/petergtz/pegomock/v3

Describe the drawbacks of your solution

Potential breakage of the app unless proper unit and integration test coverage is there.

Describe alternatives you've considered

None

[chenrui333]

This is very nice!!