chore(deps): Track deprecated indirect dependencies #372
Description
Summary
Several indirect dependencies are deprecated or archived. These are pulled in by upstream packages (etcd, consul, grpc) and cannot be directly removed. This issue tracks them for awareness and monitoring.
Deprecated Indirect Dependencies
| Package | Status | Pulled In By |
|---|---|---|
github.com/gogo/protobuf |
Deprecated/Archived | go.etcd.io/etcd/client/v3 |
github.com/golang/protobuf |
Deprecated | go.etcd.io/etcd/client/v3, google.golang.org/grpc |
github.com/mitchellh/mapstructure |
Archived (July 2024) | github.com/hashicorp/consul/api |
Why We Can't Remove Them
$ go mod why github.com/mitchellh/mapstructure
github.com/abtreece/confd/pkg/backends/consul
github.com/hashicorp/consul/api
github.com/mitchellh/mapstructure
These are transitive dependencies from our backend clients.
Upstream Tracking
- etcd: The etcd team is aware of the gogo/protobuf deprecation. The client v3.6.x still uses it.
- consul: HashiCorp consul/api uses mapstructure. The
go-viper/mapstructurefork exists but consul hasn't migrated yet. - grpc: grpc-go uses golang/protobuf for compatibility but internally uses google.golang.org/protobuf.
Action Items
- Monitor etcd releases for protobuf migration
- Monitor consul/api releases for mapstructure migration
- Update upstream dependencies when migrations are complete
- Periodically run
go mod tidyand check for security advisories
Priority
Low - These are indirect dependencies we cannot control. Monitor upstream projects.
References
- https://github.com/gogo/protobuf (deprecated)
- https://github.com/golang/protobuf (deprecated, use google.golang.org/protobuf)
- https://github.com/mitchellh/mapstructure (archived)
- https://github.com/go-viper/mapstructure (maintained fork)
- Remove gogo protobuf dependency for Kubernetes API types kubernetes/enhancements#5589 (K8s tracking gogo removal)