replace github.com/golang/snappy with klauspost/compress/snappy#13048
replace github.com/golang/snappy with klauspost/compress/snappy#13048williammartin merged 1 commit intocli:trunkfrom
Conversation
The github.com/golang/snappy repository was archived and is no longer maintained. klauspost/compress provides a drop-in replacement, which is actively maintained, and the klauspost/compress module is already an existing (indirect) dependency. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
|
Thanks for your pull request! Unfortunately, it doesn't meet the minimum requirements for review:
Please update your PR to address the above. Requirements:
This PR will be automatically closed in 7 days if these requirements are not met. |
There was a problem hiding this comment.
Pull request overview
Replaces the archived github.com/golang/snappy dependency with the actively maintained drop-in replacement github.com/klauspost/compress/snappy.
Changes:
- Swapped Snappy imports in attestation API code and tests to
github.com/klauspost/compress/snappy. - Updated
go.modto removegithub.com/golang/snappyand addgithub.com/klauspost/compressas a direct dependency (previously indirect). - Cleaned up
go.sumto drop the removedgithub.com/golang/snappychecksums.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/cmd/attestation/api/client.go | Updates Snappy import used for bundle decompression. |
| pkg/cmd/attestation/api/mock_httpClient_test.go | Updates Snappy import used to generate compressed test responses. |
| go.mod | Removes archived module and promotes klauspost/compress to a direct requirement. |
| go.sum | Removes checksums for the dropped github.com/golang/snappy module. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
🙈 probably should've read contributing.md Let me know if this is still acceptable, without a related ticket @williammartin 😅 |
|
@malancas : since this is changing an underlying dependency of attestation feature set, I thought you and the Package Security team would want to review this. |
|
The change looks solid. @malancas do you know if we have any unit tests that exercises snappy decompress of attestations prior to verification? |
The decompression functionality is tested before verification through tests within trunk/pkg/cmd/attestation/api/client_test.go that call LiveClient#getBundle. We could add more assert statements around the returned bundles. |
CLI: claude-review --pr <URL> GitHub Action: .github/workflows/review.yml for automated PR reviews Structured Markdown output: Summary / Risks / Suggestions / Confidence Score Tested on 2 real GitHub PRs (cli/cli#13046, cli/cli#13048) Payment address: eB51DWp1uECrLZRLsE2cnyZUzfRWvzUzaJzkatTpQV9
|
Thanks for looking! If there were any reasons for not switching that I'm not aware of; happy to close (and no harm done). I noticed the dependency on an archived repo when I was working on buildx; archived doesn't always mean "bad"; some code is just "complete and stable", but then found that @klauspost offered a drop-in replacement; I know his module is well maintained and widely used (❤️❤️❤️), so switching seemed like a logical choice. Of course assuming all fully compatible. |
Switching to the actively maintained dependency makes sense to me. These changes LGTM after reviewing the current code and testing. I'll wait until Monday in case @kommendorkapten or @andyfeller had any other thoughts but thank you for opening the pull request |
|
For sure, no rush, enjoy the weekend!! In case relevant; there is a newer patch-release of this module; I think the patch fixes a bug in the |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
|
Thanks for the PR, @thaJeztah! 🙏 Great to see the changes are transparent, but I need to callout there maybe a bit of concern around the license file in github.com/klauspost/compress. The repo seems to have both BSD-3 and Apache 2 licenses, concatenated in a single file. I need to check if our license extraction script is happy with it. So, please don't merge this until I've confirmed it's safe to do so. |
|
Tl;DR is we're good. We just print a few more licenses (two) that we don't really need to embed. As for the details, these are the extracted licenses by running The extracted licenses belong to the packages we need to build
I think it's fine, but I'd like to have @williammartin confirmation on it as he's our licenses hero. 🦸 |
There was a problem hiding this comment.
It does bear a striking resemblance to me.
If the tests pass and there's nothing obviously concerning, I'm generally fine with dependency changes, otherwise we'll spend forever doing manual validation in response to dependabot. If something breaks, lesson learned!
No worries about the multi-licenses if they are MIT/BSD/Apache permissive licenses. Our license attribution is best-effort, the ecosystem makes it hard to do better. If someone takes an issue then we would try to work something out.
Thanks for the PR.
|
😂 licensing is always tricky! You try to do the right thing, but it's complicated to navigate all the intricate details 😅 - thanks everyone! |
The github.com/golang/snappy repository was archived and is no longer maintained. klauspost/compress provides a drop-in replacement, which is actively maintained, and the klauspost/compress module is already an existing (indirect) dependency.
cc @babakks