… per https://github.com/go-yaml/yaml?tab=readme-ov-file#this-project-is-unmaintained .
We use it for configuration, not for consuming external data, so this should not cause security risks, but, still…
It’s not very clear what to move to. https://github.com/kubernetes-sigs/yaml == sigs.k8s.io/yaml contains a fork of yaml.v3, and Buildah/Podman already depend on that package, so that seems to be a good candidate. But, also, the last tagged release is from Oct 24, 2023; and the way the package is used, they include sigs.k8s.io/yaml/goyaml.v2, not sigs.k8s.io/yaml/goyaml.v3.
Short-term, it’s slightly annoying that there are many users of yaml.v3, some somewhat slow-moving, so if we moved, we would probably end up carrying two copies of the code for some time.
I think that for now, waiting a bit and seeing whether a consensus emerges doesn’t hurt.