Abandoned packages

[sagikazarmark]

There are a couple packages that seem to be abandoned and outdated (ie. dependencies are old, no go.mod, etc).

These are:

• github.com/performancecopilot/speed (see Is this package still maintained? performancecopilot/speed#59)
• github.com/hudl/fargo (see Is this package still maintained? hudl/fargo#74)

If there is no answer, I propose we fork them, make the necessary updates and use the forks as drop-in replacements. Before we do that, though, we should consider whether we want to keep these in the core in the first place. It might not worth the hassle if they get moved out of the core. So this issue is a conversation starter.

Related #843

[peterbourgon]

I'd much rather drop them altogether.

[sagikazarmark]

Works for me, although I already got them both to update to modules and release versions.

[bnevis-i]

Additionally, aws-sdk-go@v1.38.68 is introducing transitive vulnerabilities into this package (CVE-2020-9283). Bringing the whole go.mod up to date in general would be a good idea.

[peterbourgon]

We did that like two weeks ago. Ugh. What a waste of time.

[bnevis-i]

Actually, I take that back. aws-sdk doesn't have direct dependency on the broken library. Egg on my face :-(

[peterbourgon]

Not at all, best news I've heard today.

[sagikazarmark]

@peterbourgon I'd suggest updating these two packages and at the same time deprecating them in the next release.

Are there any other packages that we should deprecate? Should we start planning for #843?

[sagikazarmark]

Closing as both libraries have been updated.