Summary
The project directly depends on lipgloss v2 (charm.land/lipgloss/v2 v2.0.3) but also transitively pulls in lipgloss v1 (github.com/charmbracelet/lipgloss v1.1.1-pseudo) via the glamour v1.0.0 dependency. Both major versions are compiled into the binary, increasing binary size and creating potential for import confusion.
Details
| Field | Value |
| --- | --- |
| File | go.mod (lines 8, 11, 26) |
| Severity | Medium |
| Category | Dependencies / Binary size |
Current state in go.mod
| Dependency | Version | Type |
| --- | --- | --- |
| charm.land/lipgloss/v2 | v2.0.3 | direct |
| github.com/charmbracelet/glamour | v1.0.0 | direct |
| github.com/charmbracelet/lipgloss | v1.1.1-pseudo | indirect (via glamour) |
Impact
- Two separate copies of the lipgloss rendering engine are compiled into the final binary
- Contributors may accidentally import the wrong major version
- Binary size is unnecessarily inflated
Suggested fix
Check if a newer version of glamour supports lipgloss v2 natively. If so, upgrade:
```sh
go get -u github.com/charmbracelet/glamour
go mod tidy
```
If no v2-compatible glamour release exists yet, this is blocked upstream. In that case, add a comment in go.mod documenting the dual-dependency situation so it can be resolved when glamour upgrades.
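A check for the situation described in this issue, as an added example that is not part of the original report or the project's code: it scans go.mod text and reports module names that are required under more than one module path, which catches the v1/v2 pair even though the two live on different hosts. The `DuplicateModules` and `baseName` helpers and the `example.com/app` module path are hypothetical, the sample go.mod is constructed from the table above, and matching on the last path element is a heuristic that can also flag unrelated modules sharing a name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the three requirements listed in the issue's table.
const sampleGoMod = `module example.com/app // hypothetical module path
require (
	charm.land/lipgloss/v2 v2.0.3
	github.com/charmbracelet/glamour v1.0.0
	github.com/charmbracelet/lipgloss v1.1.1-pseudo // indirect
)`

var majorSuffix = regexp.MustCompile(`^v[0-9]+$`)

// baseName returns the last element of a module path, ignoring a trailing
// /vN major-version suffix. Heuristic: it compares names only, not hosts.
func baseName(modPath string) string {
	parts := strings.Split(modPath, "/")
	if n := len(parts); n > 1 && majorSuffix.MatchString(parts[n-1]) {
		parts = parts[:n-1]
	}
	return parts[len(parts)-1]
}

// DuplicateModules maps a base name to its "path version" entries (>= 2 only).
func DuplicateModules(gomod string) map[string][]string {
	seen := map[string][]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 || !strings.HasPrefix(f[1], "v") {
			continue // not a "path version" requirement line
		}
		seen[baseName(f[0])] = append(seen[baseName(f[0])], f[0]+" "+f[1])
	}
	for name, entries := range seen {
		if len(entries) < 2 {
			delete(seen, name) // required under a single path: fine
		}
	}
	return seen
}

func main() {
	fmt.Println(DuplicateModules(sampleGoMod))
}
```

Run against the real go.mod in CI, a non-empty result can fail the build or print a reminder until glamour moves to lipgloss v2.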