update dependencies; migrate shellescape package to new import path

[pietdevries94]

A little while back the import path of github.com/alessio/shellescape changed to al.essio.dev/pkg/shellescape . This PR handles that, so people can update again.

[mikkeloscar]

👍

[RomanZavodskikh]

👍

[andyfeller]

A little while back the import path of github.com/alessio/shellescape changed to al.essio.dev/pkg/shellescape . This PR handles that, so people can update again.

Could you explain the benefits and tradeoffs involved with source Go modules from GitHub Pages?

I understand alessio/shellescape#26 changed this, however my knee jerk is holding off upgrading zalando/go-keyring until the security implications of dependencies hosted on GitHub Pages can be assessed.

[mikkeloscar]

I think this is best raised to the upstream as we have no influence how the upstream module is defined.

My understanding is that without this change we block updating zalando/go-keyring via Go modules. If that is not the case, then this is maybe not needed. I agree that it's questionable in terms of security and reliability to not rely on github.com paths when the module code is anyway on github.com.

[szuecs]

@mikkeloscar you can also inline the code. The repository is about 3 functions in total so a little dependency is worse than a little copy.

[andyfeller]

I think this is best raised to the upstream as we have no influence how the upstream module is defined.

My understanding is that without this change we block updating zalando/go-keyring via Go modules. If that is not the case, then this is maybe not needed. I agree that it's questionable in terms of security and reliability to not rely on github.com paths when the module code is anyway on github.com.

Are you saying that newer releases of alessio/shellescape could not be retrieved via the previous method of specifying the module (github.com/alessio/shellescape v1.5.1)?

As far as I know, ☝️ should have continued to work irregardless of what the go.mod said the module's name actually was.

My concerns

If you look at the source of https://al.essio.dev/, it appears this is the alessio/alessio.github.io GitHub Pages repo that is making API calls to present information to the consumer:

<html>
  <body>
    <script>
      (async () => {
        const response = await fetch('https://api.github.com/repos/alessio/alessio.github.io/contents/');
        const data = await response.json();
        let htmlString = '<ul>';
        for (let file of data) {
          htmlString += `<li><a href="${file.path}">${file.name}</a></li>`;
        }
        htmlString += '</ul>';
        document.getElementsByTagName('body')[0].innerHTML = htmlString;
      })()
    </script>
  <body>
</html>

Again, this doesn't objectively add anything and raises questions about exactly what is sourced.

[mikkeloscar]

What I mean is you get this error:

diff --git a/go.mod b/go.mod
index 8731939..a58030e 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/zalando/go-keyring
 go 1.18

 require (
-       al.essio.dev/pkg/shellescape v1.5.1
+       github.com/alessio/shellescape v1.5.1
        github.com/danieljoos/wincred v1.2.2
        github.com/godbus/dbus/v5 v5.1.0
 )

go mod tidy
go: github.com/zalando/go-keyring imports
	al.essio.dev/pkg/shellescape: github.com/alessio/shellescape@v1.5.1: parsing go.mod:
	module declares its path as: al.essio.dev/pkg/shellescape
	        but was required as: github.com/alessio/shellescape
go: github.com/zalando/go-keyring imports
	github.com/danieljoos/wincred tested by
	github.com/danieljoos/wincred.test imports
	github.com/stretchr/testify/assert: github.com/alessio/shellescape@v1.5.1: parsing go.mod:
	module declares its path as: al.essio.dev/pkg/shellescape
	        but was required as: github.com/alessio/shellescape
go: github.com/zalando/go-keyring imports
	github.com/danieljoos/wincred tested by
	github.com/danieljoos/wincred.test imports
	github.com/stretchr/testify/mock: github.com/alessio/shellescape@v1.5.1: parsing go.mod:
	module declares its path as: al.essio.dev/pkg/shellescape
	        but was required as: github.com/alessio/shellescape

Again, this doesn't objectively add anything and raises questions about exactly what is sourced.

I don't disagree, but unless there is a practical way to work around it we can't without discussing these points with upstream (or inline the functions as @szuecs suggested).

[williammartin]

I created #117 for inlining this. I think it's a good idea, but I also don't think it's the end of the world if we don't. I just thought that since we cared a bit in gh, that we should do the legwork to propose it.